Analysis
-
max time kernel
522s -
max time network
1800s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
03-07-2024 05:22
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://google.com
Resource
win10v2004-20240611-en
General
-
Target
http://google.com
Malware Config
Signatures
-
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
description ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files\Microsoft Office\root\rsod\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files\Java\jre-1.8\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files\Java\jre-1.8\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe -
CryptoLocker
Ransomware family with multiple variants.
-
Renames multiple (3256) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
resource yara_rule behavioral1/files/0x00130000000236e2-1182.dat aspack_v212_v242 behavioral1/files/0x000c0000000236db-1250.dat aspack_v212_v242 -
Executes dropped EXE 40 IoCs
pid Process 4960 WinNuke.98.exe 4828 WinNuke.98.exe 1160 Flasher.exe 3736 Flasher.exe 2000 Flasher.exe 3228 Flasher.exe 740 Flasher.exe 2068 Flasher.exe 716 ScreenScrew.exe 3324 ScreenScrew.exe 3760 ScreenScrew.exe 5088 ScreenScrew.exe 1432 ScreenScrew.exe 3376 ScreenScrew.exe 2264 Time.exe 2476 Time.exe 1212 Time.exe 4768 Time.exe 3888 Time.exe 4508 Time.exe 3340 Time.exe 2440 Trololo.exe 4596 Trololo.exe 4696 Vista.exe 3280 Vista.exe 5064 rickroll.exe 3600 rickroll.exe 4944 rickroll.exe 512 rickroll.exe 4636 rickroll.exe 1176 HawkEye.exe 4184 HawkEye.exe 2400 butterflyondesktop.exe 5924 butterflyondesktop.exe 6016 butterflyondesktop.tmp 6044 butterflyondesktop.tmp 2328 CryptoLocker.exe 1784 CryptoLocker.exe 5108 {34184A33-0407-212E-3320-09040709E2C2}.exe 4324 {34184A33-0407-212E-3320-09040709E2C2}.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" {34184A33-0407-212E-3320-09040709E2C2}.exe -
Drops desktop.ini file(s) 27 IoCs
description ioc Process File opened for modification C:\Users\Admin\Links\desktop.ini Vista.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini Vista.exe File opened for modification C:\Users\Public\desktop.ini Vista.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini Vista.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini Vista.exe File opened for modification C:\Users\Admin\Searches\desktop.ini Vista.exe File opened for modification C:\Users\Public\Music\desktop.ini Vista.exe File opened for modification C:\Users\Public\Videos\desktop.ini Vista.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini Vista.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini Vista.exe File opened for modification C:\Users\Public\Libraries\desktop.ini Vista.exe File opened for modification C:\Users\Public\Pictures\desktop.ini Vista.exe File opened for modification C:\Users\Admin\Music\desktop.ini Vista.exe File opened for modification C:\Program Files (x86)\desktop.ini Vista.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini Vista.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini Vista.exe File opened for modification C:\Program Files\desktop.ini Vista.exe File opened for modification C:\Users\Admin\Videos\desktop.ini Vista.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini Vista.exe File opened for modification C:\Users\Public\Desktop\desktop.ini Vista.exe File opened for modification C:\Users\Public\Downloads\desktop.ini Vista.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini Vista.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini Vista.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini Vista.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini Vista.exe File opened for modification C:\Users\Public\Documents\desktop.ini Vista.exe File opened for modification C:\Users\Admin\Documents\desktop.ini Vista.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 155 raw.githubusercontent.com 156 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 188 bot.whatismyipaddress.com -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\7.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalMedTile.scale-125_contrast-black.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-16.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-black.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-24_contrast-black.png Vista.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxLargeTile.scale-150.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png Vista.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml Vista.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected] Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-100_contrast-high.png Vista.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\ui-strings.js Vista.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-black_scale-125.png Vista.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyCalendarSearch.scale-200.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-200_contrast-black.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\packages.config Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\9.jpg Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeTile.scale-125_contrast-black.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Preview.scale-100_layoutdir-LTR.