Analysis
-
max time kernel
354s -
max time network
351s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
02-10-2024 22:56
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://hatching.io/blog/tt-2024-09-19/
Resource
win11-20240802-en
General
-
Target
https://hatching.io/blog/tt-2024-09-19/
Malware Config
Signatures
-
Processes:
wscript.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
explorer.exeINSTALLER.exeINSTALLER.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components INSTALLER.exe Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components INSTALLER.exe -
Downloads MZ/PE file
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid Process 3284 takeown.exe 1036 icacls.exe -
Executes dropped EXE 7 IoCs
Processes:
MrsMajor3.0.exeeulascr.exeBonzify.exeINSTALLER.exeAgentSvr.exeINSTALLER.exeAgentSvr.exepid Process 3576 MrsMajor3.0.exe 1644 eulascr.exe 5116 Bonzify.exe 3584 INSTALLER.exe 4024 AgentSvr.exe 4864 INSTALLER.exe 2884 AgentSvr.exe -
Loads dropped DLL 17 IoCs
Processes:
eulascr.exeINSTALLER.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeINSTALLER.exeregsvr32.exeregsvr32.exeBonzify.exeAgentSvr.exepid Process 1644 eulascr.exe 3584 INSTALLER.exe 3640 regsvr32.exe 3616 regsvr32.exe 3476 regsvr32.exe 4756 regsvr32.exe 4708 regsvr32.exe 3936 regsvr32.exe 3264 regsvr32.exe 4864 INSTALLER.exe 2280 regsvr32.exe 2280 regsvr32.exe 2648 regsvr32.exe 5116 Bonzify.exe 2884 AgentSvr.exe 2884 AgentSvr.exe 2884 AgentSvr.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid Process 3284 takeown.exe 1036 icacls.exe -
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral1/files/0x0002000000025c62-1264.dat agile_net behavioral1/memory/1644-1266-0x0000000000180000-0x00000000001AA000-memory.dmp agile_net -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
INSTALLER.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet" INSTALLER.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
explorer.exedescription ioc Process File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow ioc 1 raw.githubusercontent.com 2 drive.google.com 57 raw.githubusercontent.com 60 drive.google.com -
Drops file in System32 directory 3 IoCs
Processes:
INSTALLER.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\msvcp50.dll INSTALLER.exe File opened for modification C:\Windows\SysWOW64\SETCB21.tmp INSTALLER.exe File created C:\Windows\SysWOW64\SETCB21.tmp INSTALLER.exe -
Drops file in Windows directory 58 IoCs
Processes:
INSTALLER.exeINSTALLER.exechrome.exeBonzify.exedescription ioc Process File created C:\Windows\msagent\SETC880.tmp INSTALLER.exe File created C:\Windows\INF\SETCB11.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\AgentDPv.dll INSTALLER.exe File opened for modification C:\Windows\msagent\AgentSvr.exe INSTALLER.exe File opened for modification C:\Windows\lhsp\help\tv_enua.hlp INSTALLER.exe File created C:\Windows\msagent\SETC87F.tmp INSTALLER.exe File created C:\Windows\msagent\SETC895.tmp INSTALLER.exe File opened for modification C:\Windows\lhsp\tv\tvenuax.dll INSTALLER.exe File created C:\Windows\lhsp\help\SETCB0F.tmp INSTALLER.exe File opened for modification C:\Windows\SystemTemp chrome.exe File created C:\Windows\executables.bin Bonzify.exe File opened for modification C:\Windows\msagent\mslwvtts.dll INSTALLER.exe File opened for modification C:\Windows\msagent\intl\Agt0409.dll INSTALLER.exe File opened for modification C:\Windows\lhsp\tv\tv_enua.dll INSTALLER.exe File opened for modification C:\Windows\fonts\SETCB10.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\SETC87F.tmp INSTALLER.exe File created C:\Windows\msagent\SETC883.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\SETC893.tmp INSTALLER.exe File opened for modification C:\Windows\help\SETC896.tmp INSTALLER.exe File created C:\Windows\msagent\SETC898.tmp INSTALLER.exe File created C:\Windows\lhsp\tv\SETCB0E.tmp INSTALLER.exe File opened for modification C:\Windows\INF\tv_enua.inf INSTALLER.exe File opened for modification C:\Windows\msagent\SETC87D.tmp INSTALLER.exe File created C:\Windows\msagent\SETC87E.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\AgentDp2.dll INSTALLER.exe File created C:\Windows\INF\SETC894.tmp INSTALLER.exe File opened for modification C:\Windows\help\Agt0409.hlp INSTALLER.exe File opened for modification C:\Windows\lhsp\tv\SETCB0D.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\AgentCtl.dll INSTALLER.exe File created C:\Windows\help\SETC896.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\AgtCtl15.tlb INSTALLER.exe File created C:\Windows\finalDestruction.bin Bonzify.exe File opened for modification C:\Windows\msagent\SETC881.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\SETC883.tmp INSTALLER.exe File opened for modification C:\Windows\lhsp\tv\SETCB0E.tmp INSTALLER.exe File created C:\Windows\msagent\chars\Bonzi.acs Bonzify.exe File created C:\Windows\msagent\intl\SETC897.tmp INSTALLER.exe File created C:\Windows\msagent\SETC87D.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\SETC87E.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\AgentMPx.dll INSTALLER.exe File created C:\Windows\msagent\SETC882.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\AgentPsh.dll INSTALLER.exe File opened for modification C:\Windows\INF\agtinst.inf INSTALLER.exe File opened for modification C:\Windows\msagent\AgentAnm.dll INSTALLER.exe File opened for modification C:\Windows\msagent\SETC880.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\intl\SETC897.tmp INSTALLER.exe File created C:\Windows\msagent\SETC881.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\SETC882.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\SETC895.tmp INSTALLER.exe File opened for modification C:\Windows\lhsp\help\SETCB0F.tmp INSTALLER.exe File created C:\Windows\fonts\SETCB10.tmp INSTALLER.exe File opened for modification C:\Windows\fonts\andmoipa.ttf INSTALLER.exe File opened for modification C:\Windows\msagent\AgentSR.dll INSTALLER.exe File created C:\Windows\msagent\SETC893.tmp INSTALLER.exe File opened for modification C:\Windows\msagent\SETC898.tmp INSTALLER.exe File opened for modification C:\Windows\INF\SETC894.tmp INSTALLER.exe File created C:\Windows\lhsp\tv\SETCB0D.tmp INSTALLER.exe File opened for modification C:\Windows\INF\SETCB11.tmp INSTALLER.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
