Resubmissions
09-09-2024 23:31
240909-3h687sxfqg 1009-09-2024 23:24
240909-3dy22avhrp 809-09-2024 01:57
240909-cdp61syfnf 10Analysis
-
max time kernel
653s -
max time network
653s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
09-09-2024 23:31
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Extracted
lokibot
http://blesblochem.com/two/gates1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
CryptoLocker
Ransomware family with multiple variants.
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Drops startup file 1 IoCs
-
Executes dropped EXE 27 IoCs
-
Loads dropped DLL 2 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 7 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 12 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 7 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 29 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffbb0f3cb8,0x7fffbb0f3cc8,0x7fffbb0f3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2420 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2884 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3264 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6408 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5940 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6152 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5332 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1236 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1284 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6304 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6544 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3676 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6452 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5088 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6504 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6636 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\WinNuke.98.exe"C:\Users\Admin\Downloads\WinNuke.98.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\ArcticBomb.exe"C:\Users\Admin\Downloads\ArcticBomb.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1616 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Lokibot.exe"C:\Users\Admin\Downloads\Lokibot.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1736 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6628 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\butterflyondesktop.exe"C:\Users\Admin\Downloads\butterflyondesktop.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-DHK2K.tmp\butterflyondesktop.tmp"C:\Users\Admin\AppData\Local\Temp\is-DHK2K.tmp\butterflyondesktop.tmp" /SL5="$B0108,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fffbb0f3cb8,0x7fffbb0f3cc8,0x7fffbb0f3cd85⤵
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1020 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:12⤵
-
-
C:\Users\Admin\Downloads\DanaBot.exe"C:\Users\Admin\Downloads\DanaBot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 2963⤵
- Program crash
-