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsWideTile.contrast-white_scale-100.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48_altform-lightunplated.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\8.jpg Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-200_contrast-white.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-125_contrast-black.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosSmallTile.scale-200.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_altform-lightunplated.png Vista.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-press.svg Vista.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File opened for modification C:\Program Files\7-Zip\Lang\uz.txt Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml Vista.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-100_contrast-white.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-150.png Vista.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png Vista.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-es_es.gif Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\MicrosoftAdvertising.ini Vista.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\ui-strings.js Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48_altform-lightunplated.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-48.png Vista.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_psd.svg Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\ExtendedSplashScreen.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\SmallTile.scale-200.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated_devicefamily-colorfulunplated.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\179.png Vista.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-100_contrast-white.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-24.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-24_altform-unplated_contrast-white.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PayLockScreenLogo.scale-200.png Vista.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Light.scale-125.png Vista.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png Vista.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunchdlg.html Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\ThirdPartyNotices.html Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml Vista.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML Vista.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\ui-strings.js Vista.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\LargeTile.scale-125.png Vista.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Rainbow.png Vista.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini Vista.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeWideTile.scale-125.png Vista.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 4 IoCs
pid Process 4844 taskkill.exe 456 taskkill.exe 4080 taskkill.exe 396 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116563" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7039c90d2bcdda01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fb7b7aaa19eb84499a1cb94a069837d100000000020000000000106600000001000020000000ee6645ddd0ca749dddeac71cafecdec6c4330aef68bcc96502c832c2d8121a2a000000000e8000000002000020000000a5c6c07f7914b2ebff149e3e6928def9d861393c3062d180d5d54862e3b4495b200000003e0c6204918d85d3263e51461417ba14948eb50129c105d7b2d3aa538b232d2c400000005c9bfac9cbb0c146650a697c0c9a365cf6981e3d5d774d85dc358fe52bed63c759f7cb84c35d6eedd3e6c26375defb77967914ee5ed6dc83a2f7077362a5fe12 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1576888626" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60e4a60d2bcdda01 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fb7b7aaa19eb84499a1cb94a069837d10000000002000000000010660000000100002000000024315d5689e3b54d9f3de6ed44b3860e599a75f3d0783fb21007c2abedd137ff000000000e80000000020000200000005e4807f48a98359c8cbd4eb5101a68ac9c9cc685dab8957ddcbfd37d7118ad6920000000fe1721023f1ce4e7ad2af615d7170e1b6740b5b487bc2c1c65341b7aae74a52740000000062780c832791e625cf8963219bf81ff0ac871b3bf076be8b0a93297c0efe8a452781f80ae5a61be6ea7ede8cee65c92e9f0735af02060872aee9bdbaf566cad iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116563" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1571232820" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1576888626" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{88413F5E-38D0-11EF-B1BC-6E9B7344EC16} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116563" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1571232223" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116563" IEXPLORE.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{AE9F7323-93F0-4309-88D1-E8A805264F80} msedge.exe -
