Analysis

max time kernel: 628s
max time network: 628s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted: 04-10-2024 08:53

Static task: static1
General

Target: trivia.json
Size: 1.6MB
MD5: 340602d13b6a20ea1fc4f3c3567925a1
SHA1: 42e13dd8f2f2f2a6bd97fa5478a7b838c1436f84
SHA256: 486d950df74f13356dc307fa4c38f8b33db342fc6922e9fdbb13ffb53904a671
SHA512: 72d69a44e4a160e06af3c7dc6f8175dd242dd017feb6865d9dc5ef68c31a88b527210edade2e3620be8822ab9fe515defb600b7b372c04725741a736a87ef832
SSDEEP: 6144:o3q6loPoec67JL7utRC7zK5NB9JDtM+6sV3jp+nTKGxKwvOixvaeZzlGG+zdTeLi:Dvc67t6zPFOw8TKmXFaAx+p9
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  wscript.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\MicrosoftWindowsServicesEtc\\xRunReg.vbs\""
  On a clean host the Shell value is exactly "explorer.exe"; the appended wscript.exe entry makes Winlogon start xRunReg.vbs alongside the desktop at every interactive logon.

Sets ConsentPromptBehaviorAdmin to 0 (signature title not captured; 1 IoC)
  wscript.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
  A value of 0 makes UAC elevate members of the Administrators group without any consent prompt. The same write is listed again under "System policy modification" below.
Disables RegEdit via registry modification (1 IoC)
  wscript.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"
Disables Task Manager via registry modification
Possible privilege escalation attempt (4 IoCs)
  3880 icacls.exe
  1620 takeown.exe
  244 icacls.exe
  4200 takeown.exe
Executes dropped EXE (10 IoCs)
  3372 MEMZ.exe
  1800 MEMZ.exe
  5020 MEMZ.exe
  4984 MEMZ.exe
  1912 MEMZ.exe
  5040 MEMZ.exe
  3300 MEMZ.exe
  3128 eula32.exe
  3288 GetReady.exe
  4732 notmuch.exe
Modifies file permissions (1 TTP, 4 IoCs)
  244 icacls.exe
  4200 takeown.exe
  3880 icacls.exe
  1620 takeown.exe
Modifies system executable filetype association (2 TTPs, 2 IoCs)
  wscript.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon
  wscript.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"
Adds Run key to start application (2 TTPs, 1 IoC)
  wscript.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\MajorX = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xRun.vbs\""
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  MEMZ.exe  File opened for modification  \??\PhysicalDrive0
  \??\PhysicalDrive0 is the raw device object for the first disk; opening it for write bypasses the file system entirely and requires administrator rights, so this row also tells you the sample was running elevated.
Drops file in System32 directory (2 IoCs)
  cmd.exe  File opened for modification  C:\Windows\System32\taskmgr.exe
  cmd.exe  File opened for modification  C:\Windows\System32\sethc.exe
  Both are TrustedInstaller-owned system binaries, which is why the takeown.exe/icacls.exe rows above precede these writes. sethc.exe is the Sticky Keys accessibility helper and can be launched from the logon screen before any user signs in.
Drops file in Program Files directory (37 IoCs)
All rows are wscript.exe and all paths are under C:\program files\MicrosoftWindowsServicesEtc\. Every row is "File created" except AppKill.bat, which is listed a second time as "File opened for modification".
  example.txt
  weird\bsod.bat
  AppKill.bat
  majorsod.exe
  breakrule.exe
  clingclang.wav
  data\thetruth.jpg
  RuntimeChecker.exe
  xRun.vbs
  bsod.exe
  fexec.vbs
  GetReady.exe
  weird\breakrule.vbs
  weird\GetReady.bat
  weird\majorlist.bat
  weird\WinScrew.bat
  WinScrew.exe
  AppKill.bat (opened for modification)
  data\excursor.ani
  rsod.exe
  DgzRun.vbs
  healgen.vbs
  majordared.exe
  majorlist.exe
  weird\cmd.vbs
  weird\majorsod.vbs
  weird\runner32s.vbs
  xRunReg.vbs
  CallFunc.vbs
  data\eula32.exe
  Major.exe
  NotMuch.exe
  checker.bat
  data\fileico.ico
  data\runner32s.exe
  weird\Major.vbs
  weird\RuntimeChecker.vbs
Drops file in Windows directory (1 IoC)
  chrome.exe  File opened for modification  C:\Windows\SystemTemp
Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All eight rows are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language" by the following processes:
  notmuch.exe
  MEMZ.exe
  MEMZ.exe
  notepad.exe
  cmd.exe
  MrsMajor2.0.exe
  eula32.exe
  GetReady.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
  chrome.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  chrome.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  chrome.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Modifies Control Panel (4 IoCs)
  wscript.exe  Key created      \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Cursors
  wscript.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"
  wscript.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"
  wscript.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"
Modifies data under HKEY_USERS (17 IoCs)
The LogonUI.exe rows are accent/DWM colour state written at the logon screen and the chrome.exe rows are TPM telemetry bookkeeping in the LOCAL SERVICE hive (S-1-5-19); both are OS and browser housekeeping rather than sample activity.
  LogonUI.exe  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00
  LogonUI.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  LogonUI.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"
  LogonUI.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"
  chrome.exe   Key created       \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
  LogonUI.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"
  LogonUI.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"
  LogonUI.exe  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  LogonUI.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"
  LogonUI.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "244"
  chrome.exe   Set value (int)   \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725056236125500"
  LogonUI.exe  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  LogonUI.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  LogonUI.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  LogonUI.exe  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  LogonUI.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  LogonUI.exe  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
Modifies registry class (15 IoCs)
  cmd.exe       Key created      \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings
  OpenWith.exe  Key created      \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings
  wscript.exe   Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"
  wscript.exe   Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon
  wscript.exe   Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\inifile
  wscript.exe   Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon
  wscript.exe   Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon
  wscript.exe   Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon
  wscript.exe   Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile
  wscript.exe   Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"
  wscript.exe   Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"
  wscript.exe   Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file
  wscript.exe   Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"
  wscript.exe   Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon
  wscript.exe   Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"
NTFS ADS (2 IoCs)
  chrome.exe  File opened for modification  C:\Users\Admin\Downloads\windows-malware.htm:Zone.Identifier
  chrome.exe  File opened for modification  C:\Users\Admin\Downloads\windows-malware-master.zip:Zone.Identifier
  Zone.Identifier is the Mark-of-the-Web stream a browser writes on every download; these two rows record the browser tagging its own downloads, not the sample tampering with streams.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  chrome.exe  PIDs 5016 and 4556 (4 hits each)
  MEMZ.exe    PIDs 1800, 1912, 4984, 5020, 5040 (56 hits in total)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (27 IoCs)
  5016 chrome.exe (11 hits)
  3032 msedge.exe (16 hits)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  5016 chrome.exe  Token: SeShutdownPrivilege (32 hits)
  5016 chrome.exe  Token: SeCreatePagefilePrivilege (32 hits)
Suspicious use of FindShellTrayWindow (64 IoCs)
  5016 chrome.exe (64 hits)
Suspicious use of SendNotifyMessage (40 IoCs)
  5016 chrome.exe (12 hits)
  3032 msedge.exe (28 hits)
Suspicious use of SetWindowsHookEx (64 IoCs)
  792 OpenWith.exe
  400 identity_helper.exe
  4004 PickerHost.exe
  456 LogonUI.exe
  MEMZ.exe  PIDs 3300 (once), 1800, 1912, 4984, 5020, 5040 (60 hits in total)
Suspicious use of WriteProcessMemory (64 IoCs)
  5016 chrome.exe wrote to PID 4028 (procid_target 83)
  5016 chrome.exe wrote to PID 2032 (procid_target 84)
  5016 chrome.exe wrote to PID 1852 (procid_target 85)
  5016 chrome.exe wrote to PID 2096 (procid_target 86)
  Most of the 64 writes go to 2032 and 2096. All four targets are chrome.exe's own children in the process tree below (the crashpad handler, the GPU process, the network service and the storage service), so this is ordinary multi-process browser startup, not injection into a foreign process.
System policy modification (1 TTP, 2 IoCs)
  wscript.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
  wscript.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
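The registry and file rows in the signature tables above follow a fixed shape ("Set value (type) path = "value" process" or "action path process"), which is enough to turn them into a small triage classifier. The script below is an added example written for this report, not sandbox code: the sample rows are copied from the tables above, the legitimate-value checks (Winlogon Shell is exactly explorer.exe, ConsentPromptBehaviorAdmin 0 means no prompt) are Windows facts, and the MITRE ATT&CK technique IDs are the editor's labels for those behaviours rather than anything the sandbox emitted. The last sample row (a LogonUI.exe theme write) is included to show that benign rows parse but produce no finding.

```python
"""Classify sandbox IoC rows by the ATT&CK behaviour they indicate.

Added example for this report, not code from the sandbox. SAMPLE_ROWS are copied
from the signature tables above (one table row per line); the technique IDs are
the editor's ATT&CK labels for those behaviours, not sandbox output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Row shape for registry writes:  Set value (<type>) <key path> = "<value>" <process>
_SET_VALUE = re.compile(r'^Set value \((?:str|int|data)\) (.+?) = "(.*)" (\S+)$')
# Row shape for key/file events:  <action> <path> <process>
_ACTION = re.compile(r"^(Key created|File created|File opened for modification) (.+) (\S+)$")

# Binaries Windows can launch from the logon screen via accessibility shortcuts (T1546.008).
_ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}

# Rows copied from the report's tables above; the last one is benign LogonUI noise.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\MicrosoftWindowsServicesEtc\\xRunReg.vbs\"" wscript.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" wscript.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico" wscript.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\MajorX = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xRun.vbs\"" wscript.exe',
    r'File opened for modification \??\PhysicalDrive0 MEMZ.exe',
    r'File opened for modification C:\Windows\System32\sethc.exe cmd.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe',
]


@dataclass(frozen=True)
class Event:
    action: str
    path: str
    value: Optional[str]
    process: str


@dataclass(frozen=True)
class Finding:
    process: str
    technique: str
    detail: str


def parse_row(row: str) -> Optional[Event]:
    """Split one sandbox table row into action, path, value and process; None if the shape is unknown."""
    m = _SET_VALUE.match(row.strip())
    if m:
        return Event("Set value", m.group(1), m.group(2), m.group(3))
    m = _ACTION.match(row.strip())
    if m:
        return Event(m.group(1), m.group(2), None, m.group(3))
    return None


def _leaf(path: str) -> str:
    """Last path component, tolerating the trailing backslash the sandbox prints on default values."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def classify(ev: Event) -> Optional[Finding]:
    """Map one event to a technique, or None for rows that carry no signal (theme/DWM noise etc.)."""
    p = ev.path.lower()
    v = (ev.value or "").lower()
    # Winlogon\Shell is exactly "explorer.exe" on a clean host; anything appended runs at every logon.
    if p.endswith("\\winlogon\\shell") and v != "explorer.exe":
        return Finding(ev.process, "T1547.004", f"Winlogon Shell hijacked: {ev.value}")
    if ev.action == "Set value" and re.search(r"\\currentversion\\run(once)?\\", p):
        return Finding(ev.process, "T1547.001", f"Run key {_leaf(ev.path)} -> {ev.value}")
    # 0 = elevate administrators silently, which is what the report's row shows.
    if p.endswith("\\policies\\system\\consentpromptbehavioradmin") and v == "0":
        return Finding(ev.process, "T1548.002", "UAC consent prompt disabled for administrators")
    if p.endswith(("\\policies\\system\\disableregistrytools", "\\policies\\system\\disabletaskmgr")) and v == "1":
        return Finding(ev.process, "T1562.001", f"{_leaf(ev.path)} enabled")
    # Any write under HKLM\SOFTWARE\Classes\<ext>file changes how that file class is handled or shown.
    if re.search(r"\\classes\\[a-z0-9]+file(\\|$)", p):
        return Finding(ev.process, "T1546.001", f"file class modified: {ev.path}")
    if ev.action == "File opened for modification" and p.startswith("\\??\\physicaldrive"):
        return Finding(ev.process, "T1542.003", f"raw disk opened for write: {ev.path}")
    if ev.action in ("File created", "File opened for modification") and "\\system32\\" in p \
            and _leaf(p) in _ACCESSIBILITY_BINARIES:
        return Finding(ev.process, "T1546.008", f"accessibility binary replaced: {_leaf(ev.path)}")
    return None


def triage(rows) -> list[Finding]:
    """Parse every row and keep only those that map to a technique, in input order."""
    findings = []
    for row in rows:
        ev = parse_row(row)
        if ev is not None:
            f = classify(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.technique}  {f.process:<12} {f.detail}")
```

Running it over the eight sample rows yields seven findings (the LogonUI.exe row parses but is dropped), and the Winlogon rule is written as a comparison against the known-good value rather than a pattern on the malicious one, so it also catches Shell values this sample did not use.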
Processes

Only three depth-1 processes and chrome.exe's children survive in this capture; the wscript.exe, MEMZ.exe, MrsMajor2.0.exe, takeown.exe and icacls.exe activity recorded in the signatures above does not appear in the tree below. The submitted target is a .json file, and the tree opens with cmd /c handing it to OpenWith.exe (the Open With dialog host), while the NTFS ADS rows above show chrome.exe downloading windows-malware-master.zip during the run.

C:\Windows\system32\cmd.exe  (PID 4224, depth 1)
  cmd /c C:\Users\Admin\AppData\Local\Temp\trivia.json
  - Modifies registry class

C:\Windows\system32\OpenWith.exe  (PID 792, depth 1)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5016, depth 1)
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  chrome.exe  (PID 4028, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffbe936cc40,0x7ffbe936cc4c,0x7ffbe936cc58

  chrome.exe  (PID 2032, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1828 /prefetch:2

  chrome.exe  (PID 1852, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1440 /prefetch:3

  chrome.exe  (PID 2096, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2452 /prefetch:8

  chrome.exe  (PID 1284, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3256 /prefetch:1

  chrome.exe  (PID 712, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3312 /prefetch:1

  chrome.exe  (PID 1664, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3792,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4364 /prefetch:1

  chrome.exe  (PID 3872, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4704 /prefetch:8

  chrome.exe  (PID 3828, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4620 /prefetch:8

  chrome.exe  (PID 3520, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4964 /prefetch:8

  chrome.exe  (PID 4676, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4996 /prefetch:8

  chrome.exe  (PID 3416, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4732,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4980 /prefetch:1

  chrome.exe  (PID 4156, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3416,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3432 /prefetch:1

  chrome.exe  (PID 4484, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3780,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3268 /prefetch:1

  chrome.exe  (PID 3376, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4480,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4692 /prefetch:1

  chrome.exe  (PID 1652, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3436,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4608 /prefetch:1

  chrome.exe  (PID 3016, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4980,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3468 /prefetch:1

  chrome.exe  (PID 1048, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=224,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4904 /prefetch:8

  chrome.exe  (PID 2824, depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3504,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4332 /prefetch:8

  chrome.exe  (depth 2)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5164,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3788 /prefetch:8
- NTFS ADS
PID:1992
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5148,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5212 /prefetch:12⤵PID:1396
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4704,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3540 /prefetch:12⤵PID:3664
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1160,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4796 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4556
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4316,i,12862722968551229133,16373624052898712065,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1492 /prefetch:82⤵
- NTFS ADS
PID:5064
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID:536

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID:2900

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:2732

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\ILOVEYOU\LOVE-LETTER-FOR-YOU.TXT.vbs"
  PID:2776

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MEMZ\Geometry dash auto speedhack.bat" "
  PID:2720
  C:\Windows\system32\cscript.exe
    cscript x.js
    PID:2536
  C:\Users\Admin\AppData\Roaming\MEMZ.exe
    "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3372
    C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID:1800
    C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID:5020
    C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID:4984
    C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID:1912
    C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /watchdog
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID:5040
    C:\Users\Admin\AppData\Roaming\MEMZ.exe
      "C:\Users\Admin\AppData\Roaming\MEMZ.exe" /main
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:3300
      C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" \note.txt
        - System Location Discovery: System Language Discovery
        PID:3456
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of SendNotifyMessage
        PID:3032
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbe8f33cb8,0x7ffbe8f33cc8,0x7ffbe8f33cd8
          PID:4288
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
          PID:4572
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
          PID:3584
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
          PID:3804
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
          PID:4996
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
          PID:4804
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
          PID:2676
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
          PID:3852
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
          PID:3696
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
          PID:3036
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
          - Suspicious use of SetWindowsHookEx
          PID:400
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
          PID:2888
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
          PID:3524
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
          PID:2724
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
          PID:2700
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
          PID:3760
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
          PID:4284
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
          PID:4924
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
          PID:2628
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
          PID:4524
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4584 /prefetch:2
          PID:1008
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
          PID:2996
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,7299981449181742005,7115683849326646631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
          PID:1008
      C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        - System Location Discovery: System Language Discovery
        PID:948
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+buy+weed
        PID:1004
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbe8f33cb8,0x7ffbe8f33cc8,0x7ffbe8f33cd8
          PID:2196
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus+builder+legit+free+download
        PID:2984
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbe8f33cb8,0x7ffbe8f33cc8,0x7ffbe8f33cd8
          PID:560
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=john+cena+midi+legit+not+converted
        PID:2772
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbe8f33cb8,0x7ffbe8f33cc8,0x7ffbe8f33cd8
          PID:3508
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=internet+explorer+is+the+best+browser
        PID:3024
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbe8f33cb8,0x7ffbe8f33cc8,0x7ffbe8f33cd8
          PID:224
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:2824

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:2044

C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x0000000000000474
  PID:4664

C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 2.0\MrsMajor2.0.exe
  "C:\Users\Admin\Downloads\windows-malware-master\windows-malware-master\MrsMajor 2.0\MrsMajor2.0.exe"
  - System Location Discovery: System Language Discovery
  PID:4668
  C:\Windows\system32\wscript.exe
    "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9D3E.tmp\9D3F.vbs
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies Control Panel
    - Modifies registry class
    - System policy modification
    PID:2684
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cd\&cd "C:\Users\Admin\AppData\Local\Temp" & eula32.exe
      PID:1980
      C:\Users\Admin\AppData\Local\Temp\eula32.exe
        eula32.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID:3128
    C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe
      "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:3288
      C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\E1AA.bat "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe""
        - Drops file in System32 directory
        PID:2116
        C:\Windows\System32\takeown.exe
          takeown /f taskmgr.exe
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:4200
        C:\Windows\System32\icacls.exe
          icacls taskmgr.exe /granted "Admin":F
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:3880
        C:\Windows\System32\takeown.exe
          takeown /f sethc.exe
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:1620
        C:\Windows\System32\icacls.exe
          icacls sethc.exe /granted "Admin":F
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID:244
    C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe
      "C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:4732
    C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" -r -t 5
      PID:4184

C:\Windows\System32\PickerHost.exe
  C:\Windows\System32\PickerHost.exe -Embedding
  - Suspicious use of SetWindowsHookEx
  PID:4004

C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa3955855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:456
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
  Pre-OS Boot (1)
    Bootkit (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  File and Directory Permissions Modification (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (5)
  Pre-OS Boot (1)
    Bootkit (1)

Downloads
-
Filesize
10KB
MD5a395328daa4e77fbb1356bce0d115722
SHA1e379d2419be03a1337e3364014c5a92aec864244
SHA2561ed44a8b0d956f68efbf62559f0195f25a261ccb99e11f8e88a03542742b5f48
SHA5125e5441f4e82d233a762e23f3bd802e3ac5d725ced59000ae83b0289568b67daa0a38b47b9af3c68095a6de2472da12ff3391a59b611696bb22835df35393dbc1
-
Filesize
9KB
MD500220cb7eda4d371d947c6abb11fd9f3
SHA13ec8ec13b9cf16f4c5d857679e94481e375b77b3
SHA256fe202e8f51b9d1b0bc4c827c204bd7a8ce7548a504b41904c8800416adb0b156
SHA512593fedf688ac8de2d5135dce2145714a401eb78a3464f79bc6122e0037f107f4399d688178a6a416baf132df4993482ec41a53ad866460e51402c9b3cfea502a
-
Filesize
10KB
MD581b01de7c65f75af167af396d1a43dc5
SHA13ea56454e17a291323f711418fe96a48fb082a50
SHA256658df2431c8b3e29851dbe7161a575ce7680b98ffa1150d820dea6ad04959bd3
SHA5123c7c163673def895a0586d97c2f7ac89288bfb6810abb3e7a4208a677871b8bbc308ea748efd0bd182fe0e7582ae2811df9f4a749150c8fd2c19c257e025f230
-
Filesize
10KB
MD544dea07c66a1e4eb4a03ea00a1e2fa3a
SHA14861c0c519d28f01fa7128aab29ea4b06179dccb
SHA25636886ca9f9d0990afcb0c39510e052c2c5a956e8151e52fbc7ec69b2dfa479f2
SHA5121cb2a8ed096d8cbd5d6e77e421aea40bd579c4a1252d0a5be15547859b36a8712626c4032789acba2f6248029c23a62af97644e05579437a434ba822a528b990
-
Filesize
9KB
MD52a8fbc0ae790da20a889ee3fde279fd8
SHA192941e6d65d2611475beb1c97467b7c14d5947d2
SHA25608beffbacc9ba04c5b5298df9c5c2f55e3fbee136fa2132c65f2ad52c5d7ecf8
SHA5127b3005947333062e34aa885063f6bba9f57e5b420c5f475357fc6b324dbd1731b47c3f2fa172b36d11b988e8ea6618d34d2bf51ee8668a441c7b74f83636575d
-
Filesize
11KB
MD523aad183b8621b991512ad22f95b36fd
SHA1d87514553762123cc9763c86ebfcbc880d94f9a2
SHA256bbdedc6cc2e6206f0a6a1654edccac822dd0cf6b19f58bde7dd3ee59574d25d0
SHA512b321853bd459f5511a75a46a25eb3ab77e814bc6807323bf1b0fe19fccfbce5af2ccf160c4e3d89d4673b84e94aa7e955eee28b3ef3c34f7e467d2810af305e3
-
Filesize
15KB
MD56667074e11334098b6fed83a080b2116
SHA19fae1c00f978feecc58d4b1fd11d469f092414c4
SHA256cb22dfb70ee02cdb8f11feb99c5e9d6d2715c8a9e65e8d10553de2a2e3232175
SHA512a93a82c508e6080c7ede7f234dc00a615f9224983fbac56e9d0ce7c5a37ae2aecfb99f79b521ede35b06ec4f844adad6ef525d5163b5d6d2cfe523c2ba9dfa0a
-
Filesize
213KB
MD55fe66e55816e9611e3f3ac2bd8390aab
SHA1020732d462ac4f133bb39783df806bc88c34c44d
SHA256b09dd7a35f5b703a96c401d922815973be07bc106fbbaf4499bd5d28790ad8b4
SHA51200bee3cc717939833e45971edd9e4bc77cfc3255984e5abe917cb3839d888589aee08e9ceb5ef9d8a60fa881266485f421381e3d4bfba2e42b7a4c4dba58c63b
-
Filesize
213KB
MD567f1a23733e9638cfe4e7d22dd9384b4
SHA13793911a8771789a6ef1311dd6aa70467caaa64e
SHA256af859cfb82ed8abb4956b07a9a950c2b8771dc06a24e0cee9971f2d5156fce22
SHA512aab8a9140e75213a2f1da6c41eb64ca348b373434e011cea675705fb460c68bc0cc929863004dce480f4d0401487adf2f8eab3b790984f2a717434d5306903a7
-
Filesize
213KB
MD54ce91f3a64cde09e3dbcb8af4d92a393
SHA1fdc015a1f3de1e787371e114e61ce78e4b055494
SHA2560b7ec0c6ca8998c93b11e90255a90ea62233fd5623e3c916c0aacfea24a88f04
SHA5129f00352db5c141b43e1cd4302857df3f867b20823da6666b31926f491c751caa24b9e8df9965b243c5e8c56f607ac0a0823555dc0716da71c27db58bd3c30458
-
Filesize
214KB
MD5b7aa096a22f63d7d070b47955e664c06
SHA18aa8201799d07a709f8c8c86fa3f4ed541e75ddf
SHA25677e2530a8888d2635a0f204091ad6d69301a410824aee56bb2591f8fc755eec9
SHA512a9ff49e4c92771b69bb32fdf2cf209d7eb78c21a9dac5655bc5fca99e80a6e70077d8987ee3a9604092bd6899e9ad93eccad07b5460e247555db4a06209ef43c
-
Filesize
213KB
MD5b8c9c0885b7d9c187c7162965d930cf0
SHA14142f55b7515d946cffabf386938622177ac205d
SHA256c31040a69b13519c830d7790d27ae0f5d78161ffa000c4633cf1e7ec0ef67bdd
SHA51292e93037d742b2c837bbdd9d2513d3d8faee33f6625f433c88103dbd083cfccb894149d253b69e9c8e3c234a7d69d71718438255e36e1c9d0500a7b083617231
-
Filesize
270KB
MD51ebe1fda4610ae824d00469f6d64011a
SHA1173321438de4e486ce53a931fb2caa327e48d8f1
SHA2562a8c7290e0fe0e893ac76d5be6f89d24e087cfe92b558c7ef8b8aa68bc8c00ce
SHA5121651239ffd0cd219b25aaffe7cb0cd7693dc823bd278c875e9b02813ba52e24678b517a35103ed99a0e1815241b5006d0f0edf4aae77e41a43f7c2ace93abe28
-
Filesize
232KB
MD5acdd7cae8fc40ae904aadd40393af1ee
SHA135b42622a094ead93cb32070ff45b96bbd72752c
SHA2568e3333896656ee4a462036019b500c96a77328eb4e41063ce773b4cb7c0bf34b
SHA51255e73f43fca62b7ac2edbcbae5b4d3e3128f0a3e5850157c52aac8b5c702ec7c4b7e3736512c403a86ffe0fd2bcd5ab3a9814f1a5daa3d10cc7dd7a7cf8b39d2
-
Filesize
264KB
MD559d590575e421ceeddc90855bf513a17
SHA1b9222fa44930596d35f05f630d58360ad97599c0
SHA2566457e15d11b76e9a24b2a13dffd4a903065b8a27dd12b167f3813fc867d205ad
SHA51205c5e7870515db9ee28c7ac48c14ef610d80c5b75f5b32f8af5fab1b5d46078ab650056ea25eae717d930f02d5c352ee11f16b563b18b00d10e34244f475aa39
-
Filesize
152B
MD53e681bda746d695b173a54033103efa8
SHA1ae07be487e65914bb068174b99660fb8deb11a1d
SHA256fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2
SHA5120f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8
-
Filesize
152B
MD59f081a02d8bbd5d800828ed8c769f5d9
SHA1978d807096b7e7a4962a001b7bba6b2e77ce419a
SHA256a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e
SHA5127f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7738c9b6-37b2-46e1-af8f-c3eb25a9b175.tmp
Filesize6KB
MD511b2ca3bd8ad4866f6b3c9d4bbc4d471
SHA15a9f5320168f2ad2773242a4360c65dfe55f5651
SHA25673f162b49f563b39ffd5d7dd66aa2d5beb0f9a7c5d4fe3b19ccd65f9a08d7886
SHA512fc567ae371cb5d93c9e3ecc383c37cc1c8fc8df8058db18738823e8fc0f850cc675658f82610bb6a351045172cf0cc36ec789c16c948adc017039d92d4d1b9d4
-
Filesize
213KB
MD5f942900ff0a10f251d338c612c456948
SHA14a283d3c8f3dc491e43c430d97c3489ee7a3d320
SHA25638b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6
SHA5129b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize144B
MD5844c689c0629cf45502da030c1542080
SHA1d118f5306cc1e960b8b8132d1ee3705bfa7b73e0
SHA25687317e34ca6a506841fb7aa840d1dd0098a00c8a6b16d79fe2fbb1c599aa553f
SHA512cfe94323c507ed9c6a22cc0a8fbb25bdee4a338cb9c362fbb036f15efba273e252752b2a985c09b8155bc018aa7c7d4a3b8ccdc22a7f4fc2759f2a3446b9a370
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize168B
MD5e4f750fb83b59dc3821d4e66809f0717
SHA14ba405a501f5df883ad0677b00494f36003c1a9c
SHA256aa26eeb9dde387b593701808a23ad8641767acebfc4d3afe9f5ec87fcac6bb4a
SHA512a5ae2f33ce189c7c12d304d0348c9f7388a2aa109f441d8f9309c5c33dba3f12bd4bec2f58a26c033df85dd30570c6c7535db33c8ae77b0241088dd42d58e4f9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize168B
MD5a0271f7bba01596216657746321dda89
SHA1156a2586634b223518cd5bc9d048c3fd6127595f
SHA256c8876fff922941c0a2d160e55d675f378266f4898469e8d10ff4b97608123837
SHA5124f49130c16460d9b49c2509e8f2594f5a045d89c67129d0b6886bf4200f63ab28261cde265a18046c6d47c3723b8e471a8fdd16eedebfd5de8654a0b4d9be3a9
-
Filesize
783B
MD55246f2e6dcb004da15dccefcea9c19bc
SHA1095c70bea9c65ae85d9c115e222a74f93eb39b38
SHA2563d8d7f74d5a34301628fee575bc01a3dcb24d86169785c949c5072669795c969
SHA512d2633343cdf6c9692054d6e2229031ec95c744d7888e321d2bec0d01c00bd58493a79549b11b819fa2d4c79ea580d4067670a21a7c3c23e2ff14dbfc59f24e22
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
6KB
MD595a061ba99297596c933d764428e3811
SHA17e80bcb645fbeacf86beb39a0867b5b10542fef5
SHA256bedb264c1945a845706853973386e80ced077352defe61a83ee0fb50f9234389
SHA512f2dc975e1abf2fe1523fd02d619feafcd4a369117be783132c439d4bd0f848c814916d52f6b13953a0c69a261bc5b94040eb779c9fc64977c429699b99285148
-
Filesize
5KB
MD5adee605e2b53a6b8b226ee994a459613
SHA17e7a92d030cd440ecc3ffc74f9b41d2c33482263
SHA2561ae38015d24dc60b20f19171201103dcb8cd982fa56c20cf558dafa5125d082c
SHA512e1f902b913f06d7897635ad67190a4941c50701f3c2498385ff2bdce1f935250cac70f6bfa94a6c1ccae9214b10f0d0c53bf9f487e039eb3dd5dd56eac347e60
-
Filesize
5KB
MD5644576e835042e225e48139b8ce6b73c
SHA17804847a27a5d045f81211d6f136d13c3b3030a9
SHA256178fdcf254a13316a93f0de2db1a73e0584222d8e2ec5809f209bc268ed283fc
SHA512a4d303ebab612a99a17dfd2a005615395e28a757fd952ba8e7b884d14357167fd6c756b70fe5c86cf5b14058a32d1e6a2036ef633166321878168876acd5ae9f
-
Filesize
6KB
MD575502b18ce2d63c80309edb88be11e13
SHA113e44a88f6bfec103c58739f49a18034dd9e6f21
SHA2560ddf807321c73bc38409999292428bdde488522e26c0d9b1ef59d525dd7358ef
SHA5125e75e41bff4e205816b6f3003aed4e56acc06c088f3733a5c764d455697b1e93ef532d3bfc0a45dbd438c7d59309a6a919603d1b0d23d5aaf43d347dc4cd9fe6
-
Filesize
6KB
MD59eec6d9a5e5b4c22bf185dad15007f9a
SHA1447f59a4f400c4c343d9fd318e0600766a72a994
SHA2562ebb4c41b086be836abe531b344214b42718b9f77f7c775bd80287011e963854
SHA5126d0e50abf5a888d5013555c2d960e057e9c6b542f1106e8b4cdd7887ead96e7b77286e5f22c8d29357cd2327272a27edab56c4870592774c263a0f3968a5a731
-
Filesize
6KB
MD52909dac263297997fc1685240829ea30
SHA1eda91698968f438c66f3df194e42ba6e9920aedf
SHA256c4db296ada6293fa416e169f3124d7934521f8d351daac60fa7722767a7ae159
SHA51285ac5f615050e00f2f895eef94d7970a1713863047bd22dbff4762f6796d3c0bc7b770f1314580e93adf349bf5602deb081d94bbf3c88c10d46bac1ca0b461aa
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD59310b77ae4b3d4f92363254499a2c16c
SHA1a0540fd89a0950775a68ac322c7eb08d1ecc4717
SHA256e588be3dc63db4e0a1159b26e93b521529f7104d8f9b91b1cba0db495b7d8afc
SHA512fb3aa52076e6c202ad9bf20097c5847aaaaa1383c335e657b244d972b793677a336410779d3e150fd6671ca55b68d52243cf64554fc70a9756f65bb015e9b756
-
Filesize
10KB
MD5072229b584346b596b2936ef32320c9a
SHA1bf6ac93de38cb69257bc7c748a84756a7f34dc76
SHA256a101f167af79b94b1097c7b8651253144cfa5d8e3b5268250b043847e37fce0a
SHA512ab08a9f7f90d59464148ce46b86c01799c99eeca0c443b1484d1138aa206f4cdfbc28d0ecbad23deff6d26d9b165099586569297cb0a5b7b609c746e93347dc0
-
Filesize
11KB
MD5e7f79445482bfd51ed8a66cfb9256e36
SHA150eeaacc2f66ecdbd8f675e2486e3200db80d902
SHA256ffb89270d24dda1b2b38909cfd05fd098b3f4058e52c06d2a36923a55d36b30e
SHA512f91c8395e15678353a67b791f38205c3aeaaf13be5f4239484d303ae48b110e36cc026cb2c60876468f52ba2aa00dc57aa03aabece365dee64891e790ac9bb6f
-
Filesize
11KB
MD5faf9f1fd10596467a6761d485991d031
SHA18169c8818cb02193734d9e75d830ef10ea2f42ef
SHA25654edeb85375cd52183442e62fe5a43e2eb41668e21b9ecd0b180ea6a0269e647
SHA51229cff2a8b813feb5d7a74fa9bafeb66cecb559fc9603964bb5fdcaecc0eb6cf3c3a7f7d48e87b4188eb67f33d1c8dbeaf53ff8ca9852f4dbb9a6bf1b273c48c4
-
Filesize
11KB
MD59bfdfb6167ab42e9345329a7a622f1c7
SHA1ebc400bec41b9e09ff83b2a0b3dee3fa0e9c063b
SHA256c15cfd7cc089597e72bc9de56f3a61fd244ae30e95f4a38b95299608532ba5a6
SHA5127be92c4e666fac91131ab2c07abc9428329fe78975facf8cd2af61b1e7cda70751bf882049f7757b044f1b9bf70ba469248135f4a076307589f9fd6b4253a7f0
-
Filesize
10KB
MD5197d950d04a7365bb36c91d3ac2514c0
SHA18cf9f0fdf1d930bb84d2ee81141bd3aadf128f8e
SHA2562b849554517a6102e340a7daf4a0418f014a5d8d0516496ae78d52d21c85d53e
SHA512bf9da326f9547385a05f5b13ef489b14306fb39979828126e1f5c0677a69e14c4497111348703222b13303f9558c197a8a64c58dc632032a49e1661942ed8793
-
Filesize
2KB
MD5fd76266c8088a4dca45414c36c7e9523
SHA16b19bf2904a0e3b479032e101476b49ed3ae144a
SHA256f853dddb0f9f1b74b72bccdb5191c28e18d466b5dbc205f7741a24391375cd6f
SHA5123cd49395368e279ac9a63315583d3804aa89ec8bb6112754973451a7ea7b68140598699b30eef1b0e94c3286d1e6254e2063188282f7e6a18f1349877adeb072
-
Filesize
671B
MD5d4e987817d2e5d6ed2c12633d6f11101
SHA13f38430a028f9e3cb66c152e302b3586512dd9c4
SHA2565549670ef8837c6e3c4e496c1ea2063670618249d4151dea4d07d48ab456690c
SHA512b84fef88f0128b46f1e2f9c5dff2cb620ee885bed6c90dcf4a5dc51c77bea492c92b8084d8dc8b4277b47b2493a2d9d3f348c6e229bf3da9041ef90e0fd8b6c4
-
Filesize
388B
MD55f9737f03289963a6d7a71efab0813c4
SHA1ba22dfae8d365cbf8014a630f23f1d8574b5cf85
SHA256a767894a68ebc490cb5ab2b7b04dd12b7465553ce7ba7e41e1ea45f1eaef5275
SHA5125f4fb691e6da90e8e0872378a7b78cbd1acbf2bd75d19d65f17bf5b1cea95047d66b79fd1173703fcfef42cfc116ca629b9b37e355e44155e8f3b98f2d916a2a
-
Filesize
58KB
MD5bcb0ac4822de8aeb86ea8a83cd74d7ca
SHA18e2b702450f91dde3c085d902c09dd265368112e
SHA2565eafebd52fbf6d0e8abd0cc9bf42d36e5b6e4d85b8ebe59f61c9f2d6dccc65e4
SHA512b73647a59eeb92f95c4d7519432ce40ce9014b292b9eb1ed6a809cca30864527c2c827fe49c285bb69984f33469704424edca526f9dff05a6244b33424df01d1
-
Filesize
1.2MB
MD58f6a3b2b1af3a4aacd8df1734d250cfe
SHA1505b3bd8e936cb5d8999c1b319951ffebab335c9
SHA2566581eeab9fd116662b4ca73f6ef00fb96e0505d01cfb446ee4b32bbdeefe1361
SHA512c1b5f845c005a1a586080e9da9744e30c7f3eda1e3aaba9c351768f7dea802e9f39d0227772413756ab63914ae4a2514e6ce52c494a91e92c3a1f08badb40264
-
Filesize
1.2MB
MD5cbc127fb8db087485068044b966c76e8
SHA1d02451bd20b77664ce27d39313e218ab9a9fdbf9
SHA256c5704419b3eec34fb133cf2509d12492febdcb8831efa1ab014edeac83f538d9
SHA512200ee39287f056b504cc23beb1b301a88b183a3806b023d936a2d44a31bbfd08854f6776082d4f7e2232c3d2f606cd5d8229591ecdc86a2bbcfd970a1ee33d41
-
Filesize
58KB
MD587815289b110cf33af8af1decf9ff2e9
SHA109024f9ec9464f56b7e6c61bdd31d7044bdf4795
SHA256a97ea879e2b51972aa0ba46a19ad4363d876ac035502a2ed2df27db522bc6ac4
SHA5128d9024507fa83f578b375c86f38970177313ec3dd9fae794b6e7f739e84fa047a9ef56bf190f6f131d0c7c5e280e729208848b152b3ca492a54af2b18e70f5dc
-
Filesize
483KB
MD57907845316bdbd32200b82944d752d9c
SHA11e5c37db25964c5dd05f4dce392533a838a722a9
SHA2564e3baea3d98c479951f9ea02e588a3b98b1975055c1dfdf67af4de6e7b41e476
SHA51272a64fab025928d60174d067990c35caa3bb6dadacf9c66e5629ee466016bc8495e71bed218e502f6bde61623e0819485459f25f3f82836e632a52727335c0a0
-
Filesize
93B
MD526ec8d73e3f6c1e196cc6e3713b9a89f
SHA1cb2266f3ecfef4d59bd12d7f117c2327eb9c55fa
SHA256ed588fa361979f7f9c6dbb4e6a1ae6e075f2db8d79ea6ca2007ba8e3423671b0
SHA5122b3ad279f1cdc2a5b05073116c71d79e190bfa407da09d8268d56ac2a0c4cc0c31161a251686ac67468d0ba329c302a301c542c22744d9e3a3f5e7ffd2b51195
-
Filesize
14KB
MD519dbec50735b5f2a72d4199c4e184960
SHA16fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize9KB
MD52bd80d8934b6bfbbe1dc2aaf1543a0b3
SHA1f3515e3ce85722f6e4d1a1471a9a9c83d9a3ae45
SHA256c20411c3ba645c96fcada1bb8c11b0882ff4d72ddf644e621011923d0c8911d8
SHA512112cf656403ee56da86695e80d03ff81a0024234f287b0d75a5a6306b7cb053c7880c8c7f010e62ad5e5ab0bb0d9e4270dd8abf2f670d8b8ea52155d30fa09ae
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize11KB
MD580e7e51df0c50f171aebe19eef8537a7
SHA10a59b75f12812e935f1232d86780e59d80e9e4dd
SHA25610d6ea22f17b3c21006bb31d951261649278cdd2a029796cd3043b3b810444a3
SHA512596383c9226ff6fa83489d75173517f20d56eb35c89f523f22eff63c0c4018c3ec9eccc59a399b6c0bdcaa8a77937f1c62518b2501f319a1384ee31803128298
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
936B
MD53c761ce22476d04f0477812caf5b7100
SHA1abcf13660825139c4ffe61aaded89f092e651782
SHA256401224fc27c1d33940d36dbc8b9a57a282142c345cf49736d89342ebcc7afd09
SHA512cc30d7ad2a2ee846b0cb97a4a9bf2211293606291ddcb683d5142ebae546b5168b2143e607de8af6b8aacba3601d0e1753caa14db86e1bb6974636052c1ab6c6
-
Filesize
2KB
MD550ac8ce2c235e0d9689861187532ee1b
SHA1df8e996a965fdd2b4f31af50434139f649075fb4
SHA25635306b156d60242156557abd95ac2ca42f2b595c2dab8603e34f6c4b477c8f3a
SHA5126579f7dfb7a9f06b3b72f7e6fef3fbd18cbc6184e8a78de5e957fc68b63a4cbc7155ccdd10fa6c6fd57f69a7834264c030205417a218587a323dbcc9f2f55ccf
-
Filesize
4KB
MD54263d002b6a51d6c594b0bfe3cdf8b6b
SHA1114ff8eed68be7aa0bbe3595c247dc76732efe54
SHA256f6af1c2b2933eb1981a5efce41078358adb8c90702001b1b1cbe17db0536d30e
SHA512a808e9bd6fc818b8dc0b177e1ca6640992a523221dfb57ab1394522303b0c7d609053a9c48eef5876d0f61b8d55290554f38864b48def9451869e1a1c10d6df4
-
Filesize
11KB
MD51882f3dd051e401349f1af58d55b0a37
SHA16b0875f9e3164f3a9f21c1ec36748a7243515b47
SHA2563c8cea1a86f07b018e637a1ea2649d907573f78c7e4025ef7e514362d09ff6c0
SHA512fec96d873997b5c6c82a94f8796c88fc2dd38739277c517b8129277dcbda02576851f1e27bdb2fbb7255281077d5b9ba867f6dfe66bedfc859c59fdd3bbffacf
-
Filesize
448B
MD58eec8704d2a7bc80b95b7460c06f4854
SHA11b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
SHA256aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
SHA512e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210
-
Filesize
8KB
MD563ee4412b95d7ad64c54b4ba673470a7
SHA11cf423c6c2c6299e68e1927305a3057af9b3ce06
SHA25644c1857b1c4894b3dfbaccbe04905652e634283dcf6b06c25a74b17021e2a268
SHA5127ff153826bd5fed0a410f6d15a54787b79eba927d5b573c8a7f23f4ecef7bb223d79fd29fe8c2754fbf5b4c77ab7c41598f2989b6f4c7b2aa2f579ef4af06ee7
-
Filesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e