Processes:
msedge.exemsedge.exedescription ioc Process File opened for modification C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier msedge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
regsvr32.exeINSTALLER.exeregsvr32.exeBonzify.execmd.exeINSTALLER.exeregsvr32.exegrpconv.exetakeown.exeregsvr32.exeregsvr32.exeAgentSvr.exetaskkill.exeregsvr32.exeregsvr32.exegrpconv.exeicacls.exeregsvr32.exeregsvr32.exeAgentSvr.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language INSTALLER.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bonzify.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language INSTALLER.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grpconv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AgentSvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grpconv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AgentSvr.exe -
Checks SCSI registry key(s) 3 TTPs 58 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe -
Enumerates system info in registry 2 TTPs 8 IoCs
Processes:
SearchHost.exechrome.exemsedge.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchHost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchHost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid Process 2504 taskkill.exe -
Processes:
explorer.exeSearchHost.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" explorer.exe Key created \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
chrome.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133723837595041064" chrome.exe -
Modifies registry class 64 IoCs
Processes:
regsvr32.exeAgentSvr.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeexplorer.exeSearchHost.exeregsvr32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD3-7DE6-11D0-91FE-00C04FD701A5}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575}\ = "IAgentCtlUserInput" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7B93C92-7B81-11D0-AC5F-00C04FD97575} AgentSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD1-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD300-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31C-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32\ = "C:\\Windows\\msagent\\mslwvtts.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575} AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" AgentSvr.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\MiscStatus regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4ABF875-8100-11D0-AC63-00C04FD97575} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\TypeLib\Version = "2.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character.2\DefaultIcon\ = "C:\\Windows\\msagent\\AgentDPv.dll,-201" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{143A62C8-C33B-11D1-84FE-00C04FA34A14} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C85-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\InprocServer32\ = "C:\\Windows\\lhsp\\tv\\tvenuax.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlSpeechInput" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64DF2F-88E4-11D0-9E87-00C04FD7081F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95A893C3-543A-11D0-AC45-00C04FD97575}\TreatAs\ = "{D45FD31C-5C6E-11D1-9EC1-00C04FD7081F}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{143A62C8-C33B-11D1-84FE-00C04FA34A14}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C83-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8F-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" AgentSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\HELPDIR AgentSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\MiscStatus regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDF-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlPropertySheet" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}\1.5\HELPDIR\ = "C:\\Windows\\msagent\\" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\TypeLib\Version = "2.0" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C8D-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D6589121-FC70-11D0-AC94-00C04FD97575}\TypeLib\Version = "2.0" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{822DB1C0-8879-11D1-9EC6-00C04FD7081F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64DF2F-88E4-11D0-9E87-00C04FD7081F}\TreatAs\ = "{D45FD2FF-5C6E-11D1-9EC1-00C04FD7081F}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}\InprocServer32\ = "C:\\Windows\\msagent\\AgentMPx.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Server.2\ = "Microsoft Agent Server 2.0" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\Control regsvr32.exe Set value (int) \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1042" SearchHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D0ECB23-9968-11D0-AC6E-00C04FD97575}\ = "IAgentCommandWindow" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD4-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD2FF-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913412-3B44-11D1-ACBA-00C04FD97575}\ProxyStubClsid32 AgentSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575} AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C8B-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentPropertySheet" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08C75162-3C9C-11D1-91FE-00C04FD701A5}\TypeLib\Version = "2.0" AgentSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B8F2846E-CE36-11D0-AC83-00C04FD97575}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE8EF600-2F82-11D1-ACAC-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BD9-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\TypeLib\ = "{F5BE8BC2-7DE6-11D0-91FE-00C04FD701A5}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BF0-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Agent.Character2.2\CLSID\ = "{D45FD301-5C6E-11D1-9EC1-00C04FD7081F}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C87-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\TypeLib\Version = "2.0" AgentSvr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A7B93CA0-7B81-11D0-AC5F-00C04FD97575} AgentSvr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe -