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 153⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1728351467 && exit"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1728351467 && exit"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:58:004⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:58:005⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\6AAA.tmp"C:\Windows\6AAA.tmp" \\.\pipe\{295FA75B-B637-474F-896F-3793F200D102}4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\Downloads\CryptoLocker.exe"C:\Users\Admin\Downloads\CryptoLocker.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000002384⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\CryptoWall.exe"C:\Users\Admin\Downloads\CryptoWall.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\syswow64\explorer.exe"3⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\svchost.exe-k netsvcs4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\Downloads\NoMoreRansom.exe"C:\Users\Admin\Downloads\NoMoreRansom.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7000 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,15237624222841501420,15851404629101019250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 12003⤵
- Program crash
-
-
-
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 12083⤵
- Program crash
-
-
-
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 12003⤵
- Program crash
-
-
-
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 12003⤵
- Program crash
-
-
-
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 12003⤵
- Program crash
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2596 -ip 25961⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 12282⤵
- Program crash
-
-
C:\Users\Admin\Downloads\NoMoreRansom.exe"C:\Users\Admin\Downloads\NoMoreRansom.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\butterflyondesktop.exe"C:\Users\Admin\Downloads\butterflyondesktop.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-G8IPC.tmp\butterflyondesktop.tmp"C:\Users\Admin\AppData\Local\Temp\is-G8IPC.tmp\butterflyondesktop.tmp" /SL5="$14025A,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x7c,0x10c,0x7fffbb0f3cb8,0x7fffbb0f3cc8,0x7fffbb0f3cd84⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD581aab57e0ef37ddff02d0106ced6b91e
SHA16e3895b350ef1545902bd23e7162dfce4c64e029
SHA256a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287
SHA512a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717
-
Filesize
698KB
MD51fee4db19d9f5af7834ec556311e69dd
SHA1ff779b9a3515b5a85ab27198939c58c0ad08da70
SHA2563d550c908d5a8de143c5cd5f4fe431528cd5fa20b77f4605a9b8ca063e83fc36
SHA512306652c0c4739fce284e9740397e4c8924cd31b6e294c18dd42536d6e00ad8d4c93d9642fe2408f54273d046f04f154f25948936930dd9c81255f3726f31ee65
-
Filesize
5B
MD55bfa51f3a417b98e7443eca90fc94703
SHA18c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA5124cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
Filesize
152B
MD59af507866fb23dace6259791c377531f
SHA15a5914fc48341ac112bfcd71b946fc0b2619f933
SHA2565fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f
SHA512c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7
-
Filesize
152B
MD5b0177afa818e013394b36a04cb111278
SHA1dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5
SHA256ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d
SHA512d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db
-
Filesize
2KB
MD58a2031d6490e714dd90347e6955a94e4
SHA14163d043a74fa3ef808070853395831fed5283fa
SHA2569b6717e4bd6429d65da1411dc87141db7052d5c7fffbf54fe5abc89fbcb83e73
SHA5122e24d808e8ee434b4beb72d471719ea80539f7336212d846b4796c57f92ddbb659368266b534b4919a167ab131b3a83f9b17ec48d004ee413a0e1b5988e62748
