Analysis

max time kernel: 111s
max time network: 112s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64 arch:x86 image:win10ltsc2021-20241023-en locale:en-us os:windows10-ltsc 2021-x64 system
submitted: 09-11-2024 20:00

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mega.nz/file/4nlwxAqL#SRB6SE9FtsJVXmVM_OuUWGUL2GJM7t2fe08Ym2dbty8
Resource: win10ltsc2021-20241023-en

General

Target: https://mega.nz/file/4nlwxAqL#SRB6SE9FtsJVXmVM_OuUWGUL2GJM7t2fe08Ym2dbty8

Malware Config
Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

Exelastealer family

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
4652 | netsh.exe
236 | netsh.exe

Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid | Process
5856 | powershell.exe
2080 | cmd.exe

Executes dropped EXE 2 IoCs
pid | Process
5620 | Tools.exe
5888 | Tools.exe

Loads dropped DLL 32 IoCs
pid Process 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe 5888 Tools.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
89 | discord.com
124 | discord.com
87 | discord.com
88 | discord.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
80 | ip-api.com

pid | Process
5936 | cmd.exe
6068 | ARP.EXE

Enumerates processes with tasklist 1 TTPs 4 IoCs
pid | Process
5940 | tasklist.exe
2660 | tasklist.exe
4300 | tasklist.exe
5848 | tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
pid | Process
5496 | cmd.exe

