Analysis
max time kernel: 144s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 04-09-2024 00:07
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://samples.vx-underground.org/Archive/Builders/Pegasus%20Lime%20HVNC%20Builder.7z
Resource: win10v2004-20240802-en
General
Target: https://samples.vx-underground.org/Archive/Builders/Pegasus%20Lime%20HVNC%20Builder.7z
Malware Config
Signatures
Drops startup file (3 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe | crack.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crack.exe | crack.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk | crack.exe
Executes dropped EXE (5 IoCs)
Processes:
  pid | process
  1928 | crack.exe
  3384 | PEGASUS LIME HVNC.exe
  4940 | PEGASUS LIME HVNC.exe
  3724 | PEGASUS LIME HVNC.exe
  1180 | PEGASUS LIME HVNC.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  3384 | PEGASUS LIME HVNC.exe
  1180 | PEGASUS LIME HVNC.exe
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource | yara_rule
  behavioral1/memory/3384-14437-0x0000000000700000-0x000000000070C000-memory.dmp | agile_net
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\Downloads\\Pegasus Lime HVNC Builder\\crack.exe\" .." | crack.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PEGASUS LIME HVNC.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PEGASUS LIME HVNC.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PEGASUS LIME HVNC.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PEGASUS LIME HVNC.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings | OpenWith.exe
Suspicious behavior: EnumeratesProcesses (55 IoCs)
Processes:
  pid | process
  1536 | msedge.exe (2 entries)
  3144 | msedge.exe (2 entries)
  2628 | identity_helper.exe (2 entries)
  3484 | msedge.exe (2 entries)
  3456 | msedge.exe (2 entries)
  996 | msedge.exe (2 entries)
  3748 | taskmgr.exe (all remaining entries of the 55)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes:
  pid | process
  3144 | msedge.exe
  3144 | msedge.exe
  3144 | msedge.exe
  3144 | msedge.exe
  3144 | msedge.exe
  996 | msedge.exe
  996 | msedge.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
Processes:
  description | pid | process
  Token: SeRestorePrivilege | 2380 | 7zG.exe
  Token: 35 | 2380 | 7zG.exe
  Token: SeSecurityPrivilege | 2380 | 7zG.exe
  Token: SeSecurityPrivilege | 2380 | 7zG.exe
  Token: SeRestorePrivilege | 2696 | 7zG.exe
  Token: 35 | 2696 | 7zG.exe
  Token: SeSecurityPrivilege | 2696 | 7zG.exe
  Token: SeSecurityPrivilege | 2696 | 7zG.exe
  Token: SeDebugPrivilege | 3748 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 3748 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 3748 | taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
  pid | process
  3144 | msedge.exe (repeated entries)
  2380 | 7zG.exe
  2696 | 7zG.exe
  996 | msedge.exe (repeated entries; 64 IoCs in total)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
  pid | process
  3144 | msedge.exe (repeated entries)
  996 | msedge.exe (repeated entries)
  3748 | taskmgr.exe (repeated entries; 64 IoCs in total)
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid | process
  4556 | OpenWith.exe
  3384 | PEGASUS LIME HVNC.exe
  3384 | PEGASUS LIME HVNC.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description | pid | process | target process
  PID 3144 wrote to memory of 4160 | 3144 | msedge.exe | msedge.exe (2 entries)
  PID 3144 wrote to memory of 3260 | 3144 | msedge.exe | msedge.exe (repeated entries)
  PID 3144 wrote to memory of 1536 | 3144 | msedge.exe | msedge.exe (2 entries)
  PID 3144 wrote to memory of 2824 | 3144 | msedge.exe | msedge.exe (repeated entries; 64 IoCs in total)
Processes (tree depth in brackets; a [depth 2] entry is a child of the preceding [depth 1] entry)

[depth 1] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://samples.vx-underground.org/Archive/Builders/Pegasus%20Lime%20HVNC%20Builder.7z
  PID: 3144
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9023646f8,0x7ff902364708,0x7ff902364718
    PID: 4160

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,13059448125946489780,8687715364377287625,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
    PID: 3260

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,13059448125946489780,8687715364377287625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    PID: 1536
    - Suspicious behavior: EnumeratesProcesses

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,13059448125946489780,8687715364377287625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
    PID: 2824

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13059448125946489780,8687715364377287625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    PID: 1400

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13059448125946489780,8687715364377287625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    PID: 680