NTFS ADS 13 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 585357.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 433408.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 183374.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 936924.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 647783.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 381936.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 548892.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 528948.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 134737.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 184540.crdownload:SmartScreen msedge.exe File created C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA CryptoLocker.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 422931.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 485182.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid Process 628 msedge.exe 628 msedge.exe 4936 msedge.exe 4936 msedge.exe 2084 identity_helper.exe 2084 identity_helper.exe 5084 msedge.exe 5084 msedge.exe 5060 msedge.exe 5060 msedge.exe 1548 msedge.exe 1548 msedge.exe 4512 msedge.exe 4512 msedge.exe 4512 msedge.exe 4512 msedge.exe 2432 msedge.exe 2432 msedge.exe 1772 msedge.exe 1772 msedge.exe 1108 msedge.exe 1108 msedge.exe 3696 msedge.exe 3696 msedge.exe 4280 msedge.exe 4280 msedge.exe 2028 msedge.exe 2028 msedge.exe 2652 msedge.exe 2652 msedge.exe 1340 msedge.exe 1340 msedge.exe 4212 msedge.exe 4212 msedge.exe 5780 msedge.exe 5780 msedge.exe 2928 msedge.exe 2928 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4936 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs
pid Process 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeSystemtimePrivilege 2264 Time.exe Token: SeSystemtimePrivilege 2476 Time.exe Token: SeSystemtimePrivilege 1212 Time.exe Token: SeSystemtimePrivilege 4768 Time.exe Token: SeSystemtimePrivilege 3888 Time.exe Token: SeSystemtimePrivilege 4508 Time.exe Token: SeSystemtimePrivilege 3340 Time.exe Token: SeSystemtimePrivilege 2264 Time.exe Token: SeSystemtimePrivilege 2476 Time.exe Token: SeDebugPrivilege 4080 taskkill.exe Token: SeDebugPrivilege 4844 taskkill.exe Token: 33 1016 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1016 AUDIODG.EXE Token: SeDebugPrivilege 396 taskkill.exe Token: SeDebugPrivilege 456 taskkill.exe Token: SeSystemtimePrivilege 1212 Time.exe Token: SeSystemtimePrivilege 4768 Time.exe Token: SeSystemtimePrivilege 3888 Time.exe Token: SeSystemtimePrivilege 4508 Time.exe Token: SeSystemtimePrivilege 3340 Time.exe Token: SeSystemtimePrivilege 2264 Time.exe Token: SeSystemtimePrivilege 2476 Time.exe Token: SeSystemtimePrivilege 1212 Time.exe Token: SeSystemtimePrivilege 4768 Time.exe Token: SeSystemtimePrivilege 3888 Time.exe Token: SeSystemtimePrivilege 4508 Time.exe Token: SeSystemtimePrivilege 3340 Time.exe Token: SeSystemtimePrivilege 2264 Time.exe Token: SeSystemtimePrivilege 2476 Time.exe Token: SeSystemtimePrivilege 1212 Time.exe Token: SeSystemtimePrivilege 4768 Time.exe Token: SeSystemtimePrivilege 3888 Time.exe Token: SeSystemtimePrivilege 4508 Time.exe Token: SeSystemtimePrivilege 3340 Time.exe Token: SeSystemtimePrivilege 2264 Time.exe Token: SeSystemtimePrivilege 2476 Time.exe Token: SeDebugPrivilege 1176 HawkEye.exe Token: SeDebugPrivilege 4184 HawkEye.exe Token: SeSystemtimePrivilege 1212 Time.exe Token: SeSystemtimePrivilege 4768 Time.exe Token: SeSystemtimePrivilege 3888 Time.exe Token: SeSystemtimePrivilege 4508 Time.exe Token: SeSystemtimePrivilege 3340 Time.exe Token: SeSystemtimePrivilege 2264 Time.exe Token: SeSystemtimePrivilege 2476 Time.exe Token: SeSystemtimePrivilege 1212 Time.exe Token: SeSystemtimePrivilege 4768 Time.exe Token: SeSystemtimePrivilege 3888 Time.exe Token: SeSystemtimePrivilege 4508 Time.exe Token: SeSystemtimePrivilege 3340 Time.exe Token: SeSystemtimePrivilege 2264 Time.exe Token: SeSystemtimePrivilege 2476 Time.exe Token: SeSystemtimePrivilege 1212 Time.exe Token: SeSystemtimePrivilege 4768 Time.exe Token: SeSystemtimePrivilege 3888 Time.exe Token: SeSystemtimePrivilege 4508 Time.exe Token: SeSystemtimePrivilege 3340 Time.exe Token: SeSystemtimePrivilege 2264 Time.exe Token: SeSystemtimePrivilege 2476 Time.exe Token: SeSystemtimePrivilege 1212 Time.exe Token: SeSystemtimePrivilege 4768 Time.exe Token: SeSystemtimePrivilege 3888 Time.exe Token: SeSystemtimePrivilege 4508 Time.exe Token: SeSystemtimePrivilege 3340 Time.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe -
Suspicious use of SendNotifyMessage 26 IoCs
pid Process 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe -
Suspicious use of SetWindowsHookEx 28 IoCs
pid Process 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 4936 msedge.exe 5364 iexplore.exe 5364 iexplore.exe 5472 IEXPLORE.EXE 5472 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4936 wrote to memory of 2796 4936 msedge.exe 82 PID 4936 wrote to memory of 2796 4936 msedge.exe 82 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 4268 4936 msedge.exe 83 PID 4936 wrote to memory of 628 4936 msedge.exe 84 PID 4936 wrote to memory of 628 4936 msedge.exe 84 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85 PID 4936 wrote to memory of 528 4936 msedge.exe 85