NTFS ADS 4 IoCs
Processes:
msedge.exemsedge.exemsedge.exedescription ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 757061.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 256613.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Bonzify.exe:Zone.Identifier msedge.exe -
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exeBonzify.exeexplorer.exechrome.exepid Process 396 msedge.exe 396 msedge.exe 436 msedge.exe 436 msedge.exe 2256 identity_helper.exe 2256 identity_helper.exe 3468 msedge.exe 3468 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 3696 msedge.exe 3696 msedge.exe 1512 msedge.exe 1512 msedge.exe 5116 Bonzify.exe 5116 Bonzify.exe 3956 explorer.exe 3956 explorer.exe 5116 Bonzify.exe 5116 Bonzify.exe 3120 chrome.exe 3120 chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid Process 3956 explorer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs
Processes:
msedge.exechrome.exepid Process 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 3120 chrome.exe 3120 chrome.exe 3120 chrome.exe 3120 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
eulascr.exetaskkill.exeAgentSvr.exeAUDIODG.EXEexplorer.exedescription pid Process Token: SeDebugPrivilege 1644 eulascr.exe Token: SeDebugPrivilege 2504 taskkill.exe Token: 33 2884 AgentSvr.exe Token: SeIncBasePriorityPrivilege 2884 AgentSvr.exe Token: 33 336 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 336 AUDIODG.EXE Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: SeShutdownPrivilege 3956 explorer.exe Token: SeCreatePagefilePrivilege 3956 explorer.exe Token: 33 2884 AgentSvr.exe Token: SeIncBasePriorityPrivilege 2884 AgentSvr.exe Token: 33 2884 AgentSvr.exe Token: SeIncBasePriorityPrivilege 2884 AgentSvr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exeAgentSvr.exeexplorer.exepid Process 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 2884 AgentSvr.exe 2884 AgentSvr.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
msedge.exeAgentSvr.exeexplorer.exepid Process 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 436 msedge.exe 2884 AgentSvr.exe 2884 AgentSvr.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe 3956 explorer.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
MrsMajor3.0.exeBonzify.exeINSTALLER.exeAgentSvr.exeINSTALLER.exeAgentSvr.exeexplorer.exeSearchHost.exeStartMenuExperienceHost.exepid Process 3576 MrsMajor3.0.exe 5116 Bonzify.exe 3584 INSTALLER.exe 4024 AgentSvr.exe 4864 INSTALLER.exe 2884 AgentSvr.exe 3956 explorer.exe 1824 SearchHost.exe 1280 StartMenuExperienceHost.exe 3956 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid Process procid_target PID 436 wrote to memory of 4680 436 msedge.exe 79 PID 436 wrote to memory of 4680 436 msedge.exe 79 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 4804 436 msedge.exe 80 PID 436 wrote to memory of 396 436 msedge.exe 81 PID 436 wrote to memory of 396 436 msedge.exe 81 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 PID 436 wrote to memory of 2472 436 msedge.exe 82 -
System policy modification 1 TTPs 2 IoCs
Processes:
wscript.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hatching.io/blog/tt-2024-09-19/1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffa1113cb8,0x7fffa1113cc8,0x7fffa1113cd82⤵PID:4680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:22⤵PID:4804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:82⤵PID:2472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵PID:412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵PID:4232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:12⤵PID:2820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:12⤵PID:4640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:12⤵PID:988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:12⤵PID:2736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:12⤵PID:1944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:12⤵PID:912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵PID:1632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:12⤵PID:3828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:12⤵PID:1732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵PID:4620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:12⤵PID:712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:12⤵PID:4352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:12⤵PID:4812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:12⤵PID:3396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵PID:3428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵PID:4024
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:12⤵PID:1176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:12⤵PID:1868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵PID:3520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:12⤵PID:780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵PID:4840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6908 /prefetch:82⤵PID:1044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3408 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6996 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3696
-
-
C:\Users\Admin\Downloads\MrsMajor3.0.exe"C:\Users\Admin\Downloads\MrsMajor3.0.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3576 -
C:\Windows\system32\wscript.exe"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\5E1F.tmp\5E20.tmp\5E21.vbs //Nologo3⤵
- UAC bypass
- System policy modification
PID:2784 -
C:\Users\Admin\AppData\Local\Temp\5E1F.tmp\eulascr.exe"C:\Users\Admin\AppData\Local\Temp\5E1F.tmp\eulascr.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:12⤵PID:2520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6572 /prefetch:82⤵PID:4368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6956 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1512
-
-