resource yara_rule behavioral1/files/0x0028000000045225-410.dat upx behavioral1/memory/5888-414-0x00007FF969590000-0x00007FF969B78000-memory.dmp upx behavioral1/files/0x00280000000451f4-420.dat upx behavioral1/files/0x00280000000451fc-441.dat upx behavioral1/files/0x00280000000451fd-442.dat upx behavioral1/files/0x00280000000451fe-443.dat upx behavioral1/memory/5888-455-0x00007FF96A1A0000-0x00007FF96A313000-memory.dmp upx behavioral1/memory/5888-457-0x00007FF96A170000-0x00007FF96A19E000-memory.dmp upx behavioral1/memory/5888-461-0x00007FF969590000-0x00007FF969B78000-memory.dmp upx behavioral1/memory/5888-465-0x00007FF97C140000-0x00007FF97C164000-memory.dmp upx behavioral1/memory/5888-481-0x00007FF9690D0000-0x00007FF9690EB000-memory.dmp upx behavioral1/memory/5888-491-0x00007FF96A0B0000-0x00007FF96A168000-memory.dmp upx behavioral1/memory/5888-494-0x00007FF968870000-0x00007FF968FFA000-memory.dmp upx behavioral1/memory/5888-496-0x00007FF968830000-0x00007FF968867000-memory.dmp upx behavioral1/memory/5888-503-0x00007FF97A770000-0x00007FF97A785000-memory.dmp upx behavioral1/memory/5888-495-0x00007FF974B90000-0x00007FF974BA2000-memory.dmp upx behavioral1/memory/5888-493-0x00007FF969210000-0x00007FF969585000-memory.dmp upx behavioral1/memory/5888-490-0x00007FF96A170000-0x00007FF96A19E000-memory.dmp upx behavioral1/memory/5888-489-0x00007FF969000000-0x00007FF96901E000-memory.dmp upx behavioral1/memory/5888-488-0x00007FF97C110000-0x00007FF97C11A000-memory.dmp upx behavioral1/memory/5888-487-0x00007FF969020000-0x00007FF969031000-memory.dmp upx behavioral1/memory/5888-486-0x00007FF969040000-0x00007FF96908D000-memory.dmp upx behavioral1/memory/5888-485-0x00007FF969090000-0x00007FF9690A9000-memory.dmp upx behavioral1/memory/5888-484-0x00007FF9690B0000-0x00007FF9690C6000-memory.dmp upx behavioral1/memory/5888-483-0x00007FF96A1A0000-0x00007FF96A313000-memory.dmp upx behavioral1/memory/5888-482-0x00007FF96A320000-0x00007FF96A343000-memory.dmp upx 
behavioral1/memory/5888-480-0x00007FF96A990000-0x00007FF96A9BD000-memory.dmp upx behavioral1/memory/5888-479-0x00007FF9690F0000-0x00007FF96920C000-memory.dmp upx behavioral1/memory/5888-478-0x00007FF96A060000-0x00007FF96A082000-memory.dmp upx behavioral1/memory/5888-477-0x00007FF96A970000-0x00007FF96A984000-memory.dmp upx behavioral1/memory/5888-476-0x00007FF97C120000-0x00007FF97C139000-memory.dmp upx behavioral1/memory/5888-475-0x00007FF96A090000-0x00007FF96A0A4000-memory.dmp upx behavioral1/memory/5888-474-0x00007FF974B90000-0x00007FF974BA2000-memory.dmp upx behavioral1/files/0x002800000004522a-473.dat upx behavioral1/files/0x00280000000451f6-472.dat upx behavioral1/files/0x0028000000045220-471.dat upx behavioral1/memory/5888-469-0x00007FF97A770000-0x00007FF97A785000-memory.dmp upx behavioral1/memory/5888-468-0x00007FF9801A0000-0x00007FF9801AF000-memory.dmp upx behavioral1/files/0x00280000000451f9-467.dat upx behavioral1/memory/5888-464-0x00007FF969210000-0x00007FF969585000-memory.dmp upx behavioral1/memory/5888-462-0x00007FF96A0B0000-0x00007FF96A168000-memory.dmp upx behavioral1/files/0x00290000000451f1-466.dat upx behavioral1/files/0x002800000004521c-460.dat upx behavioral1/files/0x002800000004521e-458.dat upx behavioral1/files/0x0028000000045227-454.dat upx behavioral1/memory/5888-453-0x00007FF96A320000-0x00007FF96A343000-memory.dmp upx behavioral1/memory/5888-451-0x00007FF96A990000-0x00007FF96A9BD000-memory.dmp upx behavioral1/files/0x00280000000451f7-450.dat upx behavioral1/memory/5888-449-0x00007FF97A790000-0x00007FF97A7A9000-memory.dmp upx behavioral1/files/0x00280000000451f2-448.dat upx behavioral1/memory/5888-447-0x00007FF97D840000-0x00007FF97D84D000-memory.dmp upx behavioral1/memory/5888-446-0x00007FF97C120000-0x00007FF97C139000-memory.dmp upx behavioral1/files/0x0028000000045226-445.dat upx behavioral1/files/0x00280000000451fb-444.dat upx behavioral1/memory/5888-516-0x00007FF96A060000-0x00007FF96A082000-memory.dmp upx 
behavioral1/files/0x00280000000451fa-439.dat upx behavioral1/files/0x00280000000451f8-437.dat upx behavioral1/files/0x00290000000451f5-434.dat upx behavioral1/files/0x00280000000451f3-433.dat upx behavioral1/files/0x0028000000045228-430.dat upx behavioral1/files/0x0028000000045223-427.dat upx behavioral1/memory/5888-424-0x00007FF9801A0000-0x00007FF9801AF000-memory.dmp upx behavioral1/files/0x002800000004521d-423.dat upx behavioral1/memory/5888-422-0x00007FF97C140000-0x00007FF97C164000-memory.dmp upx -
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c7463fb2-6ffd-4419-ac8d-809398b1a0b3.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241109200056.pma | setup.exe

Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\SystemTemp | chrome.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2340 | sc.exe

Detects Pyinstaller 1 IoCs
resource | yara_rule
behavioral1/files/0x00290000000451e8-325.dat | pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid | Process
808 | netsh.exe
5932 | cmd.exe

System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
pid | Process
4168 | NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.
pid | Process
4812 | WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe

Gathers network information 2 TTPs 2 IoCs
Uses a command-line utility to view the network configuration.
pid | Process
948 | ipconfig.exe
4168 | NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid | Process
2448 | systeminfo.exe