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a24f46f8,0x7ff9a24f4708,0x7ff9a24f47182⤵PID:2796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:22⤵PID:4268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:82⤵PID:528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵PID:4072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:12⤵PID:3244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:12⤵PID:4128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:82⤵PID:3536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:12⤵PID:3056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:12⤵PID:3060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:12⤵PID:916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:12⤵PID:2452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:12⤵PID:3484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:12⤵PID:4592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5508 /prefetch:82⤵PID:2864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5272 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵PID:1260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:12⤵PID:2848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:12⤵PID:1832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:12⤵PID:740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3360 /prefetch:82⤵PID:208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:12⤵PID:412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6728 /prefetch:82⤵PID:3052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:12⤵PID:2044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6104 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:12⤵PID:1768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7044 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵PID:2252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6288 /prefetch:82⤵PID:760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3720 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1772
-
-
C:\Users\Admin\Downloads\WinNuke.98.exe"C:\Users\Admin\Downloads\WinNuke.98.exe"2⤵
- Executes dropped EXE
PID:4960
-
-
C:\Users\Admin\Downloads\WinNuke.98.exe"C:\Users\Admin\Downloads\WinNuke.98.exe"2⤵
- Executes dropped EXE
PID:4828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:12⤵PID:3568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6448 /prefetch:82⤵PID:5072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1108
-
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:1160
-
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:3736
-
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:2000
-
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:3228
-
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:740
-
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:2068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:12⤵PID:4260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6204 /prefetch:82⤵PID:4596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6316 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3696
-
-
C:\Users\Admin\Downloads\ScreenScrew.exe"C:\Users\Admin\Downloads\ScreenScrew.exe"2⤵
- Executes dropped EXE
PID:716
-
-
C:\Users\Admin\Downloads\ScreenScrew.exe"C:\Users\Admin\Downloads\ScreenScrew.exe"2⤵
- Executes dropped EXE
PID:3324
-
-
C:\Users\Admin\Downloads\ScreenScrew.exe"C:\Users\Admin\Downloads\ScreenScrew.exe"2⤵
- Executes dropped EXE
PID:3760
-
-
C:\Users\Admin\Downloads\ScreenScrew.exe"C:\Users\Admin\Downloads\ScreenScrew.exe"2⤵
- Executes dropped EXE
PID:5088
-
-
C:\Users\Admin\Downloads\ScreenScrew.exe"C:\Users\Admin\Downloads\ScreenScrew.exe"2⤵
- Executes dropped EXE
PID:1432
-
-
C:\Users\Admin\Downloads\ScreenScrew.exe"C:\Users\Admin\Downloads\ScreenScrew.exe"2⤵
- Executes dropped EXE
PID:3376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:12⤵PID:2016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:12⤵PID:4324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:12⤵PID:3096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5404 /prefetch:82⤵PID:3872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4280
-
-
C:\Users\Admin\Downloads\Time.exe"C:\Users\Admin\Downloads\Time.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2264
-
-
C:\Users\Admin\Downloads\Time.exe"C:\Users\Admin\Downloads\Time.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
-
C:\Users\Admin\Downloads\Time.exe"C:\Users\Admin\Downloads\Time.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1212
-
-
C:\Users\Admin\Downloads\Time.exe"C:\Users\Admin\Downloads\Time.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4768
-
-
C:\Users\Admin\Downloads\Time.exe"C:\Users\Admin\Downloads\Time.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:12⤵PID:436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6272 /prefetch:82⤵PID:4820
-
-
C:\Users\Admin\Downloads\Time.exe"C:\Users\Admin\Downloads\Time.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4508
-
-
C:\Users\Admin\Downloads\Time.exe"C:\Users\Admin\Downloads\Time.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:12⤵PID:2512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7160 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2028
-
-
C:\Users\Admin\Downloads\Trololo.exe"C:\Users\Admin\Downloads\Trololo.exe"2⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SYSTEM32\taskkill.exetaskkill.exe /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4080
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill.exe /f /im taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4844
-
-
-
C:\Users\Admin\Downloads\Trololo.exe"C:\Users\Admin\Downloads\Trololo.exe"2⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SYSTEM32\taskkill.exetaskkill.exe /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill.exe /f /im taskmgr.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:456