-
Filesize
2KB
MD5a7e2cffe5a773771b75df860a6a06d83
SHA181c8623059909dc75a7b70ea2369e6202a44bc73
SHA2564dd7449cd0b2e04abbf9254594c95f89b8d6acbc8beccd034efacc2e640296e1
SHA5125e6f76695173d66fcbbb61f5772caedee095cec55a2030b1d26b5313d5a3f43187bff5ab82934f6e6574523b047d13686dd77d55654fe2c3be27b36c2852972e
-
Filesize
2KB
MD50c86099b1e8a83b7c2186c499cf7fa4c
SHA18d7b687c3efdc934eb8bcb53386885c9a9a0f0dc
SHA256339194094f9bb2ee828b59035c8329497d937b56105ed959205d1c560af82328
SHA51237f0f4661db29b3b154a433d9eedc292cbc5f5b335de61cf45d15d28b7d7fc3bd0613065e3ba4c8c721927c2be5747d200d965e93b5319016f9fcb20ec71847a
-
Filesize
2KB
MD595c66c47b073b647feb4ac0a690ad3b7
SHA1b85114e08380af11cf9eaad0cade755a26321b5a
SHA256e17d0637281aaaae139bc26160826c9c04633556a609dc305db812a0ee722c79
SHA5123e93c0947fa9ab652af0043647f1eec21ad25046e6799365c737c14635079767202455cf0c5d513eff627421cebd5b0724c3def32c79fa4de454bde215a6b2b5
-
Filesize
1KB
MD5e3e6f6decde410e6da5dd1f0c72ed4f8
SHA198173b65e8a8348a87322535b8957f35e31d0b49
SHA256dc332cb4d1c02c0f0829c204d814b191e80822996f3b185e2f1d631686df5c39
SHA51273f1729ac13c8dcb17b7dfd3f52a2e84fefe59bc7dc99ec817de22d6f846170f8bfc0983c57e2d4d767c1a6549f2c6a405c85836a90dafdbd48086ba0caa012c
-
Filesize
579B
MD529dbb11c0b2255b403b05838cfd128ee
SHA1dffc222e03016bd805d6968cba48203d4bf565c5
SHA2567dd7b2453640f19f7d012cf0d4e4313169c33a06dbdca272a1ce0b81f6907bb3
SHA512e05bf50f22768d00794166a57ba101daf4b47d65544e3ec217cb7417c47d8c470fa1d2ebc3ea2ba21b3921ba77162dff0f305ba9d92b1d1e26d27b54082039ef
-
Filesize
579B
MD5c99df8bd4d64711b33650a51af41e851
SHA157b4e572de8c38c68ecbcc5d75bb23f5fa41df80
SHA256905a73ac7f50a243319f8e2148890ec159e9f2897b46d4961672fd428f7f89c1
SHA5120d7f95a5b1cb99c1bf8e548473a7cbdc36e12d671cce2646ea543b615dca68b60d5f66375523cd0c84f9b3229e5f39236dcec365b0e79363ff1deb37552e180b
-
Filesize
736B
MD523788b99ba2164d9c8c097d23b600603
SHA17c4a8d51d4210989f118aadb4f1e99602223c527
SHA2568dbfb2db2326e31f224373df7bd9984fea7dd8308aae1471f96bbd1256e7a7f0
SHA51284499b194384c9dad978254dece1ed91776150335330c482d194ec4ccad0ef971802f750e97479a12c40f5fd065ef086331dca243958bf5e29ddeb7dbdedeca9
-
Filesize
736B
MD54c2e3b0f368f2df10ea9f3a12433f616
SHA103a564d31866704128d45f45304226477d819a1b
SHA256151eed423192d27e152e63b15825ce5326c5b02f50e53f291491e0dfb53fd480
SHA512e1c3f983c3f816d35d6e75e27b35b0a6781d2a609dff61152e839b3c78d610e1705a8177b1a1e41f221ac6dd225b8127111fe9b88f6854cb5c50b10e6645e262
-
Filesize
5KB
MD55d746afd2fa09a247b6dd9f93674b1d6
SHA15be411c13aec84535c4ae11b478884d85f35c4d6
SHA256b115d7d06c85259ecc04dd4a5d36f7383fa03c15bccf18df4262ef3c4abdccd6
SHA512c66e27cc2b2af6fba389f01fa262485c75c372081ceca7863eae1870e36df276a30238942fdb068e3b4efc207350d7c55190750a1c6425e652046d12bb319918
-
Filesize
6KB
MD51f6c827da769d26bf8e35a214b5c8f74
SHA1dc3874e53ec84d1ee67a67056dd88b3cafc4a694
SHA2564c3df94fadc4c52258a213d08132a6df2dd94ec0a773361c93467e319f218567
SHA512c94e4d92ba708ed4c4db2db9e9f167f27b9f61c69689eab8dfbbc704bb966b31a38d0f5788ff8931f24ced1d22fe441170c8f3179699d46bb2e80589157de5b5
-
Filesize
6KB
MD5aba0c235fda57f9a419b8fa19ff47a08
SHA106fe6ba790a0899b908791b132b4a02429c49991
SHA25611ac0153d4390982005893ea8278753df4502172589875d16a12d5e702c1719b
SHA512fb601e18486b8e3a9f6ef6e3acf86d53217f14479d540ab6e85911810029c64c80f39b76e4995debe4277c9aa932ac8129170d5055442bcbbaf9bc6f089a8fec
-
Filesize
6KB
