Analysis

max time kernel: 79s
max time network: 75s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15/10/2024, 22:54
Static task: static1

Errors

General

Target:
Size: 14KB
MD5: 19dbec50735b5f2a72d4199c4e184960
SHA1: 6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256: a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512: aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP: 192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Malware Config

Signatures
Writes to the Master Boot Record (MBR) [1 TTP, 1 IoC]
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0 (process: [email protected])
Enumerates physical storage devices [1 TTP]
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery [1 TTP, 3 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: [email protected])
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: [email protected])
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: notepad.exe)
Checks SCSI registry key(s) [3 TTPs, 3 IoCs]
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (process: Taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (process: Taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (process: Taskmgr.exe)
Enumerates system info in registry [2 TTPs, 6 IoCs]
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
Modifies data under HKEY_USERS [42 IoCs]
All 42 modifications were made by LogonUI.exe under \REGISTRY\USER\.DEFAULT:
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"
- Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
- Key created: \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
- Key deleted: \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE
- Key deleted: \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
- Key deleted: \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409
- Set value (int): \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "183"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language
- Key created: \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US
- Set value (int): \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
- Key created: \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile
- Set value (int): \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000
- Set value (str): \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts
- Set value (data): \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"
Modifies registry class [4 IoCs]
All four modifications were made by BackgroundTransferHost.exe:
- Set value (str): \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"
- Key created: \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache
- Set value (str): \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix (no value shown in the report)
- Set value (str): \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"
Suspicious behavior: EnumeratesProcesses [64 IoCs]
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [8 IoCs]
- PID 2528 msedge.exe (4 hits)
- PID 4556 msedge.exe (4 hits)
Suspicious use of AdjustPrivilegeToken [8 IoCs]
- Token: SeShutdownPrivilege, PID 3608, LogonUI.exe
- Token: SeCreatePagefilePrivilege, PID 3608, LogonUI.exe
- Token: SeDebugPrivilege, PID 4980, Taskmgr.exe
- Token: SeSystemProfilePrivilege, PID 4980, Taskmgr.exe
- Token: SeCreateGlobalPrivilege, PID 4980, Taskmgr.exe
- Token: SeShutdownPrivilege, PID 3488, [email protected]
- Token: SeShutdownPrivilege, PID 3996, [email protected]
- Token: SeShutdownPrivilege, PID 924, [email protected]
Suspicious use of FindShellTrayWindow [64 IoCs]
The report repeats the same three processes for every hit:
- PID 2528 msedge.exe (repeated hits)
- PID 4980 Taskmgr.exe (repeated hits)
- PID 4556 msedge.exe (repeated hits)
Suspicious use of SendNotifyMessage [56 IoCs]
The report repeats the same three processes for every hit, in this order:
- PID 2528 msedge.exe (repeated hits)
- PID 4980 Taskmgr.exe (repeated hits)
- PID 4556 msedge.exe (repeated hits)
- PID 4980 Taskmgr.exe (repeated hits)
Suspicious use of SetWindowsHookEx [64 IoCs]
Suspicious use of WriteProcessMemory [64 IoCs]
Each entry is "source PID wrote to memory of target PID" with the source process name and the report's procid_target; identical entries are collapsed with a hit count:
- PID 1876 wrote to memory of 3996, [email protected], procid_target 81 (3 hits)
- PID 1876 wrote to memory of 2800, [email protected], procid_target 82 (3 hits)
- PID 1876 wrote to memory of 924, [email protected], procid_target 83 (3 hits)
- PID 1876 wrote to memory of 4964, [email protected], procid_target 84 (3 hits)
- PID 1876 wrote to memory of 3488, [email protected], procid_target 85 (3 hits)
- PID 1876 wrote to memory of 112, [email protected], procid_target 86 (3 hits)
- PID 112 wrote to memory of 2240, [email protected], procid_target 89 (3 hits)
- PID 112 wrote to memory of 2528, [email protected], procid_target 96 (2 hits)
- PID 2528 wrote to memory of 3552, msedge.exe, procid_target 97 (2 hits)
- PID 2528 wrote to memory of 4648, msedge.exe, procid_target 99 (39 hits)
Processes
(Indentation shows the parent/child nesting of the process tree.)