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵PID:4464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6368 /prefetch:82⤵PID:3616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2652
-
-
C:\Users\Admin\Downloads\Vista.exe"C:\Users\Admin\Downloads\Vista.exe"2⤵
- Chimera
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:4696 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML"3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5364 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5364 CREDAT:17410 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5472
-
-
-
-
C:\Users\Admin\Downloads\Vista.exe"C:\Users\Admin\Downloads\Vista.exe"2⤵
- Executes dropped EXE
PID:3280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:12⤵PID:1856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6300 /prefetch:82⤵PID:700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1340
-
-
C:\Users\Admin\Downloads\rickroll.exe"C:\Users\Admin\Downloads\rickroll.exe"2⤵
- Executes dropped EXE
PID:5064
-
-
C:\Users\Admin\Downloads\rickroll.exe"C:\Users\Admin\Downloads\rickroll.exe"2⤵
- Executes dropped EXE
PID:3600
-
-
C:\Users\Admin\Downloads\rickroll.exe"C:\Users\Admin\Downloads\rickroll.exe"2⤵
- Executes dropped EXE
PID:4944
-
-
C:\Users\Admin\Downloads\rickroll.exe"C:\Users\Admin\Downloads\rickroll.exe"2⤵
- Executes dropped EXE
PID:512
-
-
C:\Users\Admin\Downloads\rickroll.exe"C:\Users\Admin\Downloads\rickroll.exe"2⤵
- Executes dropped EXE
PID:4636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵PID:3204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:12⤵PID:752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5564 /prefetch:82⤵PID:3692
-
-
C:\Users\Admin\Downloads\HawkEye.exe"C:\Users\Admin\Downloads\HawkEye.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1176
-
-
C:\Users\Admin\Downloads\HawkEye.exe"C:\Users\Admin\Downloads\HawkEye.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:12⤵PID:5124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7016 /prefetch:82⤵PID:5456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6772 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5780
-
-
C:\Users\Admin\Downloads\butterflyondesktop.exe"C:\Users\Admin\Downloads\butterflyondesktop.exe"2⤵
- Executes dropped EXE
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\is-SEGMF.tmp\butterflyondesktop.tmp"C:\Users\Admin\AppData\Local\Temp\is-SEGMF.tmp\butterflyondesktop.tmp" /SL5="$601AA,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"3⤵
- Executes dropped EXE
PID:6016
-
-
-
C:\Users\Admin\Downloads\butterflyondesktop.exe"C:\Users\Admin\Downloads\butterflyondesktop.exe"2⤵
- Executes dropped EXE
PID:5924 -
C:\Users\Admin\AppData\Local\Temp\is-1N9NT.tmp\butterflyondesktop.tmp"C:\Users\Admin\AppData\Local\Temp\is-1N9NT.tmp\butterflyondesktop.tmp" /SL5="$F039E,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"3⤵
- Executes dropped EXE
PID:6044
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:12⤵PID:1308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6100 /prefetch:82⤵PID:112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1231093879678108331,14136967909208094866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2928
-
-
C:\Users\Admin\Downloads\CryptoLocker.exe"C:\Users\Admin\Downloads\CryptoLocker.exe"2⤵
- Executes dropped EXE
- NTFS ADS
PID:2328 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5108 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000002204⤵
- Executes dropped EXE
PID:4324
-
-
-
-
C:\Users\Admin\Downloads\CryptoLocker.exe"C:\Users\Admin\Downloads\CryptoLocker.exe"2⤵
- Executes dropped EXE
PID:1784
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2228
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1240
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4fc 0x5181⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵PID:5544
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5b55e8ed2faece3e59612a63ae325547d
SHA19bebb1c4ce616bdcca5e9352ef10b47ef7990c5b
SHA256a147daac14b1161ea1b1312639153a489c123761b7bad1452c7b2ca9ab23e256
SHA512b89486e906724d04510f2551e68a3d624805c9da8e269bc0fee8698307aca5bd8420e48041e17dc33a1fbc1b6563fa054c8a4cafdc8a866c71e34e5052485870
-
Filesize
12KB
MD5857c76df779152b9c685c9dfcbb15eb9
SHA1ec76a76a9c6fad7eaa62e97b3ca16189d30cf060
SHA2565ce23970e1d3ff5ed319ca54fa38556d53b2ae51bce6b2eddec025dd53e00251
SHA512a7b82fda19dfd12454d2f90916bdf05d15c3520e029427b908b7280e53fd9f22232268a37a6152f6eef8bd166d6de07409ff33923894991d252f15b414fc928e
-
Filesize
152B
MD5dabfafd78687947a9de64dd5b776d25f
SHA116084c74980dbad713f9d332091985808b436dea
SHA256c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201
SHA512dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b
-
Filesize
152B
MD5c39b3aa574c0c938c80eb263bb450311
SHA1f4d11275b63f4f906be7a55ec6ca050c62c18c88
SHA25666f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c
SHA512eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232
-
Filesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
Filesize
41KB
MD5ddb8bf0444969fde4ffd0dd3036d9dda
SHA1b77ba856c51a72a40f69637a9c7980cbbe859897