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,13059448125946489780,8687715364377287625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
    PID: 2312

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,13059448125946489780,8687715364377287625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
    PID: 2628
    - Suspicious behavior: EnumeratesProcesses

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,13059448125946489780,8687715364377287625,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4860 /prefetch:8
    PID: 1508

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13059448125946489780,8687715364377287625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
    PID: 3424

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,13059448125946489780,8687715364377287625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
    PID: 3484
    - Suspicious behavior: EnumeratesProcesses

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13059448125946489780,8687715364377287625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
    PID: 2064

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,13059448125946489780,8687715364377287625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
    PID: 2444

[depth 1] C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2912

[depth 1] C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2240

[depth 1] C:\Windows\system32\OpenWith.exe -Embedding
  PID: 4556
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

[depth 1] C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1292

[depth 1] "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap18899:110:7zEvent26449
  PID: 2380
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

[depth 1] "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Pegasus Lime HVNC Builder\" -an -ai#7zMap27767:156:7zEvent86
  PID: 2696
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

[depth 1] "C:\Users\Admin\Downloads\Pegasus Lime HVNC Builder\crack.exe"
  PID: 1928
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application

[depth 1] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.blackhatrussia.com/
  PID: 996
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9023646f8,0x7ff902364708,0x7ff902364718
    PID: 508

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,1197240597915074036,18393964520214588528,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    PID: 4616

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,1197240597915074036,18393964520214588528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
    PID: 3456
    - Suspicious behavior: EnumeratesProcesses

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,1197240597915074036,18393964520214588528,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
    PID: 2320

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1197240597915074036,18393964520214588528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    PID: 3284

  [depth 2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1197240597915074036,18393964520214588528,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    PID: 1532

[depth 1] C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4912

[depth 1] C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3996

[depth 1] "C:\Users\Admin\Downloads\Pegasus Lime HVNC Builder\PEGASUS LIME HVNC.exe"
  PID: 3384
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

[depth 1] "C:\Users\Admin\Downloads\Pegasus Lime HVNC Builder\PEGASUS LIME HVNC.exe"
  PID: 4940
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 1] "C:\Users\Admin\Downloads\Pegasus Lime HVNC Builder\PEGASUS LIME HVNC.exe"
  PID: 3724
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 1] "C:\Windows\system32\taskmgr.exe" /4
  PID: 3748
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage

[depth 1] "C:\Users\Admin\Downloads\Pegasus Lime HVNC Builder\PEGASUS LIME HVNC.exe"
  PID: 1180
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

Filesize: 1KB
MD5: 7ebe314bf617dc3e48b995a6c352740c
SHA1: 538f643b7b30f9231a3035c448607f767527a870
SHA256: 48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8
SHA512: 0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Filesize: 152B
MD5: f9664c896e19205022c094d725f820b6
SHA1: f8f1baf648df755ba64b412d512446baf88c0184
SHA256: 7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e
SHA512: 3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Filesize: 152B
MD5: 77893629f675314915eca336eb9cd114
SHA1: 0acb9ce1f06d6bd86173b619ba63092b3d907596
SHA256: 0bc3fc36a84395ee90999bdde15e97410e672f6cec07de4a38b80124b1ba74e2
SHA512: a887dacd7666dd273153abebe3ca0743c98ee63fc6263835e09545858e1fd5e17717396b3dabbb7d8e17996aed57b12934b89d3af80e90494b278ccd4c92f6b6

Filesize: 152B
MD5: 847d47008dbea51cb1732d54861ba9c9
SHA1: f2099242027dccb88d6f05760b57f7c89d926c0d
SHA256: 10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1
SHA512: bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Filesize: 44KB
MD5: 97b9d0934aac9ec7750c429886a3b2ec
SHA1: 51982c068fdc9bafc361f6d3fa99d234753ee825
SHA256: 30e6bf8542c65c5ab600cd1791857e6c431996188a5e160acbf49c4c8cc3a51e
SHA512: 6164c5f58c13df87524e070672651980e1521548a8ea23b1125139b8d18da3aea52f2f5136ec616b92f3d7d515ca1ac67d4518655223736dfe9b3062480a90b3