MD5d1d5786e6da2877f115104bdd3d2981f
SHA1712d61449aba40bf0b02ebb41eb09c9354e2b4bd
SHA2567ae4114e6aea663d8d50f74df86e0d10d7d27f0a6b1146d759f89692a14dfd54
SHA512a63ce60df402addcc8511e13e56fabec8aaa659cba8d18f5735272924922be3d63eac674ad5ec75661d0e524d5e53ab5c26d7b491ae5f978afc1f11b7f8eec6d
-
Filesize
6KB
MD5b58eca68bbd0f3da3bc5383070689c79
SHA1985e87ac457ed37df45a4b69e96a4eda389c08a5
SHA256db6e34327e6b450957ba63b40611e08eb0a113f4df787f5dd31b5856127471c0
SHA512a48f843c3fc470df113020ca1f01d55f48642e77aeb67d51503749e97c172546e021e8d9e596142d57ead645618bb411696ef835c5ae2bd9a801596944f3e535
-
Filesize
7KB
MD5084390c72a20588c3b5c045320843018
SHA1e2dce2d6d97d4ec36eb2b1730ea6ad74854ac380
SHA256eef40e8f7c60630334737cd851985c0dc343b533e4dd8ef53a96c8228799a597
SHA5121fff3d7fb23eb7b6f49324d44889f86becbbaabe0a33c0fffa67d28e635d16567e5afabcb365413eebfd9978765667b9333b794209dc92c129a3e45db31c9729
-
Filesize
874B
MD50027e3bd8ab04ae57cca25a0a56f919d
SHA10284c759be4e5f9aae2e08841e4d18d607e67466
SHA256e31302523f8509c0c9b3f54301fd971aba7473722a07da705eed2b2add74ef79
SHA512b27af3533a9774d93dd5468da00f0f7356530c1881a0502fa25fcd308695713893808886209a2ad441f49e20d13cbe55dd9f73f1732f6ce42d01b88f53cc05d6
-
Filesize
1KB
MD5261b449fa515635d5dc24ccd99e65c9e
SHA18e62d2603d8b3010434e2b2d6554703494a3702e
SHA25634bef333e0c542312848933bc381f58f592770ae33df698bb37bdad17b9901d8
SHA512cce36fb3f4fbad0994a92d89fc8a9f184e3983f7a6bf480803cf71e925bb541ddc4403c9d8124c54a4c0df810b9abc923cb4b47306f90a84a1214b9b186c3bd1
-
Filesize
1KB
MD557b2cb2ea0fd6e9c3f1ad2129024b889
SHA1a68915d64fbefd519ed5dc6f646a7cc7b8a35a2e
SHA256fc70d139c4d33d076ac0a438704881613f775174a237e696e81934285f8a8537
SHA51277db843a6674d9bfb552f3360f37e818a5a05087c31fee53f68175061e383d8dbb51eafe5267ccc999a1c1fd4306325b6284288e55fc5d873b5d244bb9c3f49e
-
Filesize
1KB
MD580109e1f8510f540115d90d42e67f866
SHA1184d2f20a17ce0aa761e70e9aca3ca75fb334a8b
SHA256edd27f59226e5e01ecfa3ac0cc470dcf798f2d9338736a310d30419895a7f599
SHA51285d80ba9c8e2e3900c77546e9cde942677f078ab358d249fe8941f28e6f823f32f39956cfd2f687a424396bb55929c3c1b778674776a00b20323f2e21b01fe1d
-
Filesize
1KB
MD5de561ce7d66ee02dba1942619a157d55
SHA19ef43cd47ed460d39ea2d1ef4289bd2977db9a08
SHA2562333d52af9caefdb7b7ccc7d291629a8b395851be22b53d14538dc91d06e76a3
SHA512c623722756def9911ed08ab38d4ddfca63cc750c2b1c0a62c1f67fbeb27cedc4a35a2754504c58be42274ee211ee10927a874523d15d841bf7a479b730e82f57
-
Filesize
1KB
MD57079a16d93dbac5792ecbe8d8fd7c1d4
SHA13e6118bbeba622a4e63e2b7b285d42c32711c14c
SHA2568d6854c20e3add9639aa2937e8b16223e7a4996c345516ce2ab4c93a26b08e5d
SHA5122e214cc798bdf64ae7d480cfd9f92fbf2c160738324bd6490f61bc867a4c4b7805dba292e3365b7c8577fbd7fb3ee7302e94b0db895725048a1ccc58ecd03396
-
Filesize
1KB
MD52b947b8975c3199fa5b93b88b257345f
SHA1feb72a47e0d072758e9fe8113dffa45e417c51c4
SHA2560d0aeb777ab66a99a6324e70b695248b3a7f214c61a272458b3c1cedba464b68
SHA5122e9bbb2501351b9dfe7c2ae6a4d282e27bb6d249864d30bd13fa24549c2a3aeedc2a1f5bbd6243a41e7c79bc63b915425e876060ddcdf0b074449de7575e4246
-
Filesize
1KB
MD524aa8ba243763c42ef3fc61d2be49e5c
SHA1bf791a58c7f4178b4dca7651920c11350a9446e5
SHA2566db0042d2e30c26715a838f42b66a81ca1d88f6a7b10fa9f8de3eb3004f98fef
SHA51238dba7eb263b683f86d205128c3ac83346def406779e9ea720176d7de0a1d0a49eac3bacca447c40a31a711b9da4b55e614630441b337e54260f18a6baa33e70
-
Filesize
1KB