SHA2563e634c7e24539826f9f228decb932e1b9c3139c6505bbf6a9d15cc206f1cc6c3
SHA512bca01e2dbf2b8aed3a08ddd51d68029296175b7a2f2a601a3c3e522ccfbce6c397b3c9a109db07abb053cd812865d930b097888ea58a772a99d4a67821d02f5d
-
Filesize
67KB
MD59e3f75f0eac6a6d237054f7b98301754
SHA180a6cb454163c3c11449e3988ad04d6ad6d2b432
SHA25633a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf
SHA5125cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.2MB
MD5e9260f3d081cf9a5d5c7551fbdc3d234
SHA10cc5b721c02dab3301207880871fc97e004c3b88
SHA25681b05795af8af16e41a86d022730747b7b59a8e96951ec3053f34f91d66cae4e
SHA512d4445200865a3636e814fcddd9ea21dfdbed943deb68a12279d715879693921e94ca8dd8570853bbed657f47cc8d034f931f500b3591a2001185d9be45bd109a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD52f7b33b04c6c9c78b10d6e5249d42abe
SHA1e630fb7b5b9fac008fca5aca2811f5b1a485c2b1
SHA256580fb01c6e14b2ad5bbcbf587aa0843bd800b24c22421e66f3783ef50f198d92
SHA512e391b60bc285675c920dc7cab777006c3a0f282db2d66c3836572f39e7a819abc18f09c74d3010c373d94deacecd4f730613929a94b88da87c01c2b5bed66f62
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize336B
MD5dbe32a7487568e6c57429d2d0cbf2a15
SHA14ae8713ce3ff2478138983a8b37f4db6a0c0e4e5
SHA2568a45dda10e0b5e30b7ff6844c050070eac681e9f42fee0a99bc9b682223eb52e
SHA5129841a96f40619b467904a655b873a5694fc1968bf927522e4b2111ec9a9f95097472dae36823ef2cf20f8714c6fccfad0f010c5b90a899e284fd8a87210c5e37
-
Filesize
2KB
MD59cf850a35f28d6e7646e33b84cb5681d
SHA16737b678aaf58f3239abde37548c0d1e1fbbed09
SHA256ae148dc90c0e8af8ce1ee12b9e63056dbff487ee1ba4aa098f2a9a922e0a762d
SHA512b3d867b7566058a1ea4f76489fb93ed365020a11044b2cf694a27fbb30ef846fbe5faac8dbbb0a1da416c2bfaccf718bdce97a0e160f945c95620a130a548549
-
Filesize
2KB
MD5e38eb38662e3daa1eb8484ffdb586e3a
SHA169c248d230d0796722b1ccd57f7ff979ef56be1b
SHA25692065e9fbad633463bd95919e04ac84f16febf94eb874465cc2f0c74bcb4165f
SHA5120b22bba648830aea9d6d77cc065664be1d8bba5848ddef07a0795ab26efdf573accd05459e3190df732b9f3fec369e5b819a5c2505ae2c10cac681ab5610ed61
-
Filesize
5KB
MD5b51c9c85f33d0f20f082a9ebe9860dde
SHA1dbb75436a179e207be04d91969ddf34bf18307ad
SHA2568938f13a67bae5642ec9f2f7f8974c470d03d6d9c68aa15d1f7bc4c3d807ddbf
SHA51220f645b199b3b16bec0278651b05d65f73c3a4efd6ff57efb52979ff6a030e0695885e9ada7d03928f4ad2e5a8fea57ca81627a2e1eede5ffc172264ab64ef73
-
Filesize
7KB
MD5155f7b1ec6d997cba39920a6d3d4c3cb
SHA1bae81bef1a21633e538cd40de6430bfa379c773c
SHA25635d9361ec90b0aa558f90b1864820a2c5ff19b464121f5a6e381e9d9f33dbb96
SHA5120dd17a46e2dc80937df4779568a5fdbe0f1e4bde7f1dd149af5c2437fbf5a52c5102f15e0520d3af10d5397f3e74a35abd68d3974b0d16241c12145ad03e8cca
-
Filesize
7KB
MD56df76c3e57f8bf1d6e5c00827bfff675
SHA1a9fa1ff77d9ad9abdc8d8c2ffc10efbae9cfd94d
SHA2561ffc67140390b8b8b0607b620007ff3f30ebd16e428a5a235b3c7c7b1064884b
SHA512f58b03f17617955422bb0fd2a4fdca4ff789be710b5ebb7185c86b01e1f66966b7b4cc7201f3c1c84c44b1bb68535b5a1b4d5d1e76e38c460649eabce9f37941
-
Filesize
6KB
MD511826a132d3e6958c65865a0ee8c8d0c
SHA10547fc851e6e5b9313e51b943c871d14c8804174
SHA256d692b5de0211943901fe2ceefcca2c1d3391d67643a97c2684c7e718ccffe612
SHA512fab5da52461cbc5b088f4d51c2b10997dbc1f6daf3f9a909eb5937f826dd6c952469ec581fe5bf124949766c70ed8816c7c77fc2820e59fac61c589fce8184cb
-
Filesize
7KB
MD59cac68539f0e39f392aadcf1d5584e68
SHA1c56f7a51f223dbb5ed01542c24960870f5114efd
SHA2565a9f8e39bf9dfeae4f7dcf0d29ca8e40e4a19739ea7c5a95af43ce9e6f7c4fe7
SHA512e956aeb97c69ca427ae40422e5c0f331c38aa037182373bf9a11de3f7330224382d3f883e5cb36f0e4706d317a5ad11069d960d3e673b492a131270c626bf5e4
-
Filesize
7KB
MD582d1f1802b4bd7d77cc5086afec9d243
SHA1165ba991e917cdead79100d36be2ce0b974c7d2d
SHA256b9c7e0162fd437d61212b58c3bb0aea80da1ab161d70c6d1d5ea1a963148a46b
SHA512e043363cf4500648e57ec0b5e2950b4d3156c419393a420c377914b38fed8345be94af255c7ac05353f995f7b4932ee4965195e2070e257f246b849c8cab9005
-
Filesize
7KB
MD5d6f3665fbac06aaa64717600ce853b0d
SHA1a182181cffe51995398f7e703e2f48420f4d5752
SHA25668d379d675ab148ecf73a129f0e3ff67ffeabf381931205112c1fb4d6ba25663
SHA512dd2b5f6d711a7ae6fedb34416f22379b4bba49424b07e47c01e972c09d4336ef8e213988d33d870cf4e0db58212fc778f687ad37e586ec6cef413883b47925c2
-
Filesize
1KB
MD5f8a3fda879b67198c37ea39ff7b06205
SHA10333d0ca9583ff64a134f3053250845a2750ae96
SHA2569af9e78d50f7b0d3996cfc41f846e5d9ebb8eb80123304a461e58d431dfd2b1c
SHA5128044090e05677c9406b751c13f2771a96eb40424718786ce3882737efe4fc2cb5b4cf96f8a07b9940a462254d23a7d8397cee24f721c19ae74d05337b7e196c1
-
Filesize
1KB
MD59621cc5c243b83b3361a66193411c82d
SHA1522310387188de5872af7325357701ad777e73d1
SHA25678ed90b5a2cc913e3ab0649b679f4d84203351243440995d4e9f26946ece1ad5
SHA512bc5831ac0f478db9c5d8be2421b8a7953e6ce7ed06a99836187c63c71893665757b6db8e3616208347d91ab8f51e65dc60fe1331366d7115de2313239b07b522
-
Filesize
1KB
MD5e84f3e7b051e5f1f1053660668bb11c6
SHA1368ca0a99c5412f87ba01bafc2d8bfb96ff3cbf3
SHA2561e3119c39af098176b9cf7a2091fb8da05001820d3b725d8c6cc6788c8a2cd69
SHA512895a73b13f6b83b3de877b11e099369c0ebf8a06b8e5d4b539a9cba5565076c2416a03179ab8ce8e8e7680573acfc6766ebb72bffac76411120ae07a4b70f5be
-
Filesize
1KB
MD533a3ea2508cfbf74298ddeb1f008cd6f
SHA1f24d0ad5ee39d5d1e18ad4f7966b9536bc2aaf16
SHA2566fc07ca05c8962ea27bc826765117976666375d59559df3e4370f224a9504b91