Filesize: 264KB
MD5: ededbc78f38744ad5b17550a98b73f53
SHA1: f154b3116e3fb87aa613c52140a5f1228b439559
SHA256: c47e765bd542b422b3f579d09b846405397b29a406bd54d6833891616b35e1cb
SHA512: 6ed318ed0c86c1cbd06c97e466b3c5c91d055b40640d134095b8bc7be23fd68a7a7c01a07bcfb79306a8dc20a12d60d7b3a1f4aa846d8199d5ac69d90fa164f5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 336B
MD5: fcc05ef150af47f00a45bcb2403f119b
SHA1: 84a639137d74cd896b97f993d1f7b40fd5e239d6
SHA256: 08e05d18312aef51f745605d3eea00fe5f707e367072e990cbb15c685556ca9d
SHA512: 5416c685aa8e8ef9d12bf3e41d6eeee633d93fa5cf873cec4c82bf0a72aedb3586c9c01737c040d394c9b3868001d7992f4efffc2cf3f2d82f40ef1602d18aec

Filesize: 322B
MD5: d0a3b9c55f4234942d087b13ba7bf4c4
SHA1: ff54c511c2042686ef5ad22557fc0b2223a4a338
SHA256: f542f8199fcb36c3f3c3494fc1ba6bf85784f70cf56477a4af212ea169009166
SHA512: cf7ca16bc6416d5b5b28aee43dc08c41444ead63a81c62ed52253e9eee002f0879fe6be5e9c8ab6772daf355e8f95445759853ae5385cb0238bbbada65cad0a9

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 124KB
MD5: 2be64591ca9bd45d6dd5aaf92763d66f
SHA1: 4309ab620c7aff105f8dd1cc90581fb65ed87bbb
SHA256: b34726463f8ce39a7552b1a42af64c0b7ec37fe2374b7645ccbccef92f15ff2a
SHA512: 951c3f4e9eb14d31d42a471e2b9960b01dccec57c83f2c6d567eec26555cb873ddc8e1a95109cc441e0e2fa44dafe211133f598ae78b7be653d549aed7966bb9

Filesize: 6B
MD5: a9851aa4c3c8af2d1bd8834201b2ba51
SHA1: fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256: e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA512: 41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Filesize: 28KB
MD5: ec9ade62d6fe51f2eae48d98f86829e6
SHA1: ffec92779cc36f4f6e1b45018680b6e77e932b09
SHA256: 90a781d8ecd5b8260e2c0f945ac2fe81d68f4782a1103cac77c5c7756ddf12b6
SHA512: 289c23705c9018e1463b24f8fb04603a65873343941772668c3597125504503371af74a91fc3ce4163162fa07511194cd63988eab72c8d4faef6113021b2f045

Filesize: 331B
MD5: f6fee13cc865dabf50b4d77ae8c077c5
SHA1: f7c765bddfc93580c5625fad0e325fc8be57d713
SHA256: 28f1f2a47c62f8967b03c847cd7c16a64165f02cfb5296ecf2a4d51378783836
SHA512: da3a96f35dc16574ec942dc04e0856d37ba582a29323e31d38534921e73dedbd2a2e77a8e03df541df3c30c4429fe5cee27a43759d1042197704996deb04d142

Filesize: 2KB
MD5: 49c175fefc2273d39f59b5267fe007c5
SHA1: 479d2637da58a004fc7a65a8e78a2cd6ef154c97
SHA256: 7d69e5eda347300d7381d24a8df88d64ea289240599da71365156d27555c88d3
SHA512: 220ca37809636747b6981b54df61550429ea371be1ad0b22fe463dc6a33c63ceecce0d9ac2d18756492c1bdd39342627f836d867ee929583479d177fe5de14ba

Filesize: 194B
MD5: c753a51b344f5e0b7614e6b335efce1a
SHA1: ecab6c44f7f65a04b594d3c1f5ccc151e1fbbea5
SHA256: b9be628c5d1925240917e40326ded59765a86dfc8580b59d2e51f9925f3fc494
SHA512: c579bb93537ef2b84bf17b99354eaf60da7719432451d916f15084675ab7fa9c5b24c8e370108b0fec1244d2a8ff44e1ace16fca9abf18c5a12f91f8801a68c5

Filesize: 5KB
MD5: c679ef0be3abb68a52651563a8dbcfcf
SHA1: e8dcbb375f3eb0a4b4a715a19152f9aba0c3d56b
SHA256: 1206464b8917fce0e7437ab1ec1655247ff42ae6dcff75a2a5b96b13ee5d9bee
SHA512: 85750b1995e97492fda674fcd3be30eee43ce10179eecdee6552a8697033d35bf22ec7772cc5e09d7423f9951427eab751b519df42a7f38afc8ebcbaf03e1e57