MD59add672bdb7e10b42789ad4e053d4f56
SHA17ab9a6fc30b35b8199f7bad325df62b8eae3bb69
SHA256b0837ea191bd6ba03eaeac473704af708815d31d97a38c6ed500ca90070ea654
SHA512df96be43dc75e9b183948e661a632f9aa1b4769d479a17be5dca93f4db27a7807c10d92cdad8b2acf3d51b96dc66a7937e0edaedfac04fd9ea4ad9910a587df3
-
Filesize
1KB
MD5ed357b102c9431bce60a64df4942f607
SHA178f66ae8ca81dcae29602a423d0670ff97cb1de7
SHA2568ceb4bb4e4c264b1e626750a5e29fe189a393f9044cbd091419bebfc53df2186
SHA5122932f3ed8b922d336e6034fe60f8de13823a20d58ce350af22d19ecc7486cee779576fba9ff7d03371e4a313d90faa03a838035522b6150aa1fc93c26b24a150
-
Filesize
1KB
MD5e5b191e210a982fa7ba56b324ab1ccf9
SHA1608143632ac286203cb7eb025de22d5c50ff972d
SHA256d6bb627ea6ac5df7bb66c298136e6d41ad028b019f0fd7177bc740f0b67e631f
SHA5129b5c2ede049c806ccb5dad871eff22fc1d175dd2bb881377e732dd60a18cac74c920720ac315a80f02a91ac26c99a6dbaca110d49ce88ef8e629975cbd5607b5
-
Filesize
1KB
MD525e89f3acb43906b8a15e7230a3ac097
SHA18330f2cf1935dd7bec2cddfa5be11026b4c44257
SHA256ec13f40642dc28db2007cd3de950f0d147e0903d70b8b4285ba711ddd0e77e99
SHA512bf282ae8e53c332c4163285a165c28097e89c12d2d5bcf428c01c3bd55b9c99fd44c3b5e3b572f0841311ab106281cffae4a6073167ab79bb008ec7589cdbb3e
-
Filesize
1KB
MD5e2960ab62a310528b645557921790e06
SHA1f0e13b49c331df69e3371177ca5cc37cda99bb9c
SHA2567ae1cf5a66e8aaa834c1c4f6d9567b0a9b11787e713b48a00e6004572330caa7
SHA5127a00fc0a39b8245bb96d2bc48723ae3c45343502dfe90228b8b9d8420871cc5694b28b30b93f14a8a71d2aaf68e06412d4fcf03f9206389bb4d13830c34273fd
-
Filesize
1KB
MD5802169736c86ac94a1cded59669e4265
SHA1480ca1bb9844b9d9ff6b11c3f26e2382b81656ee
SHA256e29445ed59b355ee25ecaeb8ab6ff07e08d67f7a98a6942873f2daf0bacb2e9f
SHA51264ab28190c240a294673a8a493f2b2de1604acaff87d2bb1b9d89de4f3d14952efd9591f12077dcd8ff6e0d5ff8c44ccea611e3dcf594b4741ea88ec135ee70e
-
Filesize
1KB
MD5a11b063588593d1a735f65d3bb354c22
SHA19322067c181f3efb5c87843730cdcb66678f4750
SHA25647d55f74bd374edbbba7f05be0e032df310d9c23521053c87f07850ad91bb02c
SHA512515cdf69b6b07b30eaf2be81866b9f37df83f4aa2e5af9399aa31cacd585a32d2cd66a0a4c153d8f6d5c0fa947af597e03a4f0a830a0f069a69d09080ece46f5
-
Filesize
1KB
MD50453e7a8fa2719c13405033ee43223e3
SHA181c4fe8eb6eca91d87269fa6bce9240c5e7ae2dd
SHA256084cbb4083288b700913db2be994388823845d434e98df5b75802a518cc85d21
SHA5128da30af3f3d552db158fec471116b133305e13df0f51135cbb841a328cdcd73a8292f87cd789b63638838be804d7e199257054c42d0c276c4979b8ddcbdec296
-
Filesize
1KB
MD5cf8348665f2342d596c00ec54eb98abb
SHA1fd7dc7bfe0d731708dd9d1448fde889168a7dc21
SHA256fcd8c9ecbe167b77dd58bf90acf321e869a532ffcf196ffba7e97405cad9b8f8
SHA51290551e9a29e18394b13aad2c657378fb3a53c505fbe0c88ef8da2bd142329001a333cf9b751cb1ef75e44814af73a6620bd265e361e09dab5d4f90f8c34b86dd
-
Filesize
1KB
MD5b7496e58e15c09d2046c5ec2f61ab075
SHA195384ed66da9fab4aafbe5c1aa6f632c0c879c09
SHA25649ec95f9deeba5c44a1f622f65493a505a21343548ec92043839e42a7bd5a16b
SHA51277fd0c59e621984f9e553f95f82fe293452fbd5830253295cdb4be421b1182f188ebf928ace280377d964f3d343858992db7e24595a939b1de6b0c43878f05a2
-
Filesize
1KB
MD5b436a24cd914ebfb2eab02cfc26d0889
SHA16dd9b999b77c8fa72f1d35f0b2f5b07e5340f2d6
SHA256f9ba5f44574b9a25cd91948698a382bcaa465f8f81f23df797043ecb541abfbf
SHA512836f14d5ff8c9df89d81287f0c3e32a33a6d06d24121927903b44bbb155c82dd0dbf87be14a9d881d877faf9f1a463faf599926816cbf2bb16a6961e5262a675
-
Filesize
1KB
MD577135624d4fe44d2e96531315b16c79b