Kills process with taskkill 11 IoCs
pid | Process
992 | taskkill.exe
5544 | taskkill.exe
3820 | taskkill.exe
4832 | taskkill.exe
6040 | taskkill.exe
6136 | taskkill.exe
5148 | taskkill.exe
4212 | taskkill.exe
5780 | taskkill.exe
5860 | taskkill.exe
3124 | taskkill.exe

Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756561197074574" | chrome.exe

NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 525939.crdownload:SmartScreen | msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 5108 msedge.exe 5108 msedge.exe 1208 msedge.exe 1208 msedge.exe 1188 identity_helper.exe 1188 identity_helper.exe 5364 msedge.exe 5364 msedge.exe 5100 WMIC.exe 5100 WMIC.exe 5100 WMIC.exe 5100 WMIC.exe 5856 powershell.exe 5856 powershell.exe 5856 powershell.exe 4812 WMIC.exe 4812 WMIC.exe 4812 WMIC.exe 4812 WMIC.exe 5992 WMIC.exe 5992 WMIC.exe 5992 WMIC.exe 5992 WMIC.exe 1592 WMIC.exe 1592 WMIC.exe 1592 WMIC.exe 1592 WMIC.exe 992 WMIC.exe 992 WMIC.exe 992 WMIC.exe 992 WMIC.exe 4692 chrome.exe 4692 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: 33 2256 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2256 AUDIODG.EXE Token: SeIncreaseQuotaPrivilege 5100 WMIC.exe Token: SeSecurityPrivilege 5100 WMIC.exe Token: SeTakeOwnershipPrivilege 5100 WMIC.exe Token: SeLoadDriverPrivilege 5100 WMIC.exe Token: SeSystemProfilePrivilege 5100 WMIC.exe Token: SeSystemtimePrivilege 5100 WMIC.exe Token: SeProfSingleProcessPrivilege 5100 WMIC.exe Token: SeIncBasePriorityPrivilege 5100 WMIC.exe Token: SeCreatePagefilePrivilege 5100 WMIC.exe Token: SeBackupPrivilege 5100 WMIC.exe Token: SeRestorePrivilege 5100 WMIC.exe Token: SeShutdownPrivilege 5100 WMIC.exe Token: SeDebugPrivilege 5100 WMIC.exe Token: SeSystemEnvironmentPrivilege 5100 WMIC.exe Token: SeRemoteShutdownPrivilege 5100 WMIC.exe Token: SeUndockPrivilege 5100 WMIC.exe Token: SeManageVolumePrivilege 5100 WMIC.exe Token: 33 5100 WMIC.exe Token: 34 5100 WMIC.exe Token: 35 5100 WMIC.exe Token: 36 5100 WMIC.exe Token: SeDebugPrivilege 2660 tasklist.exe Token: SeIncreaseQuotaPrivilege 5100 WMIC.exe Token: SeSecurityPrivilege 5100 WMIC.exe Token: SeTakeOwnershipPrivilege 5100 WMIC.exe Token: SeLoadDriverPrivilege 5100 WMIC.exe Token: SeSystemProfilePrivilege 5100 WMIC.exe Token: SeSystemtimePrivilege 5100 WMIC.exe Token: SeProfSingleProcessPrivilege 5100 WMIC.exe Token: SeIncBasePriorityPrivilege 5100 WMIC.exe Token: SeCreatePagefilePrivilege 5100 WMIC.exe Token: SeBackupPrivilege 5100 WMIC.exe Token: SeRestorePrivilege 5100 WMIC.exe Token: SeShutdownPrivilege 5100 WMIC.exe Token: SeDebugPrivilege 5100 WMIC.exe Token: SeSystemEnvironmentPrivilege 5100 WMIC.exe Token: SeRemoteShutdownPrivilege 5100 WMIC.exe Token: SeUndockPrivilege 5100 WMIC.exe Token: SeManageVolumePrivilege 5100 WMIC.exe Token: 33 5100 WMIC.exe Token: 34 5100 WMIC.exe Token: 35 5100 WMIC.exe Token: 36 5100 WMIC.exe Token: SeDebugPrivilege 4300 tasklist.exe Token: SeDebugPrivilege 5780 taskkill.exe Token: SeDebugPrivilege 5860 taskkill.exe Token: SeDebugPrivilege 6040 
taskkill.exe Token: SeDebugPrivilege 6136 taskkill.exe Token: SeDebugPrivilege 5148 taskkill.exe Token: SeDebugPrivilege 3124 taskkill.exe Token: SeDebugPrivilege 992 taskkill.exe Token: SeDebugPrivilege 4212 taskkill.exe Token: SeDebugPrivilege 5544 taskkill.exe Token: SeDebugPrivilege 3820 taskkill.exe Token: SeDebugPrivilege 4832 taskkill.exe Token: SeDebugPrivilege 5848 tasklist.exe Token: SeDebugPrivilege 5856 powershell.exe Token: SeSecurityPrivilege 5920 TiWorker.exe Token: SeRestorePrivilege 5920 TiWorker.exe Token: SeBackupPrivilege 5920 TiWorker.exe Token: SeIncreaseQuotaPrivilege 4812 WMIC.exe Token: SeSecurityPrivilege 4812 WMIC.exe -
Suspicious use of FindShellTrayWindow 61 IoCs
pid Process 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe -
Suspicious use of SendNotifyMessage 48 IoCs
pid Process 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe 4692 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1208 wrote to memory of 1628 1208 msedge.exe 81 PID 1208 wrote to memory of 1628 1208 msedge.exe 81 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 
msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 2700 1208 msedge.exe 83 PID 1208 wrote to memory of 5108 1208 msedge.exe 84 PID 1208 wrote to memory of 5108 1208 msedge.exe 84 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 PID 1208 wrote to memory of 4360 1208 msedge.exe 85 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
5548 | attrib.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/4nlwxAqL#SRB6SE9FtsJVXmVM_OuUWGUL2GJM7t2fe08Ym2dbty8
  PID:1208
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff97bf846f8,0x7ff97bf84708,0x7ff97bf84718
    PID:1628