C:\Users\Admin\Downloads\Bonzify.exe"C:\Users\Admin\Downloads\Bonzify.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5116 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"3⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im AgentSvr.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
-
C:\Windows\SysWOW64\takeown.exetakeown /r /d y /f C:\Windows\MsAgent4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3284
-
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\MsAgent /c /t /grant "everyone":(f)4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1036
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3584 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentCtl.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3640
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDPv.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3616
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\mslwvtts.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3476
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentDP2.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4756
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentMPx.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4708
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentSR.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3936
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\msagent\AgentPsh.dll"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3264
-
-
C:\Windows\msagent\AgentSvr.exe"C:\Windows\msagent\AgentSvr.exe" /regserver4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4024
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o4⤵
- System Location Discovery: System Language Discovery
PID:484
-
-
-
C:\Users\Admin\AppData\Local\Temp\INSTALLER.exeINSTALLER.exe /q3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4864 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2280
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2648
-
-
C:\Windows\SysWOW64\grpconv.exegrpconv.exe -o4⤵
- System Location Discovery: System Language Discovery
PID:5052
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:12⤵PID:4548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:12⤵PID:3804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,12248335760414461961,3213840112053259635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1348 /prefetch:12⤵PID:4304
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:696
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:560
-
C:\Windows\msagent\AgentSvr.exeC:\Windows\msagent\AgentSvr.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2884
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004E41⤵
- Suspicious use of AdjustPrivilegeToken
PID:336
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3956 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3120 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa1c5cc40,0x7fffa1c5cc4c,0x7fffa1c5cc583⤵PID:3008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2008,i,16295891559801789621,8344317407376286825,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2004 /prefetch:23⤵PID:916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1844,i,16295891559801789621,8344317407376286825,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2044 /prefetch:33⤵PID:3244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,16295891559801789621,8344317407376286825,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2204 /prefetch:83⤵PID:740
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,16295891559801789621,8344317407376286825,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3276 /prefetch:13⤵PID:2760
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,16295891559801789621,8344317407376286825,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3324 /prefetch:13⤵PID:184
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3784,i,16295891559801789621,8344317407376286825,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4460 /prefetch:13⤵PID:4660
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,16295891559801789621,8344317407376286825,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4632 /prefetch:83⤵PID:532
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,16295891559801789621,8344317407376286825,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4732 /prefetch:83⤵PID:4712
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,16295891559801789621,8344317407376286825,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4672 /prefetch:83⤵PID:248
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4376,i,16295891559801789621,8344317407376286825,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4672 /prefetch:83⤵PID:4804
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4700,i,16295891559801789621,8344317407376286825,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3708 /prefetch:13⤵PID:4764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,16295891559801789621,8344317407376286825,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5092 /prefetch:83⤵PID:4436
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4352,i,16295891559801789621,8344317407376286825,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5228 /prefetch:83⤵PID:1748
-
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1824
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:1280
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:3636
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:3872
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:3424
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:4176
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1AppInit DLLs
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1AppInit DLLs
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
5Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD50b09cd6ac06161155fb1549a38ca051f
SHA1b64626a94ae8bc4f1a103ef7cb1ceb71bc31eb94
SHA256c43fd79cab6882c5d584d37f8b56c7f7fe016b6fa8a3aa6ad1ce7479dc8d470f
SHA512d763782c96c79ca01cefb7c3c1bf1bd62330ac867f4507f31d9c5b22fb6cac907cfadfcde6f5085d106e171af48ffd3984732ba252f6f0d852a6ed35c6311330
-
Filesize
216B
MD5df4bde879feb97f88eb855ed6f89b43e
SHA13ae7f4501b2011b284742f64706e256338cb22f1