Filesize: 7KB
MD5: b546863aa343a618912ffeca83b3574e
SHA1: 7e7d15602ac333c54d42a299d2f6c0a3380da173
SHA256: 04be3dadafe64a05b00a5d9dfda37507c9946361fffb9ff2afab4a284124417b
SHA512: af0fd034c9072558f84512c956ad806fd5ed1aec614e4fd2c69a91195eaa982cbbf54e51f0d074420636a067a10415f9d1ceabc61972b57374ddec0b6d010ee1

Filesize: 6KB
MD5: a6cfa7e51181adced5dc0466ee2e1062
SHA1: 29bdd725f7e15c2c49d23896d922b7c1cf0e0dbd
SHA256: ac40e18c65eb709b41aa814299eeb2bc37acbf69fb4852420875b33610001a6e
SHA512: c92843ddd532a16c8401def12d91e57cd6efd56e88f099d3e7e36f9323a88cde6ac78481097536d150ecf0bb9e02c889d30ff1e3fe25c0ad6c38894bb08b8e97

Filesize: 6KB
MD5: 0b3dec781eaad93225e3a561ae5e4900
SHA1: 59246fc1fc6a2cd559aa4edccb2c1b9ae02eff6d
SHA256: d9663866ee2f7ffaa034a3940acfd959be1dad106af7aa53765093ac6ddd1678
SHA512: 44e56896f13650a83dfe3210c60debd86a0e2a1d9e347d6d828451c303c00788b6ac874e7680baba50ce83e70880e929ee28bd8b5da67a719cfabf6324c03b29

Filesize: 6KB
MD5: e2409038eb58b0cad9975ef2da70b565
SHA1: a2e5a5974275274a4cda311f4bc09394bc8c326f
SHA256: f680cbde072da37ed47c47ec4d3bf6ca3b133194ca363deea27df3253a93b7d7
SHA512: c06deb1fd1bb0c501e7a7e26cdc1ea697c06ad98b62ad6fbdb6dc59dadf947c6d72a221cc8d62cf2aa42b04e05494c58b6c9457de9412b86a0de7f13c0fbfb0d

Filesize: 175B
MD5: 6153ae3a389cfba4b2fe34025943ec59
SHA1: c5762dbae34261a19ec867ffea81551757373785
SHA256: 93c2b2b9ce1d2a2f28fac5aadc19c713b567df08eaeef4167b6543a1cd094a61
SHA512: f2367664799162966368c4a480df6eb4205522eaae32d861217ba8ed7cfabacbfbb0f7c66433ff6d31ec9638da66e727e04c2239d7c6a0d5fd3356230e09ab6c

Filesize: 319B
MD5: 8056ebcbc2db6348a18d4ae01966c275
SHA1: 41e4d367ac7c2827260ad5728f2e63e3cdb63541
SHA256: f095985cc833c5fe08eb35890a5aff287de50066a1e9895f796b20a6abce6f02
SHA512: ca94458e9b2a3ad3243fef3b3a9fadb7a215a61e2cb383a38f528d61268d42a05f7ff15555dd0523928df9526361e5dda16ee4ceff5c0cc3564970aa37d712b1

Filesize: 461B
MD5: 4e66b99c01db2a386c2d5c3da7787df4
SHA1: 198647df4aacbf7b14119cf882a5666541cde8fb
SHA256: d08e82379ec1e2c92de21e38fa9a0dc94d859a9e4b29885acfda0cb1fc597e07
SHA512: 236d94e2ec359221ec7ed51183101874c7c042449490a0d36944d647a080faef33fbfd205edea6a1e511040b44868ffc593ebb631fd07df5955e3e5d0d63a707

Filesize: 933B
MD5: ebecd86ad1ac8bd549a8ff5788f11890
SHA1: db6e13fa4d4e84a093bf5e2ca0773f95a069c38b
SHA256: aca71ca7fa596aa1670e4223c38add782b9fae969328348aed585a1471d9ffd8
SHA512: 5f659d16c04fd50802663356e3fda38a5e801faeeb0ab148ac48ca159aa5e6bfe390d9152250315eae854453c8f32d130a54ceaa72d428e9f92e19d78225dd49