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
    PID:2700

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
    PID:5108
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
    PID:4360

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
    PID:1772

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
    PID:4720

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
    PID:2184

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    PID:4536
    - Drops file in Program Files directory

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff7ae035460,0x7ff7ae035470,0x7ff7ae035480
      PID:4972

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
    PID:1188
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
    PID:3028

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
    PID:3156

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
    PID:1140

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
    PID:4884

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6384 /prefetch:8
    PID:2236

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6116 /prefetch:8
    PID:5192

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
    PID:5200

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:8
    PID:5364
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6836 /prefetch:8
    PID:5380

  C:\Users\Admin\Downloads\Tools.exe
    "C:\Users\Admin\Downloads\Tools.exe"
    PID:5620
    - Executes dropped EXE

    C:\Users\Admin\Downloads\Tools.exe
      "C:\Users\Admin\Downloads\Tools.exe"
      PID:5888
      - Executes dropped EXE
      - Loads dropped DLL

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "ver"
        PID:4016

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        PID:1260

        C:\Windows\System32\Wbem\WMIC.exe
          wmic csproduct get uuid
          PID:5100
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist"
        PID:1092

        C:\Windows\system32\tasklist.exe
          tasklist
          PID:2660
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
        PID:5496
        - Hide Artifacts: Hidden Files and Directories

        C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
          PID:5548
          - Views/modifies file attributes

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        PID:5552

        C:\Windows\system32\mshta.exe
          mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
          PID:5580

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist"
        PID:5408

        C:\Windows\system32\tasklist.exe
          tasklist
          PID:4300
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1208"
        PID:5736

        C:\Windows\system32\taskkill.exe
          taskkill /F /PID 1208
          PID:5780
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1628"
        PID:5804

        C:\Windows\system32\taskkill.exe
          taskkill /F /PID 1628
          PID:5860
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2700"
        PID:6024

        C:\Windows\system32\taskkill.exe
          taskkill /F /PID 2700
          PID:6040
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5108"
        PID:6060

        C:\Windows\system32\taskkill.exe
