Resubmissions
submitted | ID | score
03-12-2024 21:44 | 241203-1lfvba1ncp | 6
19-10-2024 22:38 | 241019-2kv4aavgnm | 3
19-08-2024 01:19 | 240819-bpr93szapm | 3
19-08-2024 00:51 | 240819-a7mlwavcqg | 10
19-08-2024 00:48 | 240819-a5824avcka | 6
19-08-2024 00:44 | 240819-a3nndavara | 10
19-08-2024 00:41 | 240819-a12gfsvaja | 7
19-08-2024 00:39 | 240819-azr7dsthlh | 8
19-08-2024 00:02 | 240819-abjkcasema | 6
19-08-2024 00:00 | 240819-aas3dswaqk | 1

Analysis
max time kernel: 1762s
max time network: 1796s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19-08-2024 00:51
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Endermanch/MalwareDatabase
Resource: win11-20240802-en

General
Target: https://github.com/Endermanch/MalwareDatabase

Malware Config

Signatures
Suspicious use of NtCreateProcessExOtherParentProcess (12 IoCs)
description | pid | Process | procid_target
PID 4612 created 2276 | 4612 | taskmgr.exe | 153
PID 4612 created 2276 | 4612 | taskmgr.exe | 153
PID 4612 created 4160 | 4612 | taskmgr.exe | 162
PID 4612 created 4160 | 4612 | taskmgr.exe | 162
PID 4612 created 1600 | 4612 | taskmgr.exe | 158
PID 4612 created 1600 | 4612 | taskmgr.exe | 158
PID 4612 created 3708 | 4612 | taskmgr.exe | 154
PID 4612 created 3708 | 4612 | taskmgr.exe | 154
PID 4612 created 2752 | 4612 | taskmgr.exe | 151
PID 4612 created 2752 | 4612 | taskmgr.exe | 151
PID 4612 created 1892 | 4612 | taskmgr.exe | 161
PID 4612 created 1892 | 4612 | taskmgr.exe | 161
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Executes dropped EXE (28 IoCs)
pid | Process
4844 | [email protected]
2752 | Free YouTube Downloader.exe
2276 | Free YouTube Downloader.exe
3708 | Free YouTube Downloader.exe
4092 | Free YouTube Downloader.exe
1600 | Free YouTube Downloader.exe
1892 | Free YouTube Downloader.exe
4160 | Free YouTube Downloader.exe
4000 | Box.exe
124 | Box.exe
4556 | Box.exe
4248 | Box.exe
4124 | Box.exe
3448 | Box.exe
1000 | Box.exe
3288 | Box.exe
3092 | Box.exe
5028 | Box.exe
3196 | Box.exe
1716 | [email protected]
2020 | [email protected]
492 | ska2pwej.aeh.exe
2452 | ska2pwej.aeh.tmp
2036 | walliant.exe
1968 | Uninstall.exe
4336 | Uninstall.exe
2184 | unins000.exe
3956 | _iu14D2N.tmp
Loads dropped DLL (21 IoCs)
pid | Process
2036 | walliant.exe (21 identical entries)
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" | [email protected]
Set value (str) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\Walliant = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Walliant\\walliant.exe" | ska2pwej.aeh.tmp
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
4 | raw.githubusercontent.com
40 | raw.githubusercontent.com
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe | [email protected]
File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe | [email protected]
File opened for modification | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe | [email protected]
File created | C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini | [email protected]
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 3 IoCs)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe:Zone.Identifier | explorer.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\Temp1_FakeActivation.zip\[email protected]:Zone.Identifier | explorer.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\Temp1_DesktopPuzzle.zip\[email protected]:Zone.Identifier | explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 24 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Box.exe (11 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | [email protected] (4 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Uninstall.exe (2 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ska2pwej.aeh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ska2pwej.aeh.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | walliant.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unins000.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | _iu14D2N.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 14 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchHost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchHost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Kills process with taskkill (1 IoC)
pid | Process
4408 | taskkill.exe
Modifies registry class (64 IoCs)
\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000010000000000000002000000ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{885A186E-A440-4ADA-812B-DB871B942259} explorer.exe Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 explorer.exe -
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 walliant.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) walliant.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) walliant.exe
-
NTFS ADS 11 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Downloads\DesktopPuzzle.zip:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\AppData\Local\Temp\Temp1_FakeActivation.zip\[email protected]:Zone.Identifier explorer.exe
File opened for modification C:\Users\Admin\Downloads\Flasher.zip:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\SoftwareOnlineComplaint.pdf:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\Deskbottom.zip:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\FakeActivation.zip:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\HMBlocker.zip:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\Walliant.zip:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\AppData\Local\Temp\Temp1_DesktopPuzzle.zip\[email protected]:Zone.Identifier explorer.exe
File opened for modification C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe:Zone.Identifier explorer.exe
File opened for modification C:\Users\Admin\Downloads\CPURocket.7z:Zone.Identifier msedge.exe
-
Suspicious behavior: AddClipboardFormatListener 8 IoCs
pid Process 2656 explorer.exe 2656 explorer.exe 1092 WINWORD.EXE 1092 WINWORD.EXE 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2532 msedge.exe 2532 msedge.exe 2028 msedge.exe 2028 msedge.exe 2152 identity_helper.exe 2152 identity_helper.exe 4916 msedge.exe 4916 msedge.exe 2216 msedge.exe 2216 msedge.exe 5048 msedge.exe 5048 msedge.exe 1620 msedge.exe 1620 msedge.exe 224 msedge.exe 224 msedge.exe 224 msedge.exe 224 msedge.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1700 msedge.exe 1700 msedge.exe 2588 msedge.exe 2588 msedge.exe 3488 msedge.exe 3488 msedge.exe 4636 msedge.exe 4636 msedge.exe 2656 explorer.exe 2656 explorer.exe 3644 msedge.exe 3644 msedge.exe 2124 taskmgr.exe 2124 taskmgr.exe 2124 taskmgr.exe 2124 taskmgr.exe 2124 taskmgr.exe 2124 taskmgr.exe 2124 taskmgr.exe 2124 taskmgr.exe 2124 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 2656 explorer.exe 4612 taskmgr.exe 2512 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs
pid Process 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 1608 msedge.exe 1608 msedge.exe 1608 msedge.exe 1608 msedge.exe 1608 msedge.exe 1608 msedge.exe 1608 msedge.exe 3628 msedge.exe 3628 msedge.exe 3628 msedge.exe 3628 msedge.exe 3628 msedge.exe 3628 msedge.exe 3628 msedge.exe 3628 msedge.exe 3628 msedge.exe 3628 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1876 taskmgr.exe Token: SeSystemProfilePrivilege 1876 taskmgr.exe Token: SeCreateGlobalPrivilege 1876 taskmgr.exe Token: 33 1876 taskmgr.exe Token: SeIncBasePriorityPrivilege 1876 taskmgr.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe Token: SeCreatePagefilePrivilege 2656 explorer.exe Token: SeShutdownPrivilege 2656 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 1876 taskmgr.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2028 msedge.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 280 OpenWith.exe 4128 OpenWith.exe 3512 OpenWith.exe 2656 explorer.exe 1068 SearchHost.exe 8 StartMenuExperienceHost.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 4844 [email protected] 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 1092 WINWORD.EXE 1092 WINWORD.EXE 1092 WINWORD.EXE 1092 WINWORD.EXE 1092 WINWORD.EXE 1092 WINWORD.EXE 1092 WINWORD.EXE 2656 explorer.exe 2656 explorer.exe 1092 WINWORD.EXE 1092 WINWORD.EXE 1092 WINWORD.EXE 1092 WINWORD.EXE 2656 explorer.exe 2656 explorer.exe 1092 WINWORD.EXE 1092 WINWORD.EXE 1092 WINWORD.EXE 1092 WINWORD.EXE 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2036 walliant.exe 2036 walliant.exe 1092 WINWORD.EXE 1092 WINWORD.EXE 1092 WINWORD.EXE 1092 WINWORD.EXE 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 1968 Uninstall.exe 4336 Uninstall.exe 2656 explorer.exe 2656 explorer.exe 2656 explorer.exe 1092 WINWORD.EXE 1092 WINWORD.EXE 1092 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2028 wrote to memory of 2064 2028 msedge.exe 80 PID 2028 wrote to memory of 2064 2028 msedge.exe 80 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 1832 2028 msedge.exe 83 PID 2028 wrote to memory of 2532 2028 msedge.exe 84 PID 2028 wrote to memory of 2532 2028 msedge.exe 84 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 PID 2028 wrote to memory of 3748 2028 msedge.exe 85 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2028

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xa8,0x10c,0x7fff5cf63cb8,0x7fff5cf63cc8,0x7fff5cf63cd8
  PID:2064

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  PID:1832

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:2532

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  PID:3748

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  PID:220

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  PID:4364

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:2152

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:4916

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  PID:584

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  PID:2440

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  PID:4324

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  PID:332

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  PID:2188

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2216

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  PID:4348

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  PID:1512

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:8
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5048

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  PID:3068

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  PID:4880

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=1816 /prefetch:6
  PID:2156

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  PID:1612

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1620

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3304 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID:224

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  PID:1072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:12⤵PID:5112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:12⤵PID:1368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2448 /prefetch:12⤵PID:2752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:12⤵PID:1084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6816 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:12⤵PID:3712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:12⤵PID:3024
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1276 /prefetch:12⤵PID:1736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,5129699551371154355,1757231462484011478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3880 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3644
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4480
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3348
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:280
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:4128
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:3512
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Deskbottom.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_Deskbottom.zip\[email protected]"1⤵
- System Location Discovery: System Language Discovery
PID:2328
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1876
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\f09724def3dd47aaaf4535fac85f1e6c /t 3344 /p 33401⤵PID:3592
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2656 -
C:\Users\Admin\AppData\Local\Temp\Temp1_FakeActivation.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_FakeActivation.zip\[email protected]"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4844 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"3⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4000
-
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3288
-
-
-
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"2⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:124
-
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3092
-
-
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"2⤵
- Executes dropped EXE
PID:3708 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4556
-
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5028
-
-
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"2⤵
- Executes dropped EXE
PID:4092 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4248
-
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3196
-
-
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"2⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4124
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /02⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2124
-
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"2⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3448
-
-
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"2⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1000
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1608 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5cf63cb8,0x7fff5cf63cc8,0x7fff5cf63cd83⤵PID:3776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,3677632648188477476,7797611409836052579,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1800 /prefetch:23⤵PID:5052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,3677632648188477476,7797611409836052579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:33⤵PID:3716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,3677632648188477476,7797611409836052579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:83⤵PID:1632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3677632648188477476,7797611409836052579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:13⤵PID:3656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3677632648188477476,7797611409836052579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:13⤵PID:804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3677632648188477476,7797611409836052579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:13⤵PID:448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3677632648188477476,7797611409836052579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:13⤵PID:3460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1832,3677632648188477476,7797611409836052579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:83⤵PID:2876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3677632648188477476,7797611409836052579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:13⤵PID:5020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3677632648188477476,7797611409836052579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:13⤵PID:4388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1832,3677632648188477476,7797611409836052579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:83⤵PID:3004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,3677632648188477476,7797611409836052579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:13⤵PID:3528
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /02⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:4612
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\New Microsoft Word Document.docx" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3628 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5cf63cb8,0x7fff5cf63cc8,0x7fff5cf63cd83⤵PID:3600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:23⤵PID:5048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:33⤵PID:4764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:83⤵PID:2152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:13⤵PID:4528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:13⤵PID:892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:13⤵PID:4804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:13⤵PID:2072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:13⤵PID:4336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:83⤵PID:5052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:13⤵PID:2696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:13⤵PID:3056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:13⤵PID:2360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:13⤵PID:2644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:13⤵PID:2532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:83⤵PID:4424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1764,17804769724565616922,17256894829146920676,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6072 /prefetch:23⤵PID:4532
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_DesktopPuzzle.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_DesktopPuzzle.zip\[email protected]"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1716
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_DesktopPuzzle.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_DesktopPuzzle.zip\[email protected]"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2020

C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 492

C:\Users\Admin\AppData\Local\Temp\is-VUO4K.tmp\ska2pwej.aeh.tmp (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\is-VUO4K.tmp\ska2pwej.aeh.tmp" /SL5="$100212,4511977,830464,C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant.zip\ska2pwej.aeh.exe"
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID: 2452

C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe (level 4)
Command line: "C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID: 2036

C:\Windows\system32\taskmgr.exe (level 2)
Command line: "C:\Windows\system32\taskmgr.exe" /0
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID: 2512

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe (level 2)
Command line: "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1968

C:\Users\Admin\AppData\Local\Temp\Uninstall.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\Uninstall.exe" end
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4336

C:\Users\Admin\AppData\Local\Programs\Walliant\unins000.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Programs\Walliant\unins000.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2184

C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Users\Admin\AppData\Local\Programs\Walliant\unins000.exe" /FIRSTPHASEWND=$703D6
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3956

C:\Windows\SysWOW64\cmd.exe (level 4)
Command line: "C:\Windows\system32\cmd.exe" /C "taskkill /F /T /IM walliant.exe
- System Location Discovery: System Language Discovery
PID: 5056

C:\Windows\SysWOW64\taskkill.exe (level 5)
Command line: taskkill /F /T /IM walliant.exe
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID: 4408

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1)
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 8

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe (level 1)
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 1068

C:\Windows\System32\rundll32.exe (level 1)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 3880

C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3896

C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 260

C:\Windows\system32\werfault.exe (level 1)
Command line: werfault.exe /h /shared Global\be5e0944b2774d14ac6c2bc22a076726 /t 5024 /p 2276
PID: 2452

C:\Windows\system32\werfault.exe (level 1)
Command line: werfault.exe /h /shared Global\42884709bf6a488ebdb02180b2718d62 /t 1964 /p 4160
PID: 4452

C:\Windows\system32\werfault.exe (level 1)
Command line: werfault.exe /h /shared Global\1726ee83920b46de9619433a63f7c2e5 /t 3800 /p 1600
PID: 3436

C:\Windows\system32\werfault.exe (level 1)
Command line: werfault.exe /h /shared Global\7c8239d260284a46a21e364299d415d2 /t 3480 /p 3708
PID: 4176

C:\Windows\system32\werfault.exe (level 1)
Command line: werfault.exe /h /shared Global\356c880cfcb644ae979c2f210afb27b6 /t 3772 /p 2752
PID: 3044

C:\Windows\system32\werfault.exe (level 1)
Command line: werfault.exe /h /shared Global\6c76530d9b29429090c720652bf73b59 /t 880 /p 1892
PID: 3216

C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 888

C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3896

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe (level 1)
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
PID: 4000
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (4)
- Subvert Trust Controls (2)
  - Install Root Certificate (1)
  - SIP and Trust Provider Hijacking (1)
Downloads
-
Filesize
64KB
MD59e466b4837d8431be725d6b9c1b4d9ef
SHA13f247b7c89985a41d839cad351cd0fc182fcb284
SHA2562f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d
SHA51201de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
152B
MD59828ffacf3deee7f4c1300366ec22fab
SHA19aff54b57502b0fc2be1b0b4b3380256fb785602
SHA256a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7
SHA5122e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d
-
Filesize
152B
MD533283e35e23033332d4a139e2f65d375
SHA115329faa7f816fbbdf558ec9bb7d47d09f0e72e1
SHA25649d57921366b017b08bc13942d5d3f0f146167cae92058fd13289b8df1cddfc4
SHA51236b620c0813445358143c54bb06da8dd933b8e61104fb34cb9b5f03a6c9133a195e4fca6ade1b79ed93c62fb3439f4fd5df40bae8e9aa4c8fde72e17a03079c6
-
Filesize
152B
MD5cc2429a9fdf1ff1b068b456a6f9edb5a
SHA1ccd3f60cc81c69bc5edad4d618e10e601d492802
SHA25689b660e0941a7b9f25b7be9bd3e77d35b2121f6d0b940d46851b8ebc5918826e
SHA5128ad8c90e98833f9bab7efda39f0e3c343fbd36aba8c54c53a722e88ab8c79a6b12971171ee42332552b107e84bcac1342d609b389f8d34d06264b2a73015a9ae
-
Filesize
152B
MD55840c56c567c79be6cc464545e5dec3f
SHA1a4b568d56c1cfd6ca48104a013ecb09ab40008da
SHA256a748de7dadb84bfc2bf38509f1cc01cd561b2d520eb3adc5859707644b8c615f
SHA51277e2a54845d4480dece6ffe1aca4f5d9dbb2bf9df2f8695b42b9ef43ad9a7e47ab0476c30cac67f622786a64ecd7bf8085635c4b9195d61ee91d07e1032f18c3
-
Filesize
152B
MD56fdbe80e9fe20761b59e8f32398f4b14
SHA1049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f
SHA256b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942
SHA512cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7b2a8b21-af02-4a66-abea-04a3ca3050be.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD55da530d45a70ae07b207e43f19c07348
SHA18838ad0e5d163b3c2153e28e83b0d37907d89a69
SHA256a89e2018bbd3502a179477b6e2c8ed47d3d04fdb0d31089851454c8e2bf34f05
SHA512aef0239116bb67e59d94ba197ca69deabf08b2588f33c19281808a885ae69202cbe8fc87c88a7b4cd1a6b22fe337b878a02e3b60a9d7817f2f5be271c62c1a7d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5988a3a6b12ef07042d67d74269427300
SHA14dd8abf8bdfdc2e48fd4426141f012254e8a4a9f
SHA256a68d3ca647390c0505db0fcc57467c6f5a0f6108e3c145ec61ef951a73b79d85
SHA512d11a8de9667018d639e5ff39859de57fde4a96d4797f35f425fcf1f0eb39e07150c4c348ad9cf25d4cf0a18160576c3a7a46b21e25cffc3502644478d25d6c72
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD589ba1adb09a21ce02c56214dd298385c
SHA123a3f586518d7b5c86f80d810f3dcf72dc06f4eb
SHA256305dd0c6d77566cf7e124d42f1b29f12b59ffac42dee43311dded9953a550aa4
SHA512e60d227ca018462d17c1fde010d390122b55eaf714c44c7f395a90f6910d6ad07a9aa47ebd82d66587c2fa1444626c1b1d91ba6813b87396f147dc10c8e5db11
-
Filesize
264KB
MD5e5a3e7e4eed5639db2e2f3e33a8ec806
SHA1fab155367bc845bec097b48d50bd856ca8665343
SHA256c58e1f38669fe8ad6deeaf3e9aad7033f8d5c6c21e34b408441e8902234a3ca9
SHA5128a4458eeaace3c749991e29366546a62822e2446ac4f84be11430c6809f3fc7a349240cf08114181cad2bae10787b24696f4ebd6efeb356a02c1a6ab064f9771
-
Filesize
739B
MD550691dd47cd1a25c517a1a8f148e47e9
SHA184d0cbd72f26171a89fcb98a648e31cc741e59d0
SHA256bbdda216562894ec8f27b9dee361ce48730d72515553853fd2c5b243daadefa4
SHA51243bb77214f696630ba4227c8c321abf423ce15e4578ffc0aa9b9e3adf043030feb9b246611ef778bc364430167254dc81a5ca401552487adc73ea6a440000608
-
Filesize
739B
MD5e94ff2aa5416a64d7f6cf099310105e9
SHA1dd12ebfb87e7ffc0ba6823d00c063e4caa4d1d51
SHA25627d0b0f1618c95dd17b6e0f72048dc29f9b9433490c4be6e246333a91c89fb84
SHA51272c56e4473ab9655d3d5693e1258ac77ba5346996cca5625e8400c2175053c095f3b48e2f4c90556d88a387fe9ecc75381b78a9ae234805714dcf00cf4ead7d4
-
Filesize
739B
MD519fa6bbfbcb0911679a52c80611c02a4
SHA169f6ed3c4a2bed160c920b02d277f6da8f7d9ff1
SHA2563dbf65feac59a07f5c4aaad5cb2bf53e9799d5775af2892fb1f2167952f6c9bf
SHA5127037468bc5e57e0fa3cf9f8d6dcb0496f2007a15ce5c9a1183196c288216d8674de44e7a923219d9b010c14512a5d9edd3c4cfa52192fcbfe4dcb4875b6d104f
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
669B
MD5366d1c10cf5779f3891b958ffdca1987
SHA10b7fc789001f2e8f1331c454c6d410a938ce25a6
SHA25660ce7406639e9dcaaddd36da1fc83be7ebeb2175ae6a7f65e50fb92f18f318b9
SHA512b338fd68a83e99544eca6eff460398ac545368e2d276752d85360f06fe8e4c505884a424923bf1c0a6c02384ab3997964c85c5ed5e2a9bc1210c207091f7c7aa
-
Filesize
739B
MD5a481a0746eaa255f00707ac1936455b5
SHA11be24b612659e1ebd3cda9e1a4e877ed71f14f51
SHA2567a50c6a6698968cc5a5d5b1aafefb7d4747003635a321d0fcac580ee6cbd20c9
SHA5128e5ccdcff01eda09c33d5d57013bc7f428a62c3c2157e3f2d7a3d1ee98d248f6e8a91d049da157c1581d260418bef579e95e019ca7b5404dfdc311636bc65996
-
Filesize
739B
MD57849d2108262d251fe6bd64d6be210b9
SHA1191810d50988ba6b9e42e8f59252b89b2086f9cd
SHA2567d5fb7d8fd0bf40da948e007a597518cceb5e33b109b3893127cf16cd90812a1
SHA512de1434c5f369817e6d16cdd19476482afc39a8cf97921b82491e2b11638ad0026bd24233773bde6e59d041192ae224a5c1265a34ae9f473987bc97453286b25b
-
Filesize
669B
MD53e82e31df16c611906eb4fafbb7f8c9e
SHA1146f48b1cc3e631182421f04f908621d03b844cb
SHA25622f0b47ccdaa357d282b24e0e04a5c9fde5a0db67def1ea54e45cf8eef3dd28f
SHA51260930397fc358a712430e75e26caafdaf187d5a933924a4f20d6e04f5e915fe7ce61abd38ad72da72df2e8c9693e00c5d3aa4f1c5db60a7a26fe40698d12fc64
-
Filesize
5KB
MD580226212058910ea751203040a8d375f
SHA1707647f2a85394eec8e9a3e0d1e0ce6db6873233
SHA256e0c88805d3e47b00dba73291a74ff3da37e7a0f4fbaf47494b796eec7fe3ad9a
SHA51235d3e6f65b8b07d064f251a4370a87427604e96356e3fc0644207725e50e7771d0d28f87dea47394c9b9200d3ae07a147f5389329ee8cfced185173449d8d950
-
Filesize
6KB
MD5c11384d31c1a5caddd0bf61ee92ba0a6
SHA1c165afcea728e7feea62252c26abbd7b66a66218
SHA2564778b555c772c10ff64e8f679e77eca36781e163b43a8a327cc275be65df4b59
SHA512cc2b8085dc7be9a2b515fd36e5fbd21af45520ab6518aeb47e6c113bf627e46a32538a5bf8505e35eb77afe812809fa2d0825c52dd238a8657e40c56cd0f4e54
-
Filesize
6KB
MD57109a542d0a713664a39a82c899e9142
SHA1a5a6e9ae58ef75b0cb25078a3531b5061902d473
SHA2567ec2553922ce7d0aaf35670c985e24089fd5db6fbb9e9a58829a3c90874008e0
SHA512db0c1fc3e405439c13409a4c905a4bbec7896d9f87b6c2e25b593a48ca47bf8d1e4833b024a8478882b85cf2fbee375cb2b005a70ab08a5d04207e2893eb121d
-
Filesize
6KB
MD5c88b6ac8c91c3009e9f75e153c112642
SHA1be120c33aff1b503b6ed3016a0642549a550f62e
SHA2562e2651767d9fe13aad47d673d85ac0c080cb69f670340c0a81eb0bdb989593e5
SHA5126a50253c1df1c8f40eca1afa1d9c18bd3fa8b26beba21cc2f164de90b0b47b1755420331a13188730e9a7742327f6136f028a07b929bfe352f30ee6c4c6954cf
-
Filesize
6KB
MD57473b07e8feb2632fdc471432a092d15
SHA1477aa00fec12f17621c5d8b02188d7379a0bc08a
SHA25674a1cb4fc26ecc29c8b281fde29f4177bc111f9d7cc686a802c696f1cb82fb5b
SHA5120eae2375adf0c8ea5fa9a216f86a70761c87245de85a3dbbd2131199e3f03a493cdf765c4da58ce9ccee31a846014299ab151b88da32e9cdf39cdf97b7f1dc0c
-
Filesize
6KB
MD54d56954f9ae7ba304fe306134aec6866
SHA1b1da285bff57a4f561568ed672015dccb12d048f
SHA2565c4e99cbfae1ef80967171061b6a17ac9c5a4602c395de06640a76aa284cb521
SHA5129d26345c803b35da5f1efb319513f305fc57369078ef29a9219a8d764f8673d88464a2c4e601670c4f27f5ee2aded4dd186dd07415abaf338fa3fd9199aeac01
-
Filesize
6KB
MD5746a87f37e8184e134fdef7a02683025
SHA181058ec1a0f291efe4212a47a2438922b62538b5
SHA25630cbad6da335fc5a69aec1facaaace80e5a1b00c12b13572464a2f0c6f1bf30b
SHA512e1e7792b26fbd97360f594cf5492f77a6f13461357255fae164f859d70dc6b62da6bc90c4de73ef3192d0c36fe6ae9176a637e7ebf68d86992bcc71e8e59bdd1
-
Filesize
6KB
MD5737f413ee8d7acad54644ade5b40cf96
SHA153bb160a3cd9f60169886887504089cbf4e831f2
SHA2564ce5b11abcd3e1dcf23ee48189d66ae942bb8964b5758b612e992a51a22af221
SHA5127e88dab6ff1d5ba3543d421270737369c9e45381cf235dbaa10b09db7774c3968f50634e0ef16fc98015fdaacf481002a91e8c4de8441a9172660fab817713ac
-
Filesize
6KB
MD5fed717655dc813a902659439c248a57a
SHA1b0b9a7976b8ab94dfd28a23924f570875abc9b5f
SHA25625304747af32db675657b16b1b62c694365ada4b12048c46bded10a837f8fb9f
SHA51257fe81a260ab377a2a723dcc30fbd8639f22fec5e187c629340c9b58dc0fcba9d412d022a7b872669fe3791d968360c8018f469e2d31e7aa7f9cc483f8dc044a
-
Filesize
6KB
MD53f5100860e3cecd61c56b1835cda8eee
SHA178031a8c784cd38a2806fde0af53ad4afa2cc959
SHA2565eea51430c7eff9a09dcf20b271119e3e896ccebd18a27172ccf41b7155fb313
SHA51209a0bd739c7b11e0c6d398a2cf09ff90d81ef850413b60c7c7f999a0333631ad3ebba02247b52a312d55927cb29556f11cf3bc049d8cb6e78e9188c98558b3bb
-
Filesize
6KB
MD52804fd15bc657b67861bc94104a55812
SHA109ec79a9c7d35a4f7c2b7ad86ed4361de3897e5d
SHA25605a86b5e3ce2eb86812a87f7ca45448e1ff8d725f37f70f2eee8869b4b61b01d
SHA512a8ae5948f1708a79fc8cb392aa52d5d6747d987d07735e4ed53bd67eb6a805d15ee382ef9cf72dd52c7c443adab0a5dbd0bebf24606db2ca9410efe9379d5ce5
-
Filesize
6KB
MD5f1d5993620a7fcdf07feb034fbeb4594
SHA118bf57981e058fd83acb96f7dd010796f589022f
SHA2561afd6fce2d49c6c8470bd6e49fbe969b92b21a013f13321238f0a6e2cca91596
SHA512d4865ad9f773a7e03ec36fbc40c9ddfeadc45f171837048ea59f6124f62265a894b4fd6b0993e8f71337b8bf84f05db0505050c4ecdaf8a92f222a7a9a0d8319
-
Filesize
6KB
MD57c4634ec102d59741c80a75f6266f506
SHA15bc1a693155b456df7b6e10990ff8c43999c919b
SHA256e18b6f692f225cd14f035f6d111175af777bc4358e74386a0f81e02f026ae58c
SHA5120631fc8bdcee8d1e6785dc7fd6cc609ef451f1009e9f9004b89b98ab2c9ce4354a8684c2a00f8ccea6518e39b04a3f1e46fd011e4d05d50929c7fc7387fdd411
-
Filesize
6KB
MD5eb2aeb7df11a62d7a0891b7337a69a3b
SHA18526e1400a20e0737c547a95e28078dd0e736013
SHA256e84b73f7cded744e5ac0d669fe5090cfb31bdd143fea45435ea79e268fc31d18
SHA5128ec18878b7f46f0e746ddcf81c412541e1f8cc54e1a817d6489ae8df2568bfa763aecf6b2d336c4438e8cfffe813413ba45ac6d5381a4cd757a0a2a46c1bdaf5
-
Filesize
6KB
MD5d5a5ccf3bd00f5cbd84afafc99a9d3db
SHA19f64ca398e2c7efa6a16cfff6542141754ec4877
SHA256ead2b4f6de582b10bca84e6fadef15124146b614ba41979b23457571ed02ced1
SHA51282000ec01b28b2fe8d27174b73180983ea45fb0fa7c4432b2321b1fa1f977ea0e26945651f83bc558551f3a6f4d0b0fb6c4cfffffbbc90fe05b6b7b858d67d78
-
Filesize
6KB
MD5b27c265ffc21e58db789237d60838716
SHA1393ac39d58c2f2b3631c8036ff3e36494f252a1c
SHA25659e6da9c32ff8b57c0f05163b6489163e0ecb0fccedb8cc25deafad53487e97c
SHA512e61af3dc94eb09154745c121091b8bbd69199c583ad1a11f20160ada37147d818e1fc36a713f7065671db29c170452d086f0b5304c3d0bf4a4b8b3ace01a6851
-
Filesize
6KB
MD5073b40f2825c5d05faa7cce486cecf47
SHA113e90a65de01004b6e6f3afd9d334cbb3bd8be36
SHA2569b68fead4ccd5e811e9b49ebba566ac0152da1ca32e2bbdcaa51ac9418c9920b
SHA5122042f6bba7fc89e509a464db61128f4018e9c9af6ae031fda1ae4baae5792c55e21e2b6eb6b1493254b23fc05be0c82005a53be7fa7543d2225b62649a756184
-
Filesize
6KB
MD50a17e0b8ac092dade95d02f774853d49
SHA1d7f4cbed370e51744220a594b56e360f4925a7d0
SHA25640ad170c559b111a59a63659df031e0f65bc2acdc1152671725be0315122049e
SHA5127b36ecca026380b8ff7bc4c3461f5407beba9f7f30b702545018b3d34a01e4267685d068bc622676143626ba3140774d727d20068c59b73fbd670f32a32b658c
-
Filesize
1KB
MD5342ea3bf09e711f8f2ebcf58cbe1c55e
SHA1d9c05c0ee9b56656c949b6869db0b6ed217eca08
SHA256bccfa1e35de0b919f909a69a80cbe005fc0fb4a8c586c1d87a25b8956f1bf40d
SHA512bb0ea70a46d756f5cce3bf1d8771be5122b7b2eca3cd5b23edd78efbee26bcd5b45fb7d93f867e9c34f82c8a5691c4c52aee19f7d6dfc0bc049035284a7639e5
-
Filesize
1KB
MD51c43fcd70a2ad797f88257909882d7c5
SHA128943242c3da1e4ebb44b14f61869d7f7aeef6ff
SHA25650349387fca0a425f7225a6433a0605c8a76d44cd8188a7447782817ac1f250e
SHA512fc29c7a47b3deded1854dd4e0d1b3bb8334aa0edb9444373a16f45cb1cc89eed07b9dd649d908a828672ea157c05bccae509fb97430c266ae64affb4e36adbf7
-
Filesize
1KB
MD5c81ae0715f041a74817148a1b958f44e
SHA1c3676459c8dff84749d3d200a75a464c81ffb7f4
SHA256004b1d2abcfe785fb81f192253609932a7957519e55f0f4853f2d596b3cb5028
SHA5123bca02dfb1bcd53557a0e1d3c6f8b7c3069759b5478ed4b3c633ff1df28e83593b2c38a95f49eb76e1978390bfe8ea220bd5edb0bd8281650fe8efe129f8989c
-
Filesize
1KB
MD525df335233325c1712361b52fbd72787
SHA12dac3afa0c99bdbf985f80fb219add1242a8dd7e
SHA25685db0fdb68ca462bcfdb64e4aa85e1b1bf6b4e3dd0b3912a729e64d72f3f90bc
SHA512ebec5b72e0ca4c57d8b00bbab76caafa9d189a431b15d40d62d49fd19e2df7e4975ed7527b8f37bcb19895882077d38a2ca431b01dc0664695586f4aeb714f84
-
Filesize
1KB
MD5fef0f453811c6bb84704732c7598375f
SHA17f84c7f9e15b379108efe66879c03ed819b8c1a1
SHA2564fdfb8a5c76dea1b5bff05517086558a82bf3695fa4b34ddb0225a6f7c641293
SHA5120d7702f3f9f867bdb5195370aafcc12c7b5887d1a256882d13855348953719e43522f5f64447c4188ae3d385715a48404d6a07b3b918dfd978d361f7ca455b0d
-
Filesize
1KB
MD532eb0cda8b1ea0e5414a8681822d6764
SHA1adaf4451519c3662c71d0f9fdd2b5a839b8f0d92
SHA25627f6324afd0bbfe1d1f018602cd03aca1827d4c305c993af2eb498d384ece855
SHA512dd9b8fc62a622f820e510685cb96c1f2741a7f0dbb27f0e4863ac3e6c1553595f537cae4a4c6e2935c5475e851a52c0987e60bb75621f662bbe22202769c8a1e
-
Filesize
1KB
MD50a723d6ddb8b2ca76d5e6d6ba91dc5af
SHA1423840269a5ab34acdbe09dc02b36505c1c36b30
SHA25633598b1a96c9171df0ddcf882a70df206583a168b012fde441c9dd8474f73a83
SHA512f3356fd1a4ce626d7e85c139cdf725202ed251210c4297bb1f2e2d54983c4ebbc2fdcdadd58f3d2f56154e5126ff00882fc814dc94dbb3e47289265ac5263a4a
-
Filesize
1KB
MD5fa16b46180fd8512365342cc4f28a653
SHA198dab3e442d92ba73e913e77c2dcfed391629046
SHA2568e250e62e62fe6f6b63b733fa9b528ce6e11f2bc2bd982facdb75073b8fb876d
SHA512dea384dac5688514f7f4e165cb7abb2cc70fa93337e67a3f1fc538d6211f387f0bbe09b5ccbd6f1535b97f5ecbfba9a4d428784b4113278f15a1886781ac9615
-
Filesize
1KB
MD59521de4b63320c7c84ecf0751d1ff7b1
SHA129e10ad5d925970383ecb34d89df2f5c38026cd8
SHA2567c808248da827771488fe8df5438a77e6f0bb550ff892d1ab0a2a3572949b4cc
SHA51238b69a6f2b15c791e7a7bfe617af9363a91b2a396826481d5a0c0f07a2cc02690c2369f0150bc0dbd36a437eae40289c1318026091147dfd6b2af5ad7c1b7b3a
-
Filesize
1KB
MD51428c82ff2b97680ab55d0201da6f06d
SHA1decddd943788680c91a132a7c5590426c2a829b3
SHA256d30558f078dc17fb83992e00b8634938c2eb84ab30aa6f364d8dd32f16bfad17
SHA5124308aaa14fd98a1148f3d852265533b8f16dbd32b10e05943451790a8a4fff5f164eb6be410495745f7981a1e973811c4583b4ddb052a92b3f404a51a6591933
-
Filesize
1KB
MD52a32466b0ee2dff7e5e2602239cd842a
SHA183e678df2df004d1eebb1f6de5b1167fd4fd02e0
SHA256ff6eb1d6a18954d11183e420e67f631a1a31d1d18cf5ea7ae6dcc8c41e660cb9
SHA512b24bf46c23c86fb12f9bf153d3dd329073f63873dac9d1193ec87cb8369f63934524a2c28084a4e9ee339544540ea600d3b39f44ba98045ba066e01f80af89ef
-
Filesize
1KB
MD520818b336622051b3794d8f5e74f862e
SHA160c7d6df8359639853eef336c780f49340670cda
SHA2563b19bf2149473a208c2731ea0f19ee9ee4fdeba85222f445181435044b8f8a2a
SHA512373360f0071e8ca50da0897e40554c12eb93f67d7b0688f06efe192130757686b627976be73f12bd6ea61560fea8aeb67adbb1feb90808c9f1c892a1da6da71d
-
Filesize
1KB
MD57bb0e198bde1236835395bdad5e0d311
SHA18d8cbb4e162b7be3e2b5bdb0c1777a53a9544a91
SHA25624ea66fd302b28149fa3f4003b02e64dcee0c9b3ae5c2387b61f985c41f33891
SHA512f399872e4d1b9db74bd5ad32f43407ac8d71ad8bc2e9e858b78ae9cf6787aed0f9e03d67fd9cff332a1f89796fff07741c162e6f04d739a213b282dfc57ceb46
-
Filesize
1KB
MD57879b94b12f502cfe66ff70136d92ca4
SHA19c316ab6d84a187cfeaf5b7970b36da6e8d369de
SHA256623c8ff49b888ec5b8ee39a5404c92d30f9ee86bfc9204cda5e319218ccb1a7a
SHA51229226fe8b6af819a6ceed5871c9b8a78aba9197a5504c6143f41c2ffc47af25063e54c782e7b373f5fba0c6c6310a550885d048fb8eb69d5b12f484389dbf2a1
-
Filesize
1KB
MD598ff12584dd2db5aa23ad37e739799e4
SHA1159f24681dcbcc9240a28df148031249679a5bb0
SHA256b04e73de36ef8f4dcda79a61ba71349f2c18bc1280fc3dcb8d3d93a8ad7fa2c5
SHA5123b0c8fed5d22c9f1b42b4ce73aabc6283f524c5c88fda36fb14bdef1fcdda6c69a92d2fdc279be40d4d3d3c6c4552141f4b547fe20b4f4f367e7eae9c27d9c8c
-
Filesize
1KB
MD5c69d78033e61cd748ac856a13eb4d644
SHA1ff4c9bdee506b2ab6601bc40ac0790481d98979c
SHA256984597e7ddba4de2b6e2cd618072efbf1f569a7c44edd92d6a0c878796619b78
SHA512bb53fa139a7d6d89b39b195445ad01f0e63a9a2c4d1ee07c77eac8d27e93c49f55e69c1a400c332917d6377b7ed8473c12052a91dcb031ada09ae1d4e7c10c31
-
Filesize
1KB
MD52db08e31ea7a38063a41c981a87482df
SHA105ab2bb7bfa279640491ea8287965c77bbf60a0d
SHA25648eaa9680960b891aca2a77c88441fda950bcfd7afdf72b52a40394d92f38b3a
SHA512c41a7389c5dffafeb604185a818db2ad34a5e10d2a93f035ba0358af28b16e06c5981d32f22cd82c0795f3fc6a43f156d08a5c14e6328e14d588f8914f7a387a
-
Filesize
1KB
MD585293a06740a2ebd56ac7ca9b2206ced
SHA1de85b60e25a582dbe985b06b945999c19bcd0fad
SHA2565c138815180f19aaf91a4294502ed21bedae8b35e52bf7799a3f724d803dc757
SHA512561d6a205f82a16b4402adacff7c3dca84e4b14cf51b298a3c289ba287426b58246c23d5bccc10621eb38728f063fddaabfdd82d6a4834dfc287c9883ff2da4e
-
Filesize
1KB
MD558df105b75fb8e546f79d5679dffab40
SHA122720241347f698c586c4b258e12ad66c147048e
SHA25667978f827a5fe1411cddf65ad77a45502c9157db5b8b0df07a69ba0ed157d814
SHA5127ee3df6be9dd1888b35d2653f55b27655a07d1d8f9274c072c028202df1e94dabcdb9493a892196585aef923ad54788d899a9d2bee242d15c23bd6417a1fdcf9
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize
44KB
MD5f71a810c639b08f63db9e5cf1f77e265
SHA1726e92a0034c009c359a4a54cdce92b453265a31
SHA2566541cbc186762418731639c2ac6f9b8efbe96682c1df4e4a5a3f115c5bf4b0fd
SHA51247e304391703a332af19c62de910d3b84d5a9c5c36f6eab3715e6bcce3d4cf10b751b1324471d86327a847bd4aa64618cd68dcfc26cdbae45e56c9f02071b039
-
Filesize
264KB
MD5f2b2da705b34a6f67832bf71bf64df47
SHA1d9993059536f794d06727cd498c28253034fbdc7
SHA25612751337e5656b1711f8c453737ead7b14ed661de8ba39b235ffb92a715f1552
SHA512103e08bb11eb6308865b778c54bd4b5d2701c5c5836f90d59cf79132514e5b4c74aba9c9a5b6017fa533171228ad41e9bda72778ad97a1966ef1eaf92edae122
-
Filesize
11KB
MD5758eae4af9d020681d430df7a7e007db
SHA1707778a243fd97b35056c9629eef0c23ddd76767
SHA2562c11de4c720091c3722aebd857bf71771e35d8004675df869f84dee2f369dda0
SHA51205e67645c9b2f76ecf384c849af27557fc29d5a8ec16d57087bc90b25690c0794308922ca7373c1a6d9c8dc11568868c8efc466b9df045ef040118e7085a327b
-
Filesize
11KB
MD5a07592980f8b7e357b17f8be158c2571
SHA1810ea42cd88ef7f9452ac2c5c02af2eb8133b1bc
SHA256eb41f16918d696b6502e18369daa0dbea1eb608ef1f73a14667629c55c838532
SHA5126544ca7eb1e1a7376329530f392431bc5107d8f81bdd3e45ededd1a9df7786c5eb79826c3511a5d286cea81070a532aeb801d9677c776d0e7a3cf3e9c81332fd
-
Filesize
11KB
MD525933bf413df57f8b9813aa393967482
SHA1df0ec9f5ef64c5392afb5d9c97f1313693cff22b
SHA25654bb50db9344f712136963d479b6f4f256091dfcce61f3dff23ad2d4355849ce
SHA51219d8f287b963d4f86e1fb624d28e464824b6af472a3cb5bc8e91fbc23eda8f7c5222c6cc02cce75a79875f4a3b91e5d7d79c30acd9bd9fb01dc387ccb3e1b2a8
-
Filesize
11KB
MD5150415ca3d84964af65fa5c5a40dbe20
SHA1e2f66ed421b039cee3417b537096b49b9b83b7ed
SHA25680f6c67fdfdcf46e44241caafa449b0bdd5798e53d4bbdbb5f8973baaa18fe34
SHA51240db20f5a67bccd5b6d6e3760f3d7c71c182cf717c9ed5fcaf5bebe8af2f9c6ec6100b71fef43bfe3033163858c2767803412ac3331a207b3d007f3a2b9572d5
-
Filesize
11KB
MD562d9b9761cf7cb43142d8da242eb8041
SHA18ddc74bc4e3f22b08da944df57fb31fc09d05f44
SHA256f517b7f36f1c2c321f11a915a1f1db882889c1e193ccd763f9d840df2d3e0fff
SHA5128e9a6580be79cefc9bb178d3bf5f605c25c2534e4fa0a7c060b7cf4704143db094922b9735e395eda2867a720bd4921fcb256502e7b36b0f6b08c3ce7ce53ccb
-
Filesize
11KB
MD53cb42a11667c14a54d9a61193902b7a8
SHA1bca86442506d4b1696e2b9e3c825219b38784009
SHA2565c2cf456c00b700dfc8f90916631a2d695f7c7e2bc460b9aad0d4e892a8d8742
SHA51256821fad7aa1c35e8cdb410cd34d873388b4dc00e298b6f4d39b5ff5f37568fb8ec3729ebf2984e4e982dabcb97802095b1e47a00de28f584621b219bae9da27
-
Filesize
11KB
MD59548a5e33681973638a49b66dfe1b1bd
SHA1853c4e8012ad01deac235af96886d458569316d0
SHA256f347ff59198ff1ac1ae4724523d8f38225b730e7b5e37b34f2c0ce9d11adf0e8
SHA512ea52fe429f0e950662a0bdc095de08aec75fb8872c4971c1896b14458b73ea69d2d8efbadeb485f584597cbabccd6959ccce6a90500694fa8214a9a47fcbc4d0
-
Filesize
11KB
MD55a146b69d3c96683b4a4df51a7b55afd
SHA19a10212a7a94a3dd495d7276d8e78c065c04f8be
SHA256c52ff950b0b7e18331086d77230fda90b33dafdc891fa893d54611a510dbf35a
SHA5123f023ae5b3195f3dc8aa6d99ae3f23ee6a9c389f83d8d2dd5d96b216e3b85c1b5d4dd6fa7545864f0e126f5db690fb6fd88b18cfed29dd8568dd2030be4a51f9
-
Filesize
11KB
MD523e61922cdfaa11419dec177677edbe9
SHA12144428b0337b039a46d6b883b36ec579b9b4463
SHA25661541bff55edc91131464841d2a83b56becdbf84d074b07957185b29995f5c69
SHA512bbd24bae80aa0d94cae8246033fc3d61b13bcaee6d2f3edde3681547abf9f21d0f76173fc0524cf6a5a379a153d7a0cbd6adf14dbbef8df2db195d4d0eea124a
-
Filesize
11KB
MD5c14ac14b26c79282857a55a282d3f424
SHA13a32fb69fdc61c1f3e5d81677ed0f6fedeb44d0d
SHA2562181dfd96089a02bd91871baef775b37426f24bf760b4b14e7829fe2aa3546fd
SHA512922937ea8c60caafcd14ecfc8d7ecbffbad0023c812ad55282280b231d5b4d0df5604f30ebbb656bdf2d9561ade3e3158cf08592ce2969ee10b940dc86518d8c
-
Filesize
11KB
MD59708c5557004f7cb3eccc6fc4d94993a
SHA1e011d6f2acbbc418a96f41010012d9573aa0ef63
SHA256b075e32f85da2feca2e7aab3cef6e754b8f1236f33d8adeb6f830e22f509c725
SHA512eea04d5d7a78d2b958dc6a48be3d9a72066e17ca296d44b6b0610229b06c6d82405e1029624df3e42cce81444c853458f3714c3d83e7675e1adfbf77f9dfcc3b
-
Filesize
11KB
MD5e47baa312dbc5a273e3ca899f19a4ce8
SHA1472590ae88e5171c8ce0968e85ef1b58af005c01
SHA2569c3ab2a1d5682a138c10d54898590eec18e6c1dc4b6acbd70d467a02fb5f0beb
SHA5127e5abd7fd9ce5255b0db7b3fdecf146f99beef9acd34a7383d3d09cf69d9ae23c2adcf1bbcd6a4a45ec262d7a00197194e342f8288dae6ba03200d54a1a93f98
-
Filesize
11KB
MD54285b68fcd5680d308484a568970c4ac
SHA1891f950550d99aa396004c8465b21cd2781962e3
SHA256d52643d65e758b07bebb6b5d3058fa383f58c80721abed54fad5092bec0b3706
SHA512a2012ef58e1f90a77918a3aeeb9e936f0aa2ae64ba4c1b4330b0fbfc340fecbe7b7d96fdfe96c74d15caf1b867aa373de227ff6aa765a0d97cdffc94cf27b9a3
-
Filesize
28KB
MD5f7daac50dc2bd1cbe83edf75cd7cefb9
SHA1f494ebf4a16dec7acec4f4fef607d727293905d1
SHA256fdcd2168ba7782d412e65d06e179e87a4591156457f8cb6b9bda0c4ef7dafe6f
SHA512c879c5da98940ce6797186e8d32dcc69b39cbb93163a9de092fbc8aac5ef326daf0bf163784c56aba3e01249d667d2758c2a3ee32b553f0f17a4a70758cacafd
-
Filesize
28KB
MD5ec2ce4edeb60ab1f1d54b59f5c47ccb3
SHA131ec62d3d996ad8e272f9d4ede8b2a9de87a6066
SHA25682556525a41a379d25910e5a22b5e95a3ddbd722c0f7487612a92a0bdc9241b5
SHA5125403fbab27a80901ee70c03396d9a92d4f5a621bd27147ad208f6fd75fd60a9de25a819edaaa4c4e847c5a6b5021e15a049966f52381e53fd7426c4ec5577f8f
-
Filesize
28KB
MD5fe30a1ea62f6f046c6733560e4a298ee
SHA15a692fbca7bd9401d3d718f624e4fe6d247dc10f
SHA25637ccb6c6c60bfe3ef4889fb44a389b742a8e4e21cfe53227724532f883e8edb2
SHA512a81c69a0c3702175b781022ae008917396f2af909d2af905cb59ba927e55544e5a682fd302930a2fb01f61496fe89ffe697362b79ec09726a2e2d96bca0336b4
-
Filesize
14KB
MD5ac031dc74cac272ef0cd63b82b835e13
SHA12811476cecb44092b296a62b2a420f898a95d78b
SHA256d32df713d5c0bf01cbfef3a349b644eb16ceeef7d7da58ac293528167f5aff5a
SHA512c5942c0dff3f07777b631b0251526498f1f008b93ffbd5f8ca50baea28fa5e2b20333b7eb008642ac41987d38bcbb61042467c9180d29a8293a4be8d0703fbb1
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YUL4B0YX\www.bing[1].xml
Filesize17KB
MD53d7e69e883df0877e71977e9353b9cfe
SHA19f42076b441ab4bb301f1cb68afc4e1e9c03539a
SHA256c38899c01a995aecb0b2faebf388c89e7c812a3625c42f856aadcb4fecb92383
SHA5128bbf4e89498e6f32278181632ade9eeb142e560da91bb7b0b9a68ba64e3d4663304f64344fd291ed59c50ce5ff32e3ce1cf117b1608e86dee63fc647286619c3
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\YUL4B0YX\www.bing[1].xml
Filesize2KB
MD52ded6b3f5bb22af28d0709fda4dbe47b
SHA15ef5950509d965cf64aa646d6613a212cadb9436
SHA256af01a08fd142cc7169c98fae9aa9d0549e8e8a8fe29b007b2a66831ff1d260bd
SHA512a040a4d029b6ebc515be71ba130f307c6e1952ddc76c6c8b2cfed606efbbfcee762a12e2212108b91924cd53375e5e985e6d752291f40304e30df32779e8a30f
-
Filesize
257KB
MD560d3737a1f84758238483d865a3056dc
SHA117b13048c1db4e56120fed53abc4056ecb4c56ed
SHA2563436c29dec2c7f633f4766acaf334f6c395d70ea6180c0ea7c1610591d5d89b9
SHA512d34f42b59349f3be1ac39a57207f616a44f56a6c74157be8116fff5df75275928065065a89f10bd79849e58b14d1e5e0ea156be5996ff8ca4f5d854e107c96fe
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
C:\Users\Admin\AppData\Local\Temp\Temp1_DesktopPuzzle.zip\[email protected]
Filesize239KB
MD52f8f6e90ca211d7ef5f6cf3c995a40e7
SHA1f8940f280c81273b11a20d4bfb43715155f6e122
SHA2561f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6
SHA5122b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8
-
C:\Users\Admin\AppData\Local\Temp\Temp1_DesktopPuzzle.zip\[email protected]:Zone.Identifier
Filesize82B
MD5537feb917e25ff7e33db6c91c6ec8717
SHA1a21c7bc720892b24cc7fd2d977af79eff4eae726
SHA256cddcaccbb8c39190d9dee85549bee3e28f081277290447915586f3448f769a38
SHA51270c1379dcfbecb045f8f77241d8e62e40858865cefbd6bffcaf774c584bf6a573d05413d4d7b13f5719551b8910df835804144e01dc0b8b85dfce796e146cd34
-
C:\Users\Admin\AppData\Local\Temp\Temp1_FakeActivation.zip\[email protected]
Filesize396KB
MD513f4b868603cf0dd6c32702d1bd858c9
SHA1a595ab75e134f5616679be5f11deefdfaae1de15
SHA256cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7
SHA512e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24
-
C:\Users\Admin\AppData\Local\Temp\Temp1_FakeActivation.zip\[email protected]:Zone.Identifier
Filesize83B
MD53e2f255904b73797127ea9d236cf8cc4
SHA168e1f5f57b3d83b9b0e85083aed64cfe08621d27
SHA256748a7337beb099985aa4df4d5dfad20e9feb8d453700093549f606b509a96288
SHA512f47d894e1996a672570fa3057094ea13da68b7f63f6f1374c560d4a2ee72442fd9b8b86018de77b3ab17adc8b96b79e1b27d847838321179a21fb79cc5b928cd
-
Filesize
5.0MB
MD5929335d847f8265c0a8648dd6d593605
SHA10ff9acf1293ed8b313628269791d09e6413fca56
SHA2566613acb18cb8bf501fba619f04f8298e5e633cb220c450212bbc9dd2bef9538d
SHA5127c9a4d1bec430503cc355dc76955d341e001b06196d4b508cc35d64feb2e8ba30e824e7c3a11c27135d7d99801f45f62a5b558563b4c78f89f5d156a929063fd
-
Filesize
77B
MD541d55995d0bd51e578a5b6bc1133430c
SHA1e92c870fcc807d9a8a49f3ba6a2cd7d1bc31e4bb
SHA25611a76b4ac393a1b8ecd5be2b6d208054349b425173b8306d9d2ceed45121bf7a
SHA512f2a62d0bf3841ef7503bb051746014308ed751e085d7465ef0ff72f0a54502fd91f6cef3aa3f964721f2aecc943dd422398f661f286366eab646167181320d3f
-
Filesize
110KB
MD5ab648a0df4fe7a47fe9d980c545b065d
SHA1ce28ea7dd117289daf467467a592bc304c72d4e6
SHA256905a849721ec95ab08754aeee9a60b3ed435d36962466fcbe5cfca63dfc455cd
SHA5127ae99da55fbf1c31c5281e5f4e10ab2bc33b89effeee82b574eb4b60541c5ea2913d5d99836608873da372c78e75436ae7e535568f48d81cb9dd26d2cc1b3a8c
-
Filesize
3KB
MD5c92a1d4d0755c886dd137c6cab43c35e
SHA1fc16175e58ad1f67c57e7fdf55333fdd0e01d936
SHA2566ab1ee65e6c9c5e31fe3680fc92a2a0ae73f216e966f5582a2d9c265357238d4
SHA5120525880a1f4cc7dd912ca4006fe4bd02bf1218931fcb56489a0ec728a682fdf1ecd35e8797c665c63dc19d8236942d9b832a6a8c46e00df02afa2c65327dd9de
-
Filesize 2.5MB
MD5 62e5dbc52010c304c82ada0ac564eff9
SHA1 d911cb02fdaf79e7c35b863699d21ee7a0514116
SHA256 bd54ad7a25594dc823572d9b23a3490ff6b8b1742a75e368d110421ab08909b2
SHA512 b5d863ea38816c18f7778ef12ea4168ceb0dae67704c0d1d4a60b0237ca6e758c1dfc5c28d4fc9679b0159de25e56d5dfff8addacd7a9c52572674d90c424946
-
Filesize 612B
MD5 7f7a48e14d6f587bc2510c3b2c70748d
SHA1 b486f01f29741b19465e272c1411cb3820c457b7
SHA256 bb921c71c1231c37904da9e78f9d193311149cf8b7b0e368ab9370caa5751eab
SHA512 fd2894f315ead63c0fe7e3c80afbdbb9a86368018de6ca9b590af62a176511fe3175be52d0ff2abfd2c1b217715ca1bebc5d3cf49bf12099a20fb768cc96cfd9
-
Filesize 302B
MD5 72c0fcce0c92f6adfe3b678b6d4d271f
SHA1 492c9f222106c79a3be43fc0c96c6897b5bae2a1
SHA256 c4ab7d3d619308716afe7689bcedccbbd1b73055e7218b472f948e9078b1fa5b
SHA512 c8582ccf9a26cb084bb9739d52bf7afc269ed2dfe5a270a83c479f5ae617942ddd0168aa770d592682cfea2aa6997bc20296106667f72805dc7bb6dac9c183dc
-
Filesize 16B
MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms
Filesize 9KB
MD5 286b072e6f3da6c06aa7e6fa1973db4f
SHA1 936dafc9fcaf483b0da9388523f0077e65f95ac2
SHA256 02e9b75595c9f314033fcb95ce5cd7a3bb41d2775076f16ccd5025ff9d7c12d9
SHA512 0e1f24633d563e058af66d78aeeda941fccfa74824fc022f63052d0f100c02c93a9708b4d688b3ba6debbf379e4f135ebaab4062e55584031601b921812a30c5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize 7KB
MD5 d5986eb2674f35064d6c3fe3255f8ca9
SHA1 8038c01b2326b73b6d93293323634ca85bcf50bc
SHA256 75ccec3c3a64a8466c4743daba3cec94cb068ff635a48128abc969cd52ee79d2
SHA512 77c87a6f013ccbfb3bbca65186b8c9d8468d09c10255bf45f49234fdf1a9ff030fdfaacbaf0892d6ab1a24df4d4025f33dc0eb9d41a7aa7e34378b5e126dd7b8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize 7KB
MD5 9bc2a26360c9688be16b1e24ebcf275c
SHA1 e1de5e60c00acd04644a7250b7ed68e34553b326
SHA256 3bd4105e64075e7e25b9e54a0189cb614e199c99063693d29ea4d99f12fcbf57
SHA512 0b81b52f56e7dbb07f07f6427fbc99e5632049d94f147a978561ee83c0f165e5c10c235b4ff7ed91ede8f664dd487da90fbf987c2b00e6fbf1a9cec1fd5f7d8c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize 7KB
MD5 1cd3afc29897897912fd52097132a7a7
SHA1 61f5c4d453545e2a0dd234bc1022861cca61401f
SHA256 b35e98f5784923acd139ebe090ec1f69bdc46eec54f47894f8590ad6c3e7a22e
SHA512 0a8d5bae43f2b5c1a4837042934f1aab69cf4f18aa573cad74ab48b52b09cdf35ae830ca0a27e83b2f685829a6ea46ea90739a41773c4333c317798a15c98116
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 666B
MD5 d3dfbf154799404f78668c4b42549174
SHA1 f85dcd2fc5e6991583575a894a4967af38fc504e
SHA256 db22206174e788cacfeb6c1496e07bb74d47b89bb1624806f51a8448b5b2fa43
SHA512 3205c0f887a598e77452d997b702048bf41154b1304b0451cd2a58858924bc8c2492b66d9ab8dcfaf6f8dad6a46ee401c4f6374d8f18762224b32105b5a84689
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 1KB
MD5 c64199a342974957c76eb6246c2f2687
SHA1 82357963bd3d2373fc2e8013ccfae04eba047151
SHA256 d1120ef68449fa6e0c925c656d197dbbcf2601ab633ba90a41d14392dac32c13
SHA512 8fc6e0603c1011a7ec7f5003dc4db4a448bbcea480fe39cff28122523b2f416a0af15fcc33d3ac6d91a3791c01aa5ee6a39782a26ff771039fefcdf260953efb
-
Filesize 27KB
MD5 208a7f7f9da1dafc4412f2d2aaa09748
SHA1 6daa946d84889e057e5b8c810cfa07c5891cdf2e
SHA256 c72158ba9774a026c6246308541a55283ad1e4047403dbe4189dd0ce536a05bd
SHA512 4047708788c703779b75b7c188ac0b6e9594767c2cc5d0afbe93062761b76f6f4f0dcbd2d2cc846128c315553d4a6acfbd3b5b70e6b3d3580e5c8516cffc3cf7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Word\New%20Microsoft%20Word%20Document311259731662597954\New%20Microsoft%20Word%20Document((Autorecovered-311259733856190992)).asd
Filesize 27KB
MD5 8214c588f11a8b4427035d8eb6b48a1b
SHA1 0ec6dbe842d90c40cb29480bc77507a6b6a94223
SHA256 8aea567659384aece1f6275acf2ddd297f5d4023b2401a6dac15e1136c39aa61
SHA512 bedfd6f684563da8ee867fdd806e50b54810464c12b102d8c8727bb6f978480d9633dde27cc84fe2f95a7724b5ac06da609a54e7589ba487d877826c3def195e
-
Filesize 2KB
MD5 f5b00fd6913e2e1628f340b935ffeb72
SHA1 cd40173aa5c2395cecd8a85e6bc19bde8d057e0d
SHA256 b504442787e2b8109eb56fb652c9201ad833fac10a5c1a5a91899f27c9138d65
SHA512 1c76545f62be67b5ed316ecab7c797d4633a2c2cb54dfda3bd3e61a5e1f52b4b50d28378e8cec36608c895709ec9fe16517a9b46dacc96b4cdc9058e1972fe6b
-
Filesize 671KB
MD5 b6a1c3dee30ae984547a08ba85b1ffbc
SHA1 7d6b6f2d114ce86ed8c2814ad4c920b5051eb98f
SHA256 bd99aad600f97f7ae57f5f3b813b3d981d5b6d7c49e90a3b1216b3d5b4e4a51b
SHA512 5d0dfa99fdb2639603e4c2756b36ce4265d9641c486db0671ae2d3bace52c58ee77047d317fa5aeebbc389c5f6f3d410fe8a96bd86e877834978e72aafd185e2
-
Filesize 55B
MD5 0f98a5550abe0fb880568b1480c96a1c
SHA1 d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA256 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512 dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize 236KB
MD5 0575625e5ced1be9f4018c5afa456406
SHA1 70f86daa07564d318c2825e08e2f70e8bcbd7967
SHA256 37e612d9c4d2fdc46c132a1ebac107c720e45135f5c79956140f8d38a951332f
SHA512 992f17fe1348d9f4d5f3870302a268998194e8d59c1087b3474568434e8dd90aeefe57aff7d0caa91fcfe7239cf9e9f38094b3767ae9d9bb592c41942282088f
-
Filesize 121KB
MD5 6ec216cae1f0e898635d296bbb1a7539
SHA1 8725949a62c581e4c55d7338dcf3f67997840278
SHA256 431b9b7321f734a3f11b23e638199ff1f0d9abe9374ec299484d9e47f20b4ee2
SHA512 b619a5e8ccc0473d99453108085b1678a75dc816bbeb1d5301cd265ff8aee18e214d4e7b877d0d5d13921238d45581cb89021c4dbfb9ba2f3bddb4d4f297ddfe
-
Filesize 275KB
MD5 6db8a7da4e8dc527d445b7a37d02d5d6
SHA1 4fcc7cff8b49a834858d8c6016c3c6f109c9c794
SHA256 7cc43d4259f9dbe6806e1c067ebd1784eaaf56a026047d9380be944b71e5b984
SHA512 b1b4269da8a0648747c4eee7a26619b29d8d1182fe12446c780091fef205a7b5e6fb93c9b74c710cca5d2e69600579b9d470e31a32689ecc570d0c4bbe4fe718
-
Filesize 236KB
MD5 4c8bbc6463c293014ebc570d8df35403
SHA1 aee8b60bbd853603234a68905e268cc45152237b
SHA256 646b0a869c221a54fe1f311e8576bbf9c5ee6e1e4f4f15a327115cf7951ad395
SHA512 aaa15c109c4a7eacd9fac1520c16c8b2a9bdc93c9b6afd29b3145e3a74d34fd07502532f28d27edc2cd8e9384657371f82555e3dab1c2c0da956c69d463bb67d
-
Filesize 38KB
MD5 5968e8a8caa61b46ba347f8c521c1f2e
SHA1 88f9a7ce6e77d191c9a57ecf238ef5e9e9ba6c7c
SHA256 a181f8925c8c66614be38de89e6dc38cf85715379a10de8d9f9d70b04891ca35
SHA512 6b0659ff7a5548cd1b752a72a70b147d1c9676dce14148430961a7b5204d4e3a42de5530d423ebb879f8e5c72785a45e5b20bd40cbf93cfaefe981534e96cbe3
-
Filesize 341KB
MD5 34d9f50e01c3a96e38e1ec5b9396ed8e
SHA1 00ec780f782ba768139be42066b3f10597db49bd
SHA256 08d41c7805018926f91e2b0f306234b63a0a3ff63eb1021e5652ccc4725fd054
SHA512 fc797f279058aad12f57ead27fc1871b9e64aaa5e455c65107cdae1e3dbe573742fc822f70ad8dc66bd64f12d599393fed9a777e5f5266a7c8d617e404913ed3
-
Filesize 4.5MB
MD5 33968a33f7e098d31920c07e56c66de2
SHA1 9c684a0dadae9f940dd40d8d037faa6addf22ddb
SHA256 6364269dbdc73d638756c2078ecb1a39296ddd12b384d05121045f95d357d504
SHA512 76ccf5f90c57915674e02bc9291b1c8956567573100f3633e1e9f1eaa5dbe518d13b29a9f8759440b1132ed897ff5a880bef395281b22aaf56ad9424a0e5e69a
-
Filesize 26B
MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize 153KB
MD5 f33a4e991a11baf336a2324f700d874d
SHA1 9da1891a164f2fc0a88d0de1ba397585b455b0f4
SHA256 a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7
SHA512 edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20
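The dropped-file hashes above are only useful if something consumes them. The following is an added example, not part of the sandbox report and not code from the MalwareDatabase project: it parses entries in the layout this report uses (key and value on one line, or the value spilled onto the next line, blocks separated by a lone "-"), indexes every listed digest so a file can be matched on whichever algorithm is at hand, and decodes a Zone.Identifier stream like the one listed for the file extracted from FakeActivation.zip. The two entries embedded in REPORT_SAMPLE are copied from this report; the ZONE_ID_SAMPLE body is constructed, because the report records only that stream's size (83B) and hashes, not its contents, so it will not hash to the listed values.

```python
"""Added example (not from the sandbox report): IOC records from the
dropped-file list, hash matching against them, and Zone.Identifier decoding.
Assumed layout (not stated by the report): "Filesize83B" / "Filesize 83B",
a value may sit on the following line, blocks end with a lone "-",
an optional path line comes first. ZONE_ID_SAMPLE is constructed."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longer keys first so "SHA512"/"SHA256" are not cut down to "SHA1".
_KEY_RE = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5)\s*(.*)$")

# Two entries copied from the report above; the second has its Filesize
# value on the next line, exactly as the report renders it.
REPORT_SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\Temp1_FakeActivation.zip\[email protected]:Zone.Identifier
Filesize83B
MD53e2f255904b73797127ea9d236cf8cc4
SHA168e1f5f57b3d83b9b0e85083aed64cfe08621d27
SHA256748a7337beb099985aa4df4d5dfad20e9feb8d453700093549f606b509a96288
SHA512f47d894e1996a672570fa3057094ea13da68b7f63f6f1374c560d4a2ee72442fd9b8b86018de77b3ab17adc8b96b79e1b27d847838321179a21fb79cc5b928cd
-
Filesize
5.0MB
MD5929335d847f8265c0a8648dd6d593605
SHA10ff9acf1293ed8b313628269791d09e6413fca56
SHA2566613acb18cb8bf501fba619f04f8298e5e633cb220c450212bbc9dd2bef9538d
SHA5127c9a4d1bec430503cc355dc76955d341e001b06196d4b508cc35d64feb2e8ba30e824e7c3a11c27135d7d99801f45f62a5b558563b4c78f89f5d156a929063fd
-
"""

# Constructed Zone.Identifier body (the report lists only size and hashes).
# ZoneId=3 (Internet) is what makes SmartScreen and Protected View engage.
ZONE_ID_SAMPLE = (
    b"[ZoneTransfer]\r\nZoneId=3\r\n"
    b"ReferrerUrl=https://github.com/Endermanch/MalwareDatabase\r\n"
    b"HostUrl=https://example.invalid/FakeActivation.zip\r\n"
)


@dataclass
class DroppedFile:
    path: Optional[str] = None
    size: Optional[str] = None
    hashes: dict = field(default_factory=dict)


def _store(rec: DroppedFile, key: str, val: str) -> None:
    if key == "Filesize":
        rec.size = val
        return
    val = val.lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[key], val):
        raise ValueError(f"{key} value has wrong length or charset: {val!r}")
    rec.hashes[key] = val


def parse_report(text: str) -> list:
    """One DroppedFile per '-'-separated block; blocks without hashes are dropped."""
    files, cur, pending = [], DroppedFile(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur.hashes:
                files.append(cur)
            cur, pending = DroppedFile(), None
            continue
        if pending:                      # value that spilled onto its own line
            _store(cur, pending, line)
            pending = None
            continue
        m = _KEY_RE.match(line)
        if m is None:                    # anything else is the path line
            cur.path = line
        elif m.group(2):
            _store(cur, m.group(1), m.group(2))
        else:
            pending = m.group(1)
    if cur.hashes:
        files.append(cur)
    return files


def hash_bytes(data: bytes) -> dict:
    return {k: getattr(hashlib, k.lower())(data).hexdigest() for k in HASH_LEN}


def build_index(files: list) -> dict:
    """(algorithm, hex digest) -> record, so a lookup works with any one hash."""
    return {(k, h): f for f in files for k, h in f.hashes.items()}


def match(index: dict, data: bytes):
    """Strongest algorithm first: an MD5-only hit never outranks a SHA-512 hit."""
    digests = hash_bytes(data)
    for k in ("SHA512", "SHA256", "SHA1", "MD5"):
        rec = index.get((k, digests[k]))
        if rec is not None:
            return k, rec
    return None


def parse_zone_identifier(stream: bytes) -> dict:
    """Parse the INI-style [ZoneTransfer] stream NTFS keeps as <file>:Zone.Identifier."""
    fields, in_section = {}, False
    for line in stream.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            k, v = line.split("=", 1)
            fields[k.strip()] = v.strip()
    if "ZoneId" in fields:
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields


if __name__ == "__main__":
    iocs = parse_report(REPORT_SAMPLE)
    for f in iocs:
        print(f.size, f.path or "(no path recorded)", f.hashes["SHA256"])
    print("zone:", parse_zone_identifier(ZONE_ID_SAMPLE))
```

Two practical points. Pivot on SHA-256 (or SHA-512) when sharing or hunting these indicators; MD5 and SHA-1 are listed for compatibility with older tooling, and the lookup order in match reflects that. The Zone.Identifier entry tells you the dropped payload carried Mark-of-the-Web, which is what decides whether SmartScreen and Office Protected View engage when it is opened; the report shows the stream exists and its digests, but not the ZoneId or referrer inside it, so you would need the artifact itself to recover those.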