SHA2562e41489932115558ce2c62800daa364d67c5a49b2c31e0809b5649368e38cdfe
SHA51212e3ea84c156d67b8d0ed66ddcefabd4dd21c0a8403aff46e3d1a9372f88d0f6334102175a0dce1f6db86dc4114d857918bc08dca24ba44569d113d6ea9a363e
-
Filesize
2KB
MD5fc6e3548c3324769bfe498dc4b874ecf
SHA152ea206f96aefdd289d7ab084b3133e2da463aff
SHA2562c120c10ed96e475bff3f8b6cb9f5c59d9e5e9aac5c40a02e7d47c78d6e022a0
SHA512d28ff2cd7d63d91c3fd66b75f821b47099b7bbf3497bdae4ccf379234be7200ff4d39cd2a9b5ac6f235b0c45976737783493f16314c32d88471c0cb1104114c9
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\eeb3a451-a8ac-4690-a1ba-cfda7ec4f793.tmp
Filesize520B
MD553bc2425a275c2802bf20b248e9f0850
SHA1bdec55cfbd5994b2fd8b5f60846fa1c843709df2
SHA256dad3523928a135a81773f0c861d6d54abcf38604955f17800aaa0b5e66bf7b5c
SHA5121b1c48ba9b9ccd7ad8f47839be0937cb610b2eba3e011d4945559590e3b09b52ff4d7a5105a2763b75c9c919b5941fa6a39f62334cc67c2dc976c782ad3c8d75
-
Filesize
9KB
MD50c62deb22b6911ddf95f6378cca32f03
SHA199b13869a6a9cc0a8ad9c1a3773d46ecfa564350
SHA256aa0d7e86680a88c80729482d7f55ed42cad87634d2f4d795e36719d0f2d1d08b
SHA51209e9fe8ed512d671b82d84e428df7fd2a913803d4a9f3491dc7ce01343a9f3c5cc04577450b7f289d57c23ccf9276329e8d614cc80ea9401bb6449ea23aec316
-
Filesize
9KB
MD55d771f6b8e497e821d6efd5b458d8ad6
SHA18c079c98d77558d0e8b581631dfe614effa19249
SHA256750af77c5c9f10ca07abb126159f30897a50cf572d9fda84ae34a7f7c39e1847
SHA512b2c99c69b25205330cbddb353674ed43bc6cb5f4ba65662635f1199c13293e9e15669e8d6c99c0a757784c078cb9a1acf88ca5822282e7b4c1d7efb6c1498383
-
Filesize
15KB
MD53fe84db577b38c601f3db8bc178e4066
SHA13d68ba0ccecc4692eba2d5c09408e949bed47ba0
SHA256ce222bd221147e36ff19abcca38cabb397b61778394330d04b9680df9c01ce11
SHA512752276ca0caccd5ef3cbb1e53b3bb5312c054c824ec2bf15328745d70ea443a34914eb74cebabcaf1610602205f72203e7ebca960f5832f17d61156bc4173456
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
211KB
MD5a0fa0e590ae67213b6b1cbb516a45bdf
SHA1b64db8d37a28b1a83f6911d3c9a1c96f08d312ae
SHA25668fc9f050966a8fe36884bf04102ca5121067dcae36f090def4b89a14da31b7d
SHA512e2d0b22a6a5cfbd6c6689ec6befbac9cdd45c32f652b2191fec42b0d0fe52068a18cddaa23c1dc0a2de9d3ce4320c389711fe6e2e07e1caf2a318d64dc8e6d55
-
Filesize
211KB
MD524df12b4ba9cb3051b8a635db15f1a52
SHA1a9ca41e292b210ed239a483241118bc9789c816d
SHA256c79cc1880572fe2238153b0b7c0c9ad823ec4fa0434b65e819ddaa9d3f6fe049
SHA512e6e35a1437b1acdf46c9f54ea3f44484239e2dec40132c478f88a97d98e8dac7e3870b6a39f220714e7348cc8b51a629f447b35cbf4af3a81f6b444d191c445c
-
Filesize
152B
MD5302c3de891ef3a75b81a269db4e1cf22
SHA15401eb5166da78256771e8e0281ca2d1f471c76f
SHA2561d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58
SHA512da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33
-
Filesize
152B
MD5c9efc5ba989271670c86d3d3dd581b39
SHA13ad714bcf6bac85e368b8ba379540698d038084f
SHA256c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3
SHA512c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7
-
Filesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
Filesize
70KB
MD54308671e9d218f479c8810d2c04ea6c6
SHA1dd3686818bc62f93c6ab0190ed611031f97fdfcf
SHA2565addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a
SHA5125936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
Filesize
19KB
MD576a3f1e9a452564e0f8dce6c0ee111e8
SHA111c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274
-
Filesize
27KB
MD54aa91eccee3d15287b8f2a01e4254255
SHA1d89f8203934a66b5741256aee086c04f966cc6d7
SHA25679c601189597c9c5691b763f0ec6fdc9ec8339eea80e49713f76e9fe9199a7d7
SHA51246424f50d444aebf1dc3a93607b3a374d3e7e988137e291cd8ec28211d05a687d0b6214b45d6dbfd27608728df6b34138504e3343e6bbfd6e1c0af98199179e2
-
Filesize
20KB
MD5a6f79c766b869e079daa91e038bff5c0
SHA145a9a1e2a7898ed47fc3a2dc1d674ca87980451b
SHA256d27842b8823f69f4748bc26e91cf865eceb2a4ec60258cbca23899a9aef8c35a
SHA512ed56aaa8229e56142ffa5eb926e4cfa87ac2a500bfa70b93001d55b08922800fe267208f6bd580a16aed7021a56b56ae70dae868c7376a77b08f1c3c23d14ab7
-
Filesize
37KB
MD51b6703b594119e2ef0f09a829876ae73
SHA1d324911ee56f7b031f0375192e4124b0b450395e
SHA2560a8d23eceec4035c56dcfea9505de12a3b222bac422d3de5c15148952fec38a0
SHA51262b38dd0c1cfb92daffd30d2961994aef66decf55a5c286f2274b725e72e990fa05cae0494dc6ad1565e4fbc88a6ddd9685bd6bc4da9100763ef268305f3afe2
-
Filesize
37KB
MD597edd91866f66df1b9e540f76fa6a030
SHA117b7c05b6b82fb74eaa02741399f8c01016f46c3
SHA2566f74e794dae2e57c0d50ac89b83b1cf1426711588200893edc6f2cebc9626390
SHA512ed0ac2136d96d01d62afa7cef6dc61da3ad4f0dfefa9bb55cd19ddf53b01f1365953ae0355ffed75f3595f48ff3c6bbab25eb04e75535523678c153500924453
-
Filesize
24KB
MD5e9085bbce2730ad18477a5e6b2a053e5
SHA181b04f132e7c01d796d1730cace6a922eed47c5f
SHA2560d3da8c2f0f202ed280cfc0ce71a43264f3793e1f7d5a837822ebed5ee1af188
SHA51280f905992a6be57b31da4e63f69674a2c9a3c3f0e8c182103afd12d60d689936c5ac76a32bc809b672c564b9b65f1608960be800e72ce058842c698d1bea9fe8
-
Filesize
18KB
MD52e23d6e099f830cf0b14356b3c3443ce
SHA1027db4ff48118566db039d6b5f574a8ac73002bc
SHA2567238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885
SHA512165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717
-
Filesize
17KB
MD54859fe9009aa573b872b59deb7b4b71a
SHA177c61cbe43af355b89e81ecc18567f32acf8e770
SHA256902bb25ea8a4d552bc99dea857df6518eb54f14ffa694f2618300212a8ce0baa
SHA5126f12570d2db894f08321fdb71b076f0a1abe2dba9dca6c2fbe5b1275de09d0a5e199992cc722d5fc28dad49082ee46ea32a5a4c9b62ad045d8c51f2b339348be
-
Filesize
59KB
MD525534ad5d9d998a5d25f3cc598f41fbc
SHA166c6233f973376a42e3b1ae80d8530244164e41b
SHA256923cce0c041c93155bc962ff43c5d3189a7352800c67206ef03dea996f3afd93
SHA51242a81f8703a92d2c96d2a2d210e6396a931e9cf6d701d6df36e86e2957d83042d287361ab19b879ccbd66b1e62e122512a55774d5685b886c72323a27a59561f
-
Filesize
53KB
MD5cfff8fc00d16fc868cf319409948c243
SHA1b7e2e2a6656c77a19d9819a7d782a981d9e16d44
SHA25651266cbe2741a46507d1bb758669d6de3c2246f650829774f7433bc734688a5a
SHA5129d127abfdf3850998fd0d2fb6bd106b5a40506398eb9c5474933ff5309cdc18c07052592281dbe1f15ea9d6cb245d08ff09873b374777d71bbbc6e0594bde39b
-
Filesize
144KB
MD5fc5aecb42adee9ae58e9c43c3c9d221d
SHA1efee94896bb4823e20ddba7c44f1557b5354d205
SHA256ef62057c9347494ee2788065b7cbad7931adf6893f6c27d66cec046a2994fd24