C:\Users\Admin\AppData\Local\Temp\[email protected]
  Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
  PID: 1876
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]" /watchdog
    PID: 3996
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]" /watchdog
    PID: 2800
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]" /watchdog
    PID: 924
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]" /watchdog
    PID: 4964
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]" /watchdog
    PID: 3488
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]" /main
    PID: 112
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\System32\notepad.exe" \note.txt
      PID: 2240
      - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=is+illuminati+real
      PID: 2528
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8910f3cb8,0x7ff8910f3cc8,0x7ff8910f3cd8
        PID: 3552

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,14586805025239987156,9996680355496083710,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
        PID: 4648

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,14586805025239987156,9996680355496083710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
        PID: 848

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,14586805025239987156,9996680355496083710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
        PID: 236

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14586805025239987156,9996680355496083710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2564 /prefetch:1
        PID: 2472

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14586805025239987156,9996680355496083710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
        PID: 3416

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14586805025239987156,9996680355496083710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
        PID: 2856

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,14586805025239987156,9996680355496083710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
        PID: 3456

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+remove+a+virus
      PID: 4556
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8910f3cb8,0x7ff8910f3cc8,0x7ff8910f3cd8
        PID: 252

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,8558321436937294442,3881230867982857254,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2104 /prefetch:2
        PID: 2240

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,8558321436937294442,3881230867982857254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
        PID: 1484

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,8558321436937294442,3881230867982857254,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
        PID: 4052

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8558321436937294442,3881230867982857254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        PID: 3428

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8558321436937294442,3881230867982857254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        PID: 3928

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8558321436937294442,3881230867982857254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
        PID: 1180

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,8558321436937294442,3881230867982857254,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
        PID: 4400

      C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,8558321436937294442,3881230867982857254,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
        PID: 2820
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\BackgroundTransferHost.exe
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  PID: 3336
  - Modifies registry class

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2104

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1916

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa39b9855 /state1:0x41c64e6d
  PID: 3608
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\launchtm.exe
  Command line: launchtm.exe /3
  PID: 3276

  C:\Windows\System32\Taskmgr.exe
    Command line: "C:\Windows\System32\Taskmgr.exe" /3
    PID: 4980
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2820