Filesize: 347B
MD5: 75e8ab7bab70c4ccc4cb46f200b5e556
SHA1: f6a07554c212bfe3a04c14e04def8683d7da0529
SHA256: e51f6b51975d5c52473719e5372622f137f79789515296a62afe71841f37dca1
SHA512: e6c3a27685968a69590735fffec863bec671ed8e33c334c7e67f00dff7643071bc07493cbd26a8fd1adade806339c5f8fdea80152818d6e072f7bf0a84fce3b9

Filesize: 323B
MD5: 8c5b4c6ae09cdf003df23a8e62ada3d3
SHA1: d7069f53a63638d89da658137c49475af9bfa6d0
SHA256: 4d8508bb3fdb5a609547bf34e188e2808306077ab4accd64d81389c5d1803fb9
SHA512: f9200af0ab98c1b698c57027ce62f536ce4d66eab68ff2635c342376c598da2d4119a3aa9cbafe8567bb7595500891477c0d8dce56ed4beff274fb015177b4a0

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 44KB
MD5: 83148e3b11ddfcfd756cb26783eb042e
SHA1: 1ab53b5e19ace165933e45514478b3bd191abb72
SHA256: a8cde3a5b3f72c46c845e1c8a358f145cdad348f91c1c90f129490a5e2144a5e
SHA512: 3b37e0b29e631cdc3067a6145f98d3e962402e0437aa91ac90710a1c50451df04e891b61438bb69a59ae2f67f0064d00ea0aec85607006b3c7512ca3b30104b2
-
Filesize
9KB
MD5c47169ff605142a6b2532fd2f86e86ad
SHA1817816df21cb4f9fb048f1f08fa73abcf32e4c28
SHA256d7ea91d0b8679e297714e47f34b9e629ab3722b2d9b353b25970f93e6d4a545e
SHA512c51a3b0632834229755c55dab45805bdb87827c6ee97558a486df953f034f0f6d6612656c6219d4cd92c8198f3e37115812c6fa5524fc4ea0d12dc6487a70877
-
Filesize
322B
MD548faebe40ec767a53ebe89a510f84f36
SHA147ada68bf29297e0fe608787026fee9c0062f782
SHA256bda1d59d1829324b02bdb9d1c0866f638c48b59110a69e5f382fef92cdb83ef6
SHA51223c8ad96e98e5e3bf4ef348b702f7814e729a49bbf93f936b836baac74ed5f82542cb9b553fabf353e8f3fde8b32f12586e189471dca83a9954892aaa273830e
-
Filesize
594B
MD55f36c4b6b1dd774c45207811acc65e97
SHA1dfa6eace8e7a1d08100001e63d690541a9437a4b
SHA256edf86f4fc3163b2930ab3eb124751fd6d8d3ea06ad1dfa04b1c26cc60c69a819
SHA512763941a272366cda216468141e097209e7154329f36ad97cf381e7ab0226de5671a0aa73b37c4bae980201b6cada1b5622537c713b6e704ba486442d4fb84afd
-
Filesize
340B
MD57f573bbb01b63cd3c86f426c6a1b47be
SHA139cd6eefdfba7cb0ff5d023e38e682783a43864b
SHA256f85445f5abbefff75660b7258a37e943e2a5bfa8e9039f520a39e943ccc7baa4
SHA51258616f2f79696cc16520dc92279387ea0155170f07bfb7e3d7895fab99779c639fd8b6b15af3566647c933fd9343218cb0d3432e2e2c7b4b9424b318ecc1483b
-
Filesize
44KB
MD5c2135f9c970fdd2caf0b1b3d565414c0
SHA13cd39675c7bf4bdbffb29e2d371cfab28b25c315
SHA2563ce50f8d3833195f3586ececc6fa9d7587a442806d3b182dc03e7a7f587b6310
SHA5123894a29730354808045e863e13c70bd00ec6d147e255f6e3b102afeb9c5a33daeb8f7bc7f50882ba110ac30c0e2ebd88e1514b3c650cf7f520fd362fda4f1876
-
Filesize
264KB
MD5d6b0ffd078c68c3e8fb9b520d6bbeef1
SHA10ef5f5a5f04ae0a556d4ce725126f9f7a1a860be
SHA256e85b23949bbb19f7017be6216f5fcded4e0f176ecbc5dd63f1c2194e98be8c01
SHA512cae27ea28026749c4f828b0a38f8c2550589cebf851d0f5357f766ac57d2a7c874bb99aea6ab88ca0078bcb52dceab8db5eaf8fa047847cb390039338e1a7aae