SHA51260ecf396fdf08e268caae64fc723aac0dc6b0a6ce178b92eb4e784248fb71758b8210f348b98153530c61b89732987b937374dcabc32a15f33aa90118ed65d7a
-
Filesize
20KB
MD5938a7a50fa4d288dcce25a70a94a25b7
SHA1c59996246ee374a9f4853c9d24315d64ddb51b22
SHA256d38fac30d5d7db7ea5a0fe0208a457f05c296b9037a61608ceb9c8deb5613a0d
SHA512438c092ddca42fb19642436e225e6e4f181e98f758d2d60ab4a537bc68ea8655bef5d15137db61912799307a6fe33d4d0111a0d5461bf9b85df8e2ba0f9623f1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize144B
MD541ace926e563da5b2648283c3d4eb09c
SHA19dc5a3570955ff02a796da398fe6f74f43f33f77
SHA256268dca16d3df8a5a40b6842a11bb4ad503f672d37b5bbeeb48a125f2d3fb0112
SHA51240786661fb1c6e4f635467b6765631b36de80159059ac69b6c7431c77dca8ffed5fce963bc0998cd1e2d27e2e7c19a259272a43516b36f0165c24ca1ce79a214
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5c84c19739ed18e574997da813d550332
SHA116347c4fe86455ea0ad6a19956c97e9912f1fd09
SHA256308fac748c389f5cb99947163c4afebc9309b2565b1108a71d4e91a56f11000d
SHA5120b8ce3f7d3566c1dca4f95bf53149faaeff10186974d6ac72e62b4663b34ec399a4012539c20edd3c91e442378eea33a90d5b269dbade209e66c8f3621e7b1a8
-
Filesize
1KB
MD5927482bece07f0ebc2c2c00acbf3456a
SHA171034955418a74e69629e8af71d70c549f8f4fd6
SHA2568f595a26c06702a42ccdece5705c0e947e4f859dfbb279997c11037983200b28
SHA5120d4ba538857ec546d9ffefce2c117ae64bbf4b460a37413a477e12133815dc436c2a0e4da8ac3d5e8679dd21d7581e9996edda60d8d16970d985d2ebd64bcdac
-
Filesize
1KB
MD5c8bd258ec6b5cf3685315f8a2d223608
SHA11e41985f20ad465d1180ede0657473780bc2ac4a
SHA25600b1bf3c49dfd320162a0c2cc7fbeab5fa41ae347662151354649e4ac077c4d5
SHA512c3708dcba120cba2e4cb63492ebf14575dbb7adb3ba5689922f592f92c1f27bddc7116f8c832d28f1067cb78ed5e3bc9e69f79eb7d848d35ea488dd62feb0728
-
Filesize
1KB
MD5ceb69a76fd814c17c3de3e93df80baae
SHA16a95d844c44d34b4dba33aa027f42aaeafcbdc96
SHA256c59ffdac1a2c3309c61e738fe07c0ec0c25357091acdc3b2d9f341dc0bfc20ea
SHA512bc2fe16713d4d6868b648aee3196a028162f2b89b8d81a00b89102e45676d6ef79e1d0c885807e420e68eacaa493b23aa7c408b0fa11cae160f316107fc14e90
-
Filesize
1KB
MD506811c35ed59101c91f8fd79dc4cb55e
SHA1e7b566bbff4ba2b584fb427068b74eaa6fb881d2
SHA256a5ab0cfd2f3a82ac9f8a3a9454ef514ee0c8c4e1627888fb778c98837b5ace00
SHA51259beefbe826ab42d4b718ec66dad79f1c82a51c9caa3b372dd3167bc047285256e8d44f792b506f75bd7c2dd1d6f0ee3ef89119282acffbd9b572870ab0e5266
-
Filesize
5KB
MD527970c123269ed64d7ab386348a8b00c
SHA1fb7c1a8375d79898ebc2062e9eeb4f3f418448ad
SHA25673c7dc259b706b25fa727695bb22f008f403ee39db9a1672cbe02da9894dda18
SHA5125bd896deb698312e24c4d6d27db20dba233131776b4fccdcb7345502f5fecf2f1f5b5ca258bb0fb523630cc6640b3c5d3f4e13c8946e4d8853b42d9f304d0168
-
Filesize
6KB
MD508cb0e8bed038931a0772ea5e7760453
SHA1d624448315e2b58927237291ad32fd359089ad54
SHA2569d8188b09db4d4b9e5d32c5a2d1460659ed5c2032b6641b78e81f023b995822f
SHA51258c622f8c846b029541f7ce381dd9cf39037493890a2872eb977614d096c53fba1724ef87ccc8dbf58c058be80aa69ef3d1364dd7dc457c8280c90d823018143
-
Filesize
7KB
MD51f9a4af4a52e4ffe340a294dc1c8e922
SHA10b764c0b8d687531554fcb390756e0e3e18e2e41
SHA25682d1ccdede1cfcead5fbaf69cd808a6a47d79180dd622d59b43022424b062a24
SHA512760cf6c18d6b382fddb402b5178a68337a391965ba23df282649137667f07dc2245ad43bee10a493d3efb96713b7cdedcb6c24d3373df95b453785a1c26744a3
-
Filesize
7KB
MD5a11c3d161fa9a591fe5e2b5f4e7a70b4
SHA133f3fefc0a12fc5110c8fb5b98f96ae072480e20
SHA2564a71b8e9beb5691e127fe70e6cb343aa6632b0f8464ced9522e5c2031b8281dd
SHA5128a08d757b4850f03859807391af5fa3b10073827ffd59b614102b88be3ce3e2b47cd21c6f33a735598e35add9c83608c75445264bb760995d3d7cb0621f56e48
-
Filesize
7KB
MD5a00bc6fe2f6714d5a9c0dc9e784816c9
SHA1d6135eac261a5567dbf63d69140a623ddfd8ad40
SHA2565ceef00d76f1ca1db7d7b6334dec5cf7e2f99d61597e3cef78aabf58461b5e71
SHA512c33a11b3f10287c8874171ff082ec6ce4db72e1030b4290fc2f354ec4548444c15de651d05906c5cdc995113b7eb65c9092d10d1417383f400e02c65da125a03
-
Filesize
7KB
MD5aaadcaa6f8275906779d68de6370baa0
SHA122eedd91a13087cd25c87943be9e4e738fb5d673
SHA256494b004756612b24f0522797b4685fe2fa3cec9e20ffe280bba13db09c91decc
SHA512994466ebbe25d4fee1dc0ba38e2f370ad26cd83fbcae7f2e91f088b8b8fecc60eed74cc99a5fb1de377cc8439a0c63ac799e6f2b7bbe58cb3493ab2956a8da10
-
Filesize
7KB
MD520695bf4e6f31c589f168976ac72cc8a
SHA1b9b4874bb3d878669b3f60f994486d82ccdd9778
SHA25617c424a4ae9c0ee47f0458bead1ea64782889cd60dc13ec7daf828a32cb4c137
SHA512c07313205c8d2f381d5b94d929de9754d1bca4f68b75437b9b9a5953faf496a351a480d3a69296b3898ebb36537a07c97a67b42d9a69bc9431de01c136217a03
-
Filesize
1KB
MD59a21249eafc6b0e3e414c6c8ba9fc06f
SHA1019d4c3acbabc43ee1772c46ef4e3bedd3e09856
SHA2561400229c4a9f217d295841bb23e42a0d19bc3b34aab139edf5cf1ba925d09bb5
SHA512085ccdd69b129f9d3517acbb3b8ff4ff3311e03770873b9a6692f29f8449054949a0fef97cc6bd3e43d9a41d73f3c0f17602c130a8aff47daeb7021fccb7a2b1
-
Filesize
1KB
MD5478afff7ea46d96b81437147bde61923
SHA1d3fa071646bd4a8e8ace6454d9e266b286e52805
SHA2566e071f9c1d0b8848a23c4ffb4d49fcfd0d3ee3f48159079e8270a5846bd3800d
SHA51210cae2c9b6b59a0c91a619b444a7b744aa50d05996f6dde986cc27692503c3c64a16d0a4184736d332f2d5c576c4f9e81711f7d222c5a1114eeb4d93e03362f6
-
Filesize
1KB
MD5b53b51f06e3f8ce786b41a4103fae2a9
SHA1c1f66cdb5d13f10a81611901d7c98e1bf643c160
SHA2563af3525834a7806171a91afd6330a9a64d2c5f4c162d1517c954336b3daf1535
SHA512f09b50aec1b3050baeb4c4a5c2b4447c3672089523198b884a7ce756dd223f716801e017361acd7d95d5363b0d296252a7ba870ba49863e8ad4c1edd6c1230af
-
Filesize
1KB
MD5795d85d0b55230fcc550eb67a2d1b5b5
SHA1c0fb1762382f73841bd57f68d05946b91c7c62fe
SHA256bfc507256710efa47c3000dc3e20942ea18303ae515618f317dc76455eb3befe
SHA512f3a4687e9cb964f2c46f5e9c7bb4bba6ca7bc9afb7c3a4a83b5ad74e043d19dad3c41a1743c96547902614bc6b7b95a04500d5a1cc39be26607f9bc919a81397
-
Filesize
1KB
MD5314b152cbf96b666eeb30a47681d8598
SHA18fe5c10a6f66d8295090e9c8ba13c91e30c61105
SHA2564eba99030a6e5926b931d490b019d7490a47938f601bb7685345948a7be6ea4a
SHA5129c05370d820eaab43de8a1fa0e00dd8bbea8101f2796126faa64514e9c151338f3e0fc56d7d86c0dd6ccd65aa482ef3296e6b26dac4a76dffc7dc011bd796936
-
Filesize
1KB
MD5a2712b2d04d332d52fbcd287d0870486
SHA1342626da5946a106f30bae5d1fe0654b50ed5021
SHA25667c7d9b329e9c4adbee7a0d8307c0ac986f81aa611bff1d09029ec167e364f36