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2000
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
693B
MD57588ac7e042a1304ad302fd6d96687a1
SHA10597695e12a2a7e2d32b084bd7e64c8f88f6fe37
SHA2564139aec76ef2abf2f4eece6e28126c3eea3e47e7f2ae5216bce176130c947f55
SHA512518a1819e563149be71da5c2dde3e7d04a3150a40b30dfe9b161ddcf3d636204d7b51942209aec72e17d66649a3b2d3c4c514c6bf432d1b5081be58e954b2830
-
Filesize
6KB
MD5c90d9447432b275b1492d84090480ed7
SHA15d9b34fa029328d56a963fc42db070a986fbf4f1
SHA2563fa5f9c1f643292ca94ea3bf17bd1b69e85f00b9d78ce7ae4790f32eaf4ae543
SHA5128484a897543fdaf1cb1d01f0a14be34947bd310d95277a284f0f598beb9c43ea5575a7358f28e698be1aac0a52e4fe132bdc1f2a965c5e5445c4eb1d2beada38
-
Filesize
6KB
MD586293f0fea78ca5bdbb525fbb671729b
SHA1af1ba876bd5bf0ac40ffd93d05ec5ba4b1440c4b
SHA256609e05dcda59728077832b390499571b39bb3b3eafc8a80411bd173e5514add5
SHA5129d602593d6091f53e730acc5a37f69729433cb87f2925a04c792e9bd00571706a6e31b5bf9ccbba4a30e25629cd5a4bd69e92baebdc4f9465a38f76290696e7a
-
Filesize
6KB
MD599b343a37501e6b44fa635592e50fec2
SHA1203b8636a839484f718ceea60ebbf0e2cd1c4cbc
SHA2566ab70569ff6817b753c7216d43fab35bac8b3868dc53c4f3a29509e40664c20a
SHA512aa1c4964baac70fbda853d5c74668d9c5ebcde3c26aba66c8532f483952797b4ed50139d35adbe1beefda37ec74afad776afe830719ae1e79712558d8342eb15
-
Filesize
5KB
MD5e04a758d2855cb9549098f16c05753ef
SHA1d1e04417c612813744a04e800c2898f0018bf15b
SHA2562b9b33137283d1d244eef1db26ad19c676f504abb096993f283c985e8840dc21
SHA512bac0c323414c74ee0f1f24273870fb5c1df1c0ef142ebb26cd8804dee644ae54a54f7219cf98f05a47c82effdd9637766d3101520d451e59be755dd1872a1ff8
-
Filesize
36KB
MD5d3461746c42bb5b0c150fdc01d5caafb
SHA1c349f6f8864223f018b10760df1841a6c6f188de
SHA256a9ce8518bb56e5a79aced37f39da6158349da3bd9f7abbd6c1255c7912a574be
SHA512c8c628b76a6b205e26e1a1a6afc6da6254fbe61aa1335a72bcd4c0ed20ea5f2cf323e7901e216a423270fc0ffa1332361c6b5b1be943165c1259483b4cc3e9a1
-
Filesize
538B
MD5d49f8f9b36cf3b5db7a70d648ab83017
SHA191c1e7797a68d2e94fbcddd686ad77c537aa2503
SHA256e9f6355b02940568b1a6bba848bda350f6b12fb337b5401ef19868addad9ddbb
SHA5125ad72b8fe46a4b2c22fe25f66f93a4bca8649e56638b1b4b2be6c446f1e641a61c9446cc6d7a7acf78b0219f038973e814a5767e6c70167436e9fd70a4d302e5
-
Filesize
319B
MD5a8f537899152da20d9fd70d3f3d02a97
SHA11091259d5e005ddd5d9e89ab0962a2945a737415
SHA256fe7c3f5fd3e940f09caf329c06d02d0a3cc0b5e8e3dcd67c437e5476a32173d1
SHA512803e41b9823253d2fea2915d058e094512775218bb84112d4d0096d9b390d8bc742764f06a57044adff582f09d0a9a9079925b1acdf8d4a90f2bac44499cb389
-
Filesize
3KB
MD514afd3c4073140796a4fa0c6c900c83a
SHA103abb975c9a5df18f5b92da6ee4a4d289889a222
SHA25658f79a5e484ad72c60411860c4b49d096e4cad1367dfa434992241ae58814a6b
SHA5124903f2ddd8c7e19e326b52ecba0e7da5db6fdcf1593e72c476a90c3a65d5c30c2009979cc9787248f325b38add0e4d6ffc55142ee914f848e9f0c30da97d3a5a
-
Filesize
1KB
MD50259baa143d0461f809bb048453868ee
SHA1d72e01a34cae357ca8d3e11696273e9eaf12506a
SHA256fadab36da4a6db11b7b013546ee0d75425c82c448bcdfee84274fb4a33e5cee5
SHA512cdae5c8443ac2d3570d11a9a7f5ba2c09ca9aa9ed5b7129997037c29c36fb3a7e9fa86c768be2ab9fd63cad236ad48b58e8e7511030515f114f083c3b94fc294
-
Filesize
347B
MD554a5bcc45f2b8a77fa12362fc1507b56
SHA1ac6248686d419b652e14449dcd563d7eb5d78273
SHA2569c32b508bb0bdbab038c4a86dfd4bc452ea644e711bdea9cce628d0ba2d1339c
SHA512959cc0158ad937eb106c15ce47ec43740dd9d75229adcad966a54952b2488747c123f64623579244cfc22e67f057570dc3a4e927b461ff4873e4a6402a178d61
-
Filesize
326B
MD51d7ccee29ac1ec31cd1dddef85250ac8
SHA11f339444d658351ed14fd1c96a1d21192a2f9f5d