SHA512f26f338fa0dae73c837b26d8067862a335b8f5131206b9082926bf430fda2ef85411131332480ce0a6e105591a7f5729cc081f14eb665531ae87852fbf0e2d83
-
Filesize
1KB
MD51249426537e82fa82672d4fb25346bb6
SHA1711095e3699427272855b1f28f5b6089f6839180
SHA2567b040524765fa1880eafe92dd02fc6773b8a08f8206a26d8baa5a8385452b409
SHA5128bef7426dd4ecbe5e9938b691c7226825cfcb94fddb8af6ffb5fcee274b14fa2ac64d0bf4875d9edd4c5e46986bdbd7c335a0b44616444ef1e2325c861606f04
-
Filesize
1KB
MD519b3269b6ffe23652d89eff05935cd21
SHA182ad84303f9b5efb7f3f7321827bdf4c257c5823
SHA2560e78ac0b48978414241fcba7ff3c905def8a93c894ee10b66a604aaee434cdb5
SHA5125d08bc9ffa8b8a965484a47102b0ac0062f34eb6418abee488da5f00712cc09e214884e7bdec9af4967d6bb055ae35a2c669b08b4efec30602a0dd4bed81dff9
-
Filesize
1KB
MD5862a24c07d68cfab3d401d4159058ba7
SHA1e3064d1faa186cd27c05de2ff1d06ec95c3630f0
SHA25652a9f61acf2e395fbbaf4ccc62421b567590d66e20e0bf6ee8d67bee740f1eb9
SHA5126f873b76547a44b78bf77248dc16ede1fef8fab26ea2ba45504544a9bf3f062be3cf2669e89cc93f0c8c0d24590e37c6a7251461cf50fab913e9a0b778c8d64f
-
Filesize
1KB
MD5b82e310015fde5dc4b98157b0cec3cd1
SHA1d2a7ea691e4c5cfdfd69164b786ffe1d41801237
SHA256554228c653223aace25f9fac2cbd69de26ec5cef6696f24b2a7d80c0ae22b326
SHA512beebe9dd548dce555ba231cc97253f08c5bde7f7456d2daa1ee4cc1bd016bc7e3d46b2e1e1d2214a8a1bcf18e10a128bea0e35f90bedae2647507b6a28020b83
-
Filesize
1KB
MD54c56aed53650d69b160494dcbf553de7
SHA110559b53dc456b60195ee4d36d550424e61fad5e
SHA256efb5bea3a1d76e81d3c84a8f62ecb6dd1fe7797e9a3e5ce96019f425b8a80046
SHA512cc0be0d0daa4ff522ff160dea12242aaa72e072aa06981959bd8f96cd5893000ec4e12982fefc9d8123b2ef2ab37e466986e6bdc69c659d3d87eb4d8df513caf
-
Filesize
1KB
MD54be26ae3149a0432a04a6ba113ce03e6
SHA1ff74253999d21e4f3eb3fe4674dc48495e20d598
SHA256e220be3e98f2af670451d9d1aa5f318c1a4b7c6665c17f0ccfe67c233af52fed
SHA512bf0f5ebb2b1e412f6bf6bb4bd96f2e2475a1903ff92cb8a793274aa4f6731ab5b7655277451c7c0729d2745b9e8e10415d65a5db12a798b06cefd1630cff640b
-
Filesize
1KB
MD5bc856d36867e4ddb53e6f1cad0260776
SHA1676551d52f2ce3abaab8a2d21cdf5d9f3de18022
SHA256ad026af8622832fbf2e0613466ece4a8d5d43efcf5d40a42f3422bfc8dddc777
SHA51245e57fe36ae52f86920221296d59f08325277aa93658bd241f43bbe33e3ca9cf70f98460f48f6a0166f4e1e3cec71d834e1e92d5e7959a3fda414108a412e5aa
-
Filesize
1KB
MD5d2f6d450b9a8f8c27689659b15cba9f4
SHA174ee8963f48e27ee27a29d0cf0e3e3f66dd4f399
SHA25613508513251dbe01ad3c3ea69f84fd298a666c94248f01a7f89b8a16ddcb7a06
SHA512df2acc9a1f9e1c72c57f08181f6479e67b48aa92ef20d21c5546c253a3beec4875c2f66e61d364a35cc997d7ef2cddd0d9a33a6dda06fc26251b14011ac94ae1
-
Filesize
1KB
MD525aea3e6b7b4cac063d08c7b6564877b
SHA175a8e2501ba87ef2af5f7675b2cef50494f4e374
SHA256a2a4f6164ad62bfafa91e7dadbde07ff487323b6108ed07e392243f8fdc59554
SHA512545d34a168bea4604a0382e2be917a554d0177cc11b63c2a3d8e675832082318eb57e28397d6b98fa23a6b8a623951a2291e751076f6ce0b8b6c975caff327c3
-
Filesize
1KB
MD5818a7173f6b6b2426439b1d095143ca6
SHA19ee432bd4d3bd361ce66150eccd31c81920af0a9
SHA2566f85a5cebb862fc650094e76c8f453531e2c1302462c2eca9284e32910c2312e
SHA5121f76a93445e54a21fbeda33b4de0655a6529954352936aee7f659b07168d63db96f4d5e5972eacbc297b560c536d9b46ef2d57cd4f297f2f2827b97370adaa35
-
Filesize
1KB
MD5898d9ec2a93887c3c337c5f0a2d38955
SHA167f7a49ed38757fed186c5c3ed327b83d26d7593
SHA256bce8a05eeb89b9ba3c24ab4ced393b9ae01eb08934916e5e044b0dce3b3d0fe0
SHA5122588f85e770d5c877f38aaa2630d887903b7cdd0e5983be893d2e754cc0e8662d9157c275833fdac221dbd5343cddf69e430d1df61e1631fb47667cdd2ee18d3
-
Filesize
1KB
MD5800465a9696d400afbd0255576d62d93
SHA15fc47bdf52af463c43771d482cfe049dd7cc9b5e
SHA2564414794fed2dbcbfff256c4e72962f2e256f33bd1a164304a1cb7e15219bdc2d
SHA512d5c9110020c799b47cf97122733af6fc8d7f5baed94902365771a500857c17579035f28d177450f36991ce8b28d014354f08fc8597e141e0a4dfccfccc008441
-
Filesize
874B
MD5f40f79ead7ca56f461ac6061a24b4990
SHA171b47f6ec392b5745e6988211994eec1748628fc
SHA256e490090740b8800fc83e0d48f0f29daa15ad1bc45bf67141442ca4309fd8f204
SHA5125a7b4e7e70d4a783209ca5a14049a79f454f5bc2ee1a5de24abc2e00d2cb56ff09dc7d093ca32ce8433af7310067010e91efddb9f079beb0efc448b4318d87ef
-
Filesize
1KB
MD5f7f17441e5c66ecca0861f0f289c8db6
SHA1c7c0f1712ae2b758293719ed70ab14efe8d13f19
SHA2563a86ebaf9e03c75e5c18ceeca289cf15ec5c6de849962c450a8f131a19a5a03d
SHA512f7b0eae69071e5cd91c461769a54790772cb84f59b4c0a66525a627e9346fdc3353f02daa748de38fa58602d890860f29c7044e02fffb45d5eeb3a5911c6348d
-
Filesize
1KB
MD5d31a028aff3785cff91aa0e3b4e63870
SHA14d290aa99029134699d48178a0a66409dd964927
SHA256ff1045193527ec01f3a890d3f1bf77db415709509b4eb6584accbdd4b0203ae3
SHA512754dc0fa3911554bb5254f19e0aa9155e2647ea4efac3b0e0daa7439a7ec5c1e063630225cd5713012538ea40f1c0dcbe77ad8ee2e995335d638927e415d67c0
-
Filesize
1KB
MD51b006bdc2901c700c1479b402c781964
SHA12cd4d78464359e77cc4cd572c2d83e8ab8a99c1b
SHA25672bb28e11dc0d2db557dabb6c24c1cc9aeaf8b74f82f12ac5d2a0832298fd621
SHA512af840ccceb86272d8967025d96d73669413418ca3e69e4340f52c5ef4de98442779f6e9ab992fd4e8bb4c168940ba337056df7f0823ae694c88c480c42000d7d
-
Filesize
1KB
MD5b19058e5e39abfd359d3e12f237730f6
SHA171be58f704667a2cee4f2532d1e8689776bf9028
SHA256e96da42f299e2065d1eae6524067bf4f0e5cf53543eb179a78dab417809dce7a
SHA512d2568ab97f1b83e8b4289573c3c56d60eb20f9041bca2078b266d663a020cc46ba83a7c7949083e2b85b969beb2f585e079b427434859e8cf7aed48126954deb
-
Filesize
372B
MD5d45661417627c5d0f73892e7e4e555b5
SHA10489d2a88e899b7259f710b46b861c314383f920
SHA256a8dd9f4be506e25ebcc61f000fe3bdd91fecb1aaba3baf2503e7ff9c21365095
SHA5127dd1555065014e76e34733ac97d6649e7272d0a58a1c19327369417de7fc6deac45c3a163c52ed4b0d9fc883d8e111b6bcb72b1ed0319ba34523a23276e84359
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD51cd0a0b66747c8667d0ee6d9e8b3e0a5
SHA1f38ea3abc73845f34e459ee4a54305af01983518
SHA25611d1bc98f977333df8a79c8bde89e7488851ad8450d3201be1335d8e37905949
SHA5124f12652e24167c8a2fa5aa89a0b649d0d6fe865c0afc952aeeb912b635d65b65998ae102ae557aa84eb4d449e6e5a5b2e12d9a976b9e6f0ff1122ce5d329dd81
-
Filesize
12KB
MD5a9b9c68b8957e5d6ca517a47f17363f2
SHA1b949dd8ba26f3dcf6dddf0941529d36aae4fa216
SHA256c2a7ec0329c2a26aeba4397a21ba973d9da95866a39835514737957f04ee909f
SHA5129e99187ede1b52e69bc286d3b3ec793aa68dad3d83b82a78c9e5784ed88001ce7d92e1a59383abaad167316ce6fd191d4c6b8c2c96809651ec6469403fbdd795
-
Filesize
12KB
MD5c6d3b70784f53bcabf74e292ea27d67a
SHA1ca57a04bd2d573a3a0516fc999191de43363f884
SHA25685ba672c8c87146b5793d5953496d0681215304bfbd4df092155f91ab5f7fbb5
SHA512120f650baff1625ad90a2018115c1445d6327e4687216ac0c35fc66fe094450e464a021bc730211b7580a2998471920038f67688eee56981961201975a08e7fc
-
Filesize
12KB
MD57e7d3759d786c2cff2ef21baad0293b1
SHA1123889db7f6d0136565730fea0ed669943e35148
SHA256d7173650f0342c370074be97a7458371fe36be3354aec9110c214903ee5be24f
SHA51203633cfa7cd0f4f32f2419e60ff4746b54f00fdfc93556cda1bd57d9d5b686e82f689ba5d15aa74e92ae66b4fd851259fbfb54345e46a3d5ff6660e0a0c4790c
-
Filesize
12KB
MD5ba440788b15f4b590a05c71bcabfab7a
SHA1cbeec66b74f5a11b955dacedd154424e823f302e
SHA25692d36174cb67396b0eec13d06c5594aeb7294263d4faa37b2e34f76d6a9fb68a
SHA512336a3ee8b25f79218edd628879b05775e8a975dcd536eeb0ef14ac7fc0c887d2e9d093002541d9c8d79217153968d766c24c4d3518b3507f086aeda464b5bb40
-
Filesize
12KB
MD5808839f3e6fb9056b40f07e739a47a3e
SHA12b8acb52fe6eec867254da5b40195adc07082c59
SHA256c5dd40ecd248f0b5c8161d25d56822b01931de7106ea56744e984b54fb0cfdd6
SHA5127c94a5295e236c5939f930498794a996ffad902725a57ede425e93a4ef4ce90c7940781dba664ce652894b8b17ef2a4a9fd9a73c1a97f86d215fbcecfb7430d4
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
40KB
MD54b68fdec8e89b3983ceb5190a2924003
SHA145588547dc335d87ea5768512b9f3fc72ffd84a3
SHA256554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca
SHA512b2205ad850301f179a078219c6ce29da82f8259f4ec05d980c210718551de916df52c314cb3963f3dd99dcfb9de188bd1c7c9ee310662ece426706493500036f
-
Filesize
232KB
MD560fabd1a2509b59831876d5e2aa71a6b
SHA18b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA2561dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA5123e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
Filesize
111KB
MD59d0d2fcb45b1ff9555711b47e0cd65e5
SHA1958f29a99cbb135c92c5d1cdffb9462be35ee9fd
SHA256dc476ae39effdd80399b6e36f1fde92c216a5bbdb6b8b2a7ecbe753e91e4c993
SHA5128fd4ce4674cd52a3c925149945a7a50a139302be17f6ee3f30271ebe1aa6d92bcb15a017dca989cd837a5d23cd56eaacc6344dc7730234a4629186976c857ca9
-
Filesize
2KB
MD5a56d479405b23976f162f3a4a74e48aa
SHA1f4f433b3f56315e1d469148bdfd835469526262f
SHA25617d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
Filesize
32KB
MD5eb9324121994e5e41f1738b5af8944b1
SHA1aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA2562f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA5127f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2
-
Filesize
246KB
MD59254ca1da9ff8ad492ca5fa06ca181c6
SHA170fa62e6232eae52467d29cf1c1dacb8a7aeab90
SHA25630676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6
SHA512a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a
-
Filesize
111KB
MD5e87a04c270f98bb6b5677cc789d1ad1d
SHA18c14cb338e23d4a82f6310d13b36729e543ff0ca
SHA256e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338
SHA5128784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
2.8MB
MD51535aa21451192109b86be9bcc7c4345
SHA11af211c686c4d4bf0239ed6620358a19691cf88c
SHA2564641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA5121762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
-
Filesize
129KB
MD50ec108e32c12ca7648254cf9718ad8d5
SHA178e07f54eeb6af5191c744ebb8da83dad895eca1
SHA25648b08ea78124ca010784d9f0faae751fc4a0c72c0e7149ded81fc03819f5d723
SHA5121129e685f5dd0cb2fa22ef4fe5da3f1e2632e890333ce17d3d06d04a4097b4d9f4ca7d242611ffc9e26079900945cf04ab6565a1c322e88e161f1929d18a2072
-
Filesize
3.0MB
MD5b6d61b516d41e209b207b41d91e3b90d
SHA1e50d4b7bf005075cb63d6bd9ad48c92a00ee9444
SHA2563d0efd55bde5fb7a73817940bac2a901d934b496738b7c5cab7ea0f6228e28fe
SHA5123217fc904e4c71b399dd273786634a6a6c19064a9bf96960df9b3357001c12b9547813412173149f6185eb5d300492d290342ec955a8347c6f9dcac338c136da
-
Filesize
4KB
MD593ceffafe7bb69ec3f9b4a90908ece46
SHA114c85fa8930f8bfbe1f9102a10f4b03d24a16d02
SHA256b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07
SHA512c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144
-
Filesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
Filesize
1.9MB
MD5faa6cb3e816adaeaabf2930457c79c33
SHA16539de41b48d271bf4237e6eb09b0ee40f9a2140
SHA2566680317e6eaa04315b47aaadd986262cd485c8a4bd843902f4c779c858a3e31b
SHA51258859556771203d736ee991b651a6a409de7e3059c2afe81d4545864295c383f75cfbabf3cffaa0c412a6ec27bf939f0893c28152f53512c7885e597db8d2c66