SHA512e43136d4634e9b9a8c17cd2916b1c08efd15c7d551167b4dd3b3751a038ee425c374cc4e4bf03c7b1e8ce8f14d434ad1f7c8d623fd79ebd27fa3ffb903429c13
-
Filesize
1KB
MD52ff14d1ad337be6dfd94f48853a067b6
SHA134d12157f04890044acb37b5853e7d2a9a30c198
SHA256853525f5859ee52d7cf62519c3fa481e8c079e1d50bc9f3efba19e6c4ebd12a7
SHA512b5a16490e7eb07a1ace775414d82fa9426a7185fb619f228566404f16105266e1fbbbf014fb2ed159f8c93a2e816763615eb83cc1da77a0707a7455f977a0573
-
Filesize
1KB
MD5582abf74c3f5e6d389f0cff7ac7a1029
SHA1be19e4a82345f1c153488812691c8c848626902a
SHA25695b986a69ad8fb292a886e5a6d68b1bde5ed09d47f20162a949855e97bd5a871
SHA512f1dc9bb7f006a7e40c08e1d3d98bf9a8efb649f12f5a7a34c9268a2858f153c47338f1c0c1c3af354e2c9adcdbb670d81fe9d3484d50edba14c30b1d8ded3186
-
Filesize
1KB
MD5919549214d66901975415eea3cd7b41a
SHA1ee14a62965ab85def90e8c74df09cb33a633fb48
SHA256f6cbcf4610092025de2bf47dc8e5f10840e72fab0df92502c42b579af6a2c528
SHA5129bcf966ec2cdcb382aa59ded63ceac08f07a602c43fea808944e1e8cf94720340b8e906d037d5ba0f6185364d6ad7ac91415e7188d3237c7d7d040e470bd967e
-
Filesize
1KB
MD5cb17a307f4d4e1cb34235260bfd8f6c4
SHA1142d7a45604f4616fced2cd31e246fe665115f4c
SHA256debfaec085eb5651d7883e5c78389d5383b7c118fe61fff68ef32530176ac94e
SHA512a52964afead71a1dcd442ba0e4244b80a911358bc2889acd50d31d0844a67c7d49dc6a6462c0754991f337ff9b6c443b56c64b342365cf62d9e8da6495a5cb4f
-
Filesize
538B
MD5284b39c53ce3ae0d0cc7441e5740dc70
SHA1355f789ad24e3c1de46568f1197dcaa9adfbff77
SHA256a6452c5e7b218071de5bc2ce717d1a910546afb6205bb1eb75df148ad07cb2dc
SHA5124840bc34532aa86b88b04a5064cc78498051d379010c22aad0176b18739c126320b1d8cf1e303b541c18c13b0a392fef862291141ad4e7d11e003669c21b7a5b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d4c3dbd9-5861-4f97-916d-857e5107cbb1.tmp
Filesize7KB
MD55b1e6f2e0ec506614c98d5199261a03b
SHA1ef166abd59b0fe72a81f29e4f5c6b189f04e0978
SHA256a035a30515bc069a06812cf88d41bf94b7c2bfa1a5e151901499eeb287083982
SHA5128a9b27cd250b7a6fcedc15134db7cde86330c44dc79c51e77a569556b25475722bd44f4de4be838ed210f6d4b20d2dbb4ec8cb13f976c90148cc1c2b0bd3e310
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD5cc63306a026876c81e930d2fbf861f02
SHA1f04cd439bc9f04f4a7f7214a34712b0ea2eaf772
SHA256df82540c2a7de8ace70a47e1b0b3073101de368ef56de840de1c3966a72ad138
SHA51216b9435b46051a4610a8d410910705d84958004b59ff5e25cfec26818a5ea5cdac659dd3c6ba4131919615670914219f99cccecfdb334e33c3aa78e0cf7456d4
-
Filesize
11KB
MD5975e67e877bb1aa993054aa4ef6582de
SHA1fc2a3ecc726813793f7b8de5358ae29431f0942c
SHA256ced8bccb798a453ad58ff35c446eccb20c39e44f22c9022f48854cb045d6e5bb
SHA512f88309191732501d3f392d86b720bfdbe83ad1015fcfb2e29637b9c0c86260d19409af13e5403167a1da74508997a670b8dd56b456e172a98f0ccf53657e5b09
-
Filesize
11KB
MD5dfad2ecd80270dd5065c78ff2733f75a
SHA1a4130f480da51e4e01650195bb0d2e727c1978de
SHA256801a5f5f27891c07c1fd047748a223f13076d4c2c35a26dfab69457268bcef1a
SHA512e446b979676d9d3ff5da9f0c58435f6be637d8bd2deb5c55ee47aff08d3ac2d05ab44093fb51029c17c08c0d5530304af57dbfa2684873fe7a055c5f5d8f43ac
-
Filesize
11KB
MD5001a6bc4c599ea749788f138557ce28d
SHA1856b8aeebb64532ac5ec45af54fc2f1582f40e35
SHA2569519c1199e68027a574fe08412e8ddcc5f71eec05b64d76c814658176c9d48be
SHA51212a72921d8dc27eb07a199402746635aa6bd9ba8aad8b043897cf86aef066839a9c10cddb2fc797bf0ab0375d8f5a06d41fd761638d9ac445f7e23064bbeaabc
-
Filesize
11KB
MD5f1e27f40b5d172c07d4621a533adaf21
SHA117ead44f06298002340851399ddd118dfc4e82bc
SHA25678555feb9970ad570b2dea7a8a1d74c5f93e698efcc184807c16743753ca80fb
SHA51276cde42ef9be81cec002897b80275fc4758d19cdae1e0ed9b38d8abaf84b77488e71018e88098a9eb0eb71d5367ad19eacf139ded79b8305d1a8f3f03000a309
-
Filesize
352B
MD53b8696ecbb737aad2a763c4eaf62c247
SHA14a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
SHA256ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
SHA512713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb
-
Filesize
143KB
MD58b1c352450e480d9320fce5e6f2c8713
SHA1d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
SHA2562c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e
SHA5122d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc
-
Filesize
75KB
MD542b2c266e49a3acd346b91e3b0e638c0
SHA12bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
Filesize
391KB
MD566996a076065ebdcdac85ff9637ceae0
SHA14a25632b66a9d30239a1a77c7e7ba81bb3aee9ce
SHA25616ca09ad70561f413376ad72550ae5664c89c6a76c85c872ffe2cb1e7f49e2aa
SHA512e42050e799cbee5aa4f60d4e2f42aae656ff98af0548308c8d7f0d681474a9da3ad7e89694670449cdfde30ebe2c47006fbdc57cfb6b357c82731aeebc50901c
-
Filesize
997KB
MD53f8f18c9c732151dcdd8e1d8fe655896
SHA1222cc49201aa06313d4d35a62c5d494af49d1a56
SHA256709936902951fb684d0a03a561fb7fd41c5e6f81ecd60d326809db66eb659331
SHA512398a83f030824011f102dbcf9b25d3ff7527c489df149e9acdb492602941409cf551d16f6f03c01bc6f63a2e94645ed1f36610bdaffc7891299a8d9f89c511f7
-
Filesize
73KB
MD581e5c8596a7e4e98117f5c5143293020
SHA145b7fe0989e2df1b4dfd227f8f3b73b6b7df9081
SHA2567d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004
SHA51205b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6
-
Filesize
40KB
MD548c00a7493b28139cbf197ccc8d1f9ed
SHA1a25243b06d4bb83f66b7cd738e79fccf9a02b33b
SHA256905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7
SHA512c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830
-
Filesize
60KB
MD5a334bbf5f5a19b3bdb5b7f1703363981
SHA16cb50b15c0e7d9401364c0fafeef65774f5d1a2c
SHA256c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de
SHA5121fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46
-
Filesize
64KB
MD57c5aefb11e797129c9e90f279fbdf71b
SHA1cb9d9cbfbebb5aed6810a4e424a295c27520576e
SHA256394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed
SHA512df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a
-
Filesize
60KB
MD54fbbaac42cf2ecb83543f262973d07c0
SHA1ab1b302d7cce10443dfc14a2eba528a0431e1718
SHA2566550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5
SHA5124146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e
-
Filesize
36KB
MD5b4ac608ebf5a8fdefa2d635e83b7c0e8
SHA1d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9
SHA2568414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f
SHA5122c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4
-
Filesize
60KB