-
Filesize
4.0MB
MD55c6bee1d2da31697cfeb1f2e9209b4c0
SHA1b4215facc20e3d0b7a887a4c81223c40510fee1d
SHA256d6fbe90111c6b9148c898ce33561dc27de880ae17b6a8d7b8a50fafef129e6c4
SHA5125a1bbd8a5f66275b1c0dd03c21d0fb1560e702cd9f586d71d80d422cfa86fdaca5c8069b4c48d05c0047a5d01b45d0065dcbe29c6e7bb08f3332cf6b51d5a848
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
10KB
MD509aafbfbbb9ff9da26cce826bf142562
SHA14baf19598a28960ad5d2a3e7e78e09429db535a8
SHA256382c88cea24479c03b7618e5a39350b4b0ef6fdaf4a3b0541ebd40ebf079dcc7
SHA512c0272afb84710d52cae13ab9bdfa946ba3b08e66f1b35e122bc5554d6ebbccabf1068e4b9201930afcf90d202f18dfa84be3e37f083847c09dd239b443acebc0
-
Filesize
10KB
MD53b060cf10efc49aa9e5c0c26c146e02b
SHA1b6faa8fa44b27e295106959fee08b196a3e0e529
SHA256147b8fd5f3632fddc059bc32fcb54fed7b62b1a0e7c5616322fade8eabedd107
SHA512be6415c2c4f8baaf84b823964ee34312caacc4313ca4e0418dc325e3dbc0c83e8ccaa0864f6ba08fb307925e0c75b2045f1ee95ba34e6195c5bd9d3ed0e38a18
-
Filesize
4B
MD560bb6268824fc5b71e33c0090f65726c
SHA1ea47f392afb796d5328d41562a26a8df9dba8a1a
SHA2560d98daf3244d6d2c2a56530bf86da3b30c8d807b25de2579178620bee43ab6c7
SHA512989cc59335b070b9cb8920c78738feb063258ef4034c97a4c58bd719f43851cde6a14de0c152fb148920e0feeefc1674606993641a60f7300c2d7ce6ccc5b8d8
-
Filesize
10KB
MD5eb2672b8018195a7e71390a42a5e5d57
SHA19d95aa716c3758a7901a0b6d6ce0143dad0a61af
SHA2560efefa6cc89b487fe0e96c18e5d181f0ee117fdfa0555013ab85f6486da57adb
SHA5123261534bd37e816f216d56de957e723c5f7cb2e520b6b93380fc681fa0f07fd9bcee10e2cc27f4a078d54a1378c29014a8d8224c50674cf61bc5e3d1b808f971
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize4KB
MD5c817ee3e05bb890f06f0d60b0ee8967f
SHA102e9082bf75cec9010952bd837767ffe5ceea9a5
SHA256cb689b9d166ba56a2f45831a652ae3e094b21c631dd280e3d48f9fba687ee045
SHA51284608cba39316972c072db3180986702d353bf1e80fde12e68c989c343fb35157ec467cb4387dc2041be316f4dcc4ab6a69dd0357f0b5196cfe4c169bd11d63d
-
Filesize
94KB
MD514ff402962ad21b78ae0b4c43cd1f194
SHA1f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
Filesize
1KB
MD5ea2cb56d80dc044f06509855af87518f
SHA1ff0ecb164dee25c5da81ba1b991f8a49ba66fcb2
SHA256761e12b5bf8888d753fda86935cdb251fb46239776f738ca3ac942e200b910bb
SHA512b2b775270a283879d1784be36dfd39c171ba7d50100dc683013bee6224d5c1fc82d79ff6b15738936c14f1c7208dd60c10f1f9db2e5ddc4f08b13bf4ebc5f14a
-
Filesize
38KB
MD5b5086eebe0a0a878807a677aeb4fc4f6
SHA1313913645d57696233293197c9e5cff932535e6e
SHA25669029912f948d6bd6c3084ca34885cdeef97190865f6838c9a928fad56b3f958
SHA5121a6e732b0cbd0b89b8b7fe4472d76df46f44d757b550526e88d9c3c01170332d3ef20304a8106cfb47923e466b6dfe6ffdc4b77350c4394ea9ebb72100e0787b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e