SHA1b204a2cece43f2ecc4c37ae6ffce149fad408e36
SHA256112599f34dcc9f9250173e81899437199b0b237b3e7c0566447fa50e376dde98
SHA5126aaebdec31f43d925a94ccec3524064cdc407e3af27c5bc651be23e4ce7c97de0f07434dd2ff888438ff898079b8eb4950e29284353ff6ad96cc70945a4b39cd
-
Filesize
1KB
MD50d23582de1d209aac462fd7ca3081e9f
SHA144e1e7cfc4f4ddf0a6b1c7984a68b73563e97d38
SHA25653c00e6c61c50153ae5cecd1620fc099a9ba79ac177f16567de2f69076c16317
SHA5121c8f790e9f50550ee79df8dfb91e93f9f4b5df1ef0e5e603c8bcc8fa584c18347d7d096c2cb776a52268cd955c66bea8845c6203e59b414f084dddd0677ddbe1
-
Filesize
1KB
MD5573162d75cef58e33bbc60c7de0ead44
SHA1738991fc26fc9123f6911d098fb56750f4571288
SHA2561ab5d7bac7d4dadbb9fdd5cda44265c2929a2c5053be4d4e89699408e4ec3460
SHA5121c406a8c00db68409c66e81078a2c84f7068c63f0b82c771130f57dc29ad5c2ae1b8cab025d177f66a60eb5866a262235005e694a735df6550162e59af398fbc
-
Filesize
1KB
MD59848438ebd6f5b0c2bd13e5b143b30a3
SHA1274678fae41de63301ae38bd15df2faa3a8fb1ab
SHA25666691b6495ec75930a3ef8382f0c93f7802e1825c23619ff939ca85e592fcdd8
SHA5127243b9a87e0b4d1a02f0715095e32992496a9c0ad6b74402399a541e3c0af185fc7d15101a69090363448f737b697e5505fad92a4a1ba8215b87faac9aa20739
-
Filesize
1KB
MD55d42e5fdc0d5316b7d5a0eb0621d08b7
SHA1e0b8d8fb9a06d9c49f26c37c6753c22f8a613a8c
SHA2568c3f5b54d9513a332141a467daba77bd1ca0aad632265b06fab9d4da0740962a
SHA5121c600712c7ab3eeff405f7807df71a0923bd97edf674e7122d9331ff32ff1be317cdcf899648be8ea4374507808c9d060cf7775427b1a9489576f82528bdaf05
-
Filesize
1KB
MD512b6882337391d34c28fd55ba1b12044
SHA10db26f09f2b8019913d504897fe989a60e81d53c
SHA256957b2786fb3de07f8afa80a1f3c957dcf8d780bef0f6c5daf6fd06c2de89f104
SHA512317536ac025ea89602f2119dd6240de0e7c9e5f832fdf27d1aa96cb3070eae65fdd349d0a780e15fa422da25d4afb240df000e112df733533460e7accf0f090a
-
Filesize
1KB
MD56a3ec350794c935455187c82b4c9d69e
SHA16a158dac984c03321cb17a4d026ca920eba65b07
SHA25655aa4eb038a3b8ebed45a65e6ab10fa266b6b7f0de910a8e79c843b02ded9962
SHA5120cc0e973101f04ed7902ec8faddc1a7b2c2a7c0fbe8c0a3d5ccdd4e01f2a6be47e54ff97688d65af10ef50f4d082a58843af962a318b0a6a9d651ff0bba3fd83
-
Filesize
1KB
MD589440539c052e678ef088db1bb715f7e
SHA1f0177763a945823a21c11121d9dd3d2c0eda2743
SHA2565a48ca53295dc0c524097ea891f3803e86e31e61b9a9ebd868a6a4a2eb9ba31e
SHA5127e5d1d8fe3888d2f342d8e1571574e93443253cd61af2f043761d83c859128101c7a7e4b1676b542e30f78ce6465e9a0c0d8636f55f1ae7c34070063a5c92591
-
Filesize
1KB
MD52047f9611f34e854159c97a332df1dd8
SHA1858789d684300d428b2e72b7bc998d83d74ff401
SHA2569a5eaa3d4ce2b4db5e9ee4136d71500aab7276c452f7a7fd4b8e3b49cf3a5fec
SHA5123dca9d1671d79efaa9e9cc941501b19d0fc918616e45d8425478e8a15efd0d0219a0c6a4a57ec104d5f01de61fd1105b63182617a04176568013dde44b5d1690
-
Filesize
1KB
MD59f214099623b70b889178883ffe752c8
SHA1a86f3f1464b72e0627ac589bcfefc0792422d489
SHA256f8b11e3198371cbd6085edde505578407f90b0c53786d7d8a3a9669710be656e
SHA512de43733183f4eee58e3d08c5f79f47bb36559db7c21c2f0fc9a8533972d99ba9802d1432cec7997a58579560a997487660f078857faa09462c25f1de033df825
-
Filesize
1KB
MD5bee9bec228d9251f72b4aebf724fe66b
SHA10658a01708dae4f4da13a3455368ce55fc543f54
SHA2561cc42a758a2ff3aa731c34a80cc90012997ac189234cba3d5f57b3f22d1c250b
SHA512fb813cccf25df1d7348e4ccf9b32fe3d369c164fa2a491c7556617eb3f2760908bfd36a7b4456f6e70ed73b7b3cb7c8e0fdedc546ad6456a60a02ea004747dd7
-
Filesize
1KB
MD5f49aa191208292caa43cf20c05ef9196
SHA19e1f94e20b51ef308ab1526aca530f2b6d8d1a27
SHA256bc7e160b959861c180d54a0dd123f68f87b326fbfbce5f597728337dc3fa68c1
SHA51289335bd1328cb6427231d23134fde14e43a927164edee5bfcab830a6d57174d9ac4abfc3cab01edfbb3fd414994a1c8549dd0b5473c8b5f7eae558403b6c232c
-
Filesize
1KB
MD5cf7ce1707737d143fa20a2909988b5bf
SHA11a3db3b45d7b03da7eb132f6c4cc6f1b40c37623
SHA25628f6618a2f957443075eb437f6c368fbe7e8687d0319bcac45dbb49de3a3db34
SHA5122d334bab7b97603b04c4d6763fd345ba6df2a219c14bade31472564b43c2cc5cc78b190455066858f2fdb9d5825ff1b533e156baf037c5762b5fefba0d99a2c6
-
Filesize
1KB
MD51dfbe008f99da628db62420d9cdd539f
SHA10c6049a5245d100dafb5abfc9d369b09bd6be7f5
SHA2567196227205a5f2272c8164bb7b5d8734a29979ad3fd1899d777ecc9641ac2d9a
SHA5129b7ee808512949467727fdce82c2ea68cb2a5c8f231cddd9d24f027a2ae7fb95f9d9fca5a6f371b89ebbadb3261dd5e5a356e1d1513f22473a1ef3a5e3f85822
-
Filesize
539B
MD565dfa640303650da127972a4cb205801
SHA1d5f09ef2e3975fe6d8f125fa6b57090ca317a480
SHA256a051d8a043d7a4721521897d085602d338ec80c9e73ddf12547c4b4c4e4c0c33
SHA5120e5d24311fa4e27bb92b437c35d653e8063feebc34ef1bcf7e79406dd7a4322198e70122b0b7f4fd3084b084302e0e880c03debd0eec0b7574e87eff40879ac4
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
1KB
MD5761383f9efff4836cd90f04acef68b76
SHA1148fe737870457550b3daf187bc1f3f2ee005fac
SHA2561c1daec39e4033fb04dd15e299cf07cf69494a8740fe9596a7c37469ff133a5d
SHA5125e36e6318ca78ce9c5070c79a388a4383e43bce3ac9f50ac6a304edb75841ac84bd54f22256241497a78b15f0cc05002179cd78d7c798ea69844ab1045a41225
-
Filesize
10KB
MD5ea45eb8fb051b6444a2fd38f4c2b50f8
SHA1ecacbdcb5e7799b69c70b724c69b638cbde6a585
SHA256a2685cfd3f1cc25ee280530e87853da6d1d106d8d1c4212462221e2e0cb08ee9
SHA512ca309e4c19fc7db589bb7cefe429763a99d2d89f83efe9576ee3b32ac04537a8c0d7bf6080651293bef9775297f19c20873e356a1ee6300c4f05d5620a3f9619
-
Filesize
10KB
MD5984f4c224d202a3693feda38d306d5ef
SHA1c36244fc2e993e8a0f5663a1efd4c7b415e40851
SHA256866887f35e2234ac4cf08fcffc79ca2ab37bb59248823ae014bb8566e921abd7
SHA5123dd38b1ae525047d63b330f74c79286bbce155b1ebf403dcc62b3d63e9307eb4cf5654c37ac5108bdddfc93c19a48bacf0d6353e9f3a7a42315546adb45fa768
-
Filesize
10KB
MD5f9eabe0ae3fcee238584d319ee37a62a
SHA11284624212687989fcc41801040bd7d802118d72
SHA256dbaaf255a1fd2dc3f73b7315412428ddd191e91b75d3120906cbec28f67f0c9f
SHA512cb1f77174e4effb764b8dfca8dff016c72fe74e5aa04acdf9509b364f4c6e60bf626828d7caf627e3938ddeeea75d7393e370582dbd5b16ed8ca53f01aaef42f
-
Filesize
10KB
MD5af67155e7ffd87de08c0d5ffb8cae733
SHA1c16bcbd9bd9e7d838f78c149bcf3fab59917edb4
SHA25600f85627c4551c66e10358abc6366f8cb895bb62326938d6f1716df7f6514eb2
SHA51222fc435f7cf9282253728ef28ba4b8098c19d95adf6ef90f1ef7a52d0431eadd4f8b74128e3859c3c07066abcb48aced662bfaf74946d0110f0bcd7962aa2fb8
-
Filesize
10KB
MD543cc587dcf239c996aa9c3bceee1f1d7
SHA1f3c50fca108460a2cc064d05d3a75a60843274c7
SHA256ab210868e049bdc05dffc40fcb98ccee278ad93b97be4ad170e07461ebc680c7
SHA512ca7a2efb088135bd632b3bc7b215cbd4e5838445afc260eb030eeca46c922e114fee0f5ae475910f77205c5cacd786a0d16f76a28147f32c41f9de2f62ca3d1e
-
Filesize
10KB
MD597883bd7c979e62ad1e12ad8b91d73d8
SHA1b352fb80af26a3b94fbaf3bfc9c5f8d1e713f82c
SHA256a1d1c7f7cb8f34a86c1e5f41caefc73dc9676a8a1aad87a5ce6385d883e5a03b
SHA512ca68ee44703b0a8f456d963436bc256d7d033f0bec6de15b6ed18b2cde553df36e4e51e74622395224bd312a58be1606d3bbd922968c16e3657969ebe730aa75
-
Filesize
10KB
MD592baa0a3394c4c64c47eb7a4a015ec08
SHA1eb3f46ae5e34ab6730e71e8e49c225537bd55440
SHA2567ac9bad7e339fcf9a3a93539004a13f2c8b5d5d4706d5d30294a59f15dfb2761
SHA5124106ef7d3a9d7e18d03a3da68a8e8264385f6b0f0d8bdb2ac057d2b419177ecac1577473f593c445f0edf0e77a52188aeab3367608ba6260133a5c6676c130d8
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
Filesize
46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
1.4MB
MD563210f8f1dde6c40a7f3643ccf0ff313
SHA157edd72391d710d71bead504d44389d0462ccec9
SHA2562aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA51287a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
-
Filesize
132KB
MD5919034c8efb9678f96b47a20fa6199f2
SHA1747070c74d0400cffeb28fbea17b64297f14cfbd
SHA256e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734
SHA512745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4
-
Filesize
18KB
MD5e7af185503236e623705368a443a17d9
SHA1863084d6e7f3ed1ba6cc43f0746445b9ad218474
SHA256da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a
SHA5128db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3
-
Filesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
Filesize
32KB
MD5eb9324121994e5e41f1738b5af8944b1
SHA1aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA2562f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA5127f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2
-
Filesize
125KB
MD5ea534626d73f9eb0e134de9885054892
SHA1ab03e674b407aecf29c907b39717dec004843b13
SHA256322eb96fc33119d8ed21b45f1cd57670f74fb42fd8888275ca4879dce1c1511c
SHA512c8cda90323fd94387a566641ec48cb086540a400726032f3261151afe8a981730688a4dcd0983d9585355e22833a035ef627dbd1f643c4399f9ddce118a3a851
-
Filesize
2.8MB
MD51535aa21451192109b86be9bcc7c4345
SHA11af211c686c4d4bf0239ed6620358a19691cf88c
SHA2564641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA5121762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
-
Filesize
211KB
MD5b805db8f6a84475ef76b795b0d1ed6ae
SHA17711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA51262a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
-
Filesize
2KB
MD5a56d479405b23976f162f3a4a74e48aa
SHA1f4f433b3f56315e1d469148bdfd835469526262f
SHA25617d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
Filesize
424KB
MD5e263c5b306480143855655233f76dc5a
SHA1e7dcd6c23c72209ee5aa0890372de1ce52045815
SHA2561f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69
SHA512e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113
-
Filesize
2.7MB
MD548d8f7bbb500af66baa765279ce58045
SHA12cdb5fdeee4e9c7bd2e5f744150521963487eb71
SHA256db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1
SHA512aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd
-
Filesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
Filesize
300KB
MD5f52fbb02ac0666cae74fc389b1844e98
SHA1f7721d590770e2076e64f148a4ba1241404996b8
SHA256a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
SHA51278b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
416KB
-
Filesize
148KB
-
Filesize
752KB
-
Filesize
752KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
648KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
272KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
328KB
-
Filesize
80KB
-
Filesize
5.6MB
-
Filesize
32KB
-
Filesize
584KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
456KB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
624KB