MD59fafb9d0591f2be4c2a846f63d82d301
SHA11df97aa4f3722b6695eac457e207a76a6b7457be
SHA256e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d
SHA512ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a
-
Filesize
268KB
MD55c91bf20fe3594b81052d131db798575
SHA1eab3a7a678528b5b2c60d65b61e475f1b2f45baa
SHA256e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175
SHA512face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6
-
Filesize
28KB
MD50cbf0f4c9e54d12d34cd1a772ba799e1
SHA140e55eb54394d17d2d11ca0089b84e97c19634a7
SHA2566b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1
SHA512bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5
-
Filesize
8KB
MD5466d35e6a22924dd846a043bc7dd94b8
SHA135e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10
SHA256e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801
SHA51223b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247
-
Filesize
2KB
MD5e4a499b9e1fe33991dbcfb4e926c8821
SHA1951d4750b05ea6a63951a7667566467d01cb2d42
SHA25649e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d
SHA512a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a
-
Filesize
28KB
MD5f1656b80eaae5e5201dcbfbcd3523691
SHA16f93d71c210eb59416e31f12e4cc6a0da48de85b
SHA2563f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2
SHA512e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003
-
Filesize
7KB
MD5b127d9187c6dbb1b948053c7c9a6811f
SHA1b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9
SHA256bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00
SHA51288e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476
-
Filesize
52KB
MD5316999655fef30c52c3854751c663996
SHA1a7862202c3b075bdeb91c5e04fe5ff71907dae59
SHA256ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0
SHA5125555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44
-
Filesize
76KB
MD5e7cd26405293ee866fefdd715fc8b5e5
SHA16326412d0ea86add8355c76f09dfc5e7942f9c11
SHA256647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255
SHA5121114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999
-
Filesize
552KB
MD5497fd4a8f5c4fcdaaac1f761a92a366a
SHA181617006e93f8a171b2c47581c1d67fac463dc93
SHA25691cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a
SHA51273d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25
-
Filesize
2KB
MD57210d5407a2d2f52e851604666403024
SHA1242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9
SHA256337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af
SHA5121755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68
-
Filesize
4KB
MD54be7661c89897eaa9b28dae290c3922f
SHA14c9d25195093fea7c139167f0c5a40e13f3000f2
SHA256e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5
SHA5122035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f
-
Filesize
29KB
MD5c3e8aeabd1b692a9a6c5246f8dcaa7c9
SHA14567ea5044a3cef9cb803210a70866d83535ed31
SHA25638ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e
SHA512f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e
-
Filesize
1.2MB
MD5ed98e67fa8cc190aad0757cd620e6b77
SHA10317b10cdb8ac080ba2919e2c04058f1b6f2f94d
SHA256e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d
SHA512ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0
-
Filesize
11KB
MD580d09149ca264c93e7d810aac6411d1d
SHA196e8ddc1d257097991f9cc9aaf38c77add3d6118
SHA256382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42
SHA5128813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9
-
Filesize
2KB
MD50a250bb34cfa851e3dd1804251c93f25
SHA1c10e47a593c37dbb7226f65ad490ff65d9c73a34
SHA25685189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae
SHA5128e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795
-
Filesize
40KB
MD51587bf2e99abeeae856f33bf98d3512e
SHA1aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9
SHA256c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0
SHA51243161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a
-
Filesize
161B
MD5ea7df060b402326b4305241f21f39736
SHA17d58fb4c58e0edb2ddceef4d21581ff9d512fdc2
SHA256e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793
SHA5123147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize10KB
MD551c86b1007a3604f962e89c38d09e170
SHA1e77f28554ed546cc83d81154223df0625f0e1a94
SHA256bbe36877e25a179c6b06a9244925c1eaf3a167887e77b8ae7f74d09f99f0e092
SHA512fa54eff7bdf2575cf977613ce94ab0d798729662f46583be018734d68164f7f7c5900a8383f7e1b79b4eaa974c3cd75b205305ed52e2f9350f7b92ba83779bf4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize11KB
MD5e8700b7601cd2e535dcc18b2e8fd5dec
SHA1680a2d173573f8f5ca938697b8e39f84fef9d6ad
SHA25600f98873089fc941108b31e34e8a973906e6a50a6608b354dc7d4ff205c8c8fe
SHA512ad3669318cafa95b71450833d2b4af76263a050d7596c0f57379b7a05ded70d5426ea3d8f053ffac1bddb4c06d6618172d78f9d1f700ae40e0655a1d1404fb01
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize10KB
MD570869b502db2336ec71472857496d07d
SHA1687f080669a1f17c61a69418d4a9aee183418803
SHA256eb818be74dc82a42a58ebddc0497d05f251661f115f254c4234e30e42ad51603
SHA5129f9de88ffc1c164a8f60af22721b4fe6a2e16ffea88c1e821a4fc799ae28309675454a72a6b75b49dd478190f3d805b8ae2f7f594295b3a261f6511357f76d4e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize11KB
MD5ab0ed1f03c702fef0fd542550445d1ae
SHA1186580bd489c797af2c4235e035fff4db9e6877b
SHA2567118589fbc9c3fb0219b014f7c2531ed70aef692986c4dbcd17a20acfb528321
SHA512f54e661070e8bc614d70b8b64cb4526987fee83271a43559fe095797fe5f309ea34749f4f8216982a28c64280cf2dde0dda811a9de81ceb6f7fae9a31fa00acf
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize
6.4MB
MD5fba93d8d029e85e0cde3759b7903cee2
SHA1525b1aa549188f4565c75ab69e51f927204ca384
SHA25666f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764
SHA5127c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2
-
Filesize
381KB
MD535a27d088cd5be278629fae37d464182
SHA1d5a291fadead1f2a0cf35082012fe6f4bf22a3ab
SHA2564a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69
SHA512eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5
-
Filesize
160KB
MD5237e13b95ab37d0141cf0bc585b8db94
SHA1102c6164c21de1f3e0b7d487dd5dc4c5249e0994
SHA256d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a
SHA5129d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e