SHA2568a9444db2f1f550eca25a2fabc152deeb03f8be15b34fbc8c94275ac3931917b
SHA5125c007bb8dcf3d0614b5873e65623228df75192445df4689dac9299a21caeb85d048e78795a9cdf5df170d154c00f1d7af667a54eb11181751ba13e1597c538a0
-
Filesize
128KB
MD5de387c117670d3fb2cf581e55a786738
SHA1b7b91b44b494d25a1978ce5e82ea0f6fee6cdfa9
SHA2564e956983955268d7d50ebdff3382f821ec5fd7ef31b56137b5100886f8853765
SHA5127697c46cc477cdd08f858b9818194f8e1fad96b90d1c1cc39d67d355c1498e0120a9866e727784b85633600bacfbaae244fd5dc84cccb8aabb54cc7ac160583d
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
44KB
MD55c4e8f4b4bf6f9b70cff21ec62d18e75
SHA11d0c31ef95eb593dd19e5bfe8b40d874c012c794
SHA256eec510bd1c3854f0c5d668983ad88517877b0085206335ee29f94b169b91b372
SHA512db55092995c74614ac576e6e3ac16a549d2085b07a6c033c50a24cb7091170e26adc9e7cc7a13daed47d876d5654d5ed125244939649a41b9e28812964439eb7
-
Filesize
319B
MD520f6d2ca6f57c998b9ea83335ad8efb8
SHA1dcf1e5ee7ff5ddff2d75021944e40adfd48a6395
SHA256efab165460397baee1ca930d8f81b85ef25ce2cc69ccb94f01bc9b0fb7a224d1
SHA512e0e67971a561f81bbb2a1bdd9dfd746e0b7ea54faced9c6c58b719112f7ccc4aef492ee986b7aa14f03b6e1f477af6b2ac74b896ab50f641eb7cd8d307c85ce6
-
Filesize
337B
MD5e41d0f357a5a3ecd847cc9ed01b32f15
SHA16a5974b7310c986ba89a8902a3eb572b8ee42ec6
SHA256ff1399c731a93ade468ccc837b0d736188f7b8cdd8d2ed53566ed27f946e6566
SHA5123d2b24a0a966bc957e07c4e80199bd264fc2f780068d6048c3d147198115c20ea10413510b9e94559ed13715a44f796eb4d4e670c860c7276a0c239145c0010e
-
Filesize
44KB
MD56409b89cf75e99bb74a8493ab7889e7c
SHA1d736f067c5de25cbf96d6ad15e455213f7f72155
SHA2567b887118c1c4d68f64b60c2d59082bd0d00aeab529c5b9a372b845c92897c54e
SHA5123c81348c4541472fbb989cecaa0852cc9291e2c494cec4799e4682688edee38f7f0b00190c36568b1f03c443d864e207cf69ba9626a232dc85a731c4509250b2
-
Filesize
264KB
MD57c3bbc6de690f3d7f6e1361ebc6b8d38
SHA19b6fa2478f14a80b98f98c6ebe545a90b1eefbce
SHA256446f06889122199be2f303b21b2e14f0dcf7ff8add5323183afe4009ec26a717
SHA512c7c010fcbf4f65171f48c5ad179d0ad287a00ee6f8933f9cb2be3c3ce0d1363ecd5641bf12130d3d9506230a0ccf5503eab6b731cc603dd267226af520f95f60
-
Filesize
4.0MB
MD503d688d7aee88f80e816267ff056b431
SHA110d60bde7f5214ceb308df4e4585de7017046bc2
SHA256cebd4a9eca33c5c6eff06ab80356ac7dbaf87ddabf8f85e1374a08b5d3c56824
SHA5121890c79b0b278b21f4163af9a82256f7ea2df51d42113178b08a617fe3ab344f33e7c628bdf26c46b8770b0d63300fa0997728e67338c1c65f23fa43f40e39fd
-
Filesize
11B
MD5b29bcf9cd0e55f93000b4bb265a9810b
SHA1e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011
-
Filesize
10KB
MD524d898729506d0f79053a698c0972763
SHA1c895c2fda7dd1e558f0eb0ff578a47243dc1dace
SHA2564483036fae16e0b2977b7ffd8086a8b06c8bb0e37415beb691706358b0cacfc2
SHA512a3d1e674779ad55666492575c74a785c089ba327b9574eecfad8b4d3af2d987848de8c0f761d76c4d3c97f0743297fa03da323dba70c8b923257ea3d1c1691ac
-
Filesize
10KB
MD57d5712d220eeb7128a6befc22d1ea424
SHA1847f92805d63f2304cb3cf8f6ae776b6c9481f13
SHA256160683cda3b2bccd7c453c339616a1642573373626f1957b6b6078a6e176cde7
SHA512034ec0a2ab587d761f0ff0bb4ad2d2764ffb3e009815f0589945c41d14c9946d100760f7a367eec5b92c683cd512dc32f3815b73e07d5d5d6f874589251f0441
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
4B
MD5c67aca171f989bdbd5bbec4f3362aad4
SHA170cafa292b4336443301006f8c52e4d601b690d1
SHA2562ccb531bffd651a1e09825677ff8850d6b1e2377ee7952ead4ff0f44436e4b46
SHA512c53b4504987d8a4e56e6719a8836ff491466a15cea6f7dc59ea95eece8ec391280083816fd63c75356bc0727d4d4599394afae7ffdf10730f5feaef137d887db
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\7bba5e0f-cc76-4657-bcc0-0094f0bd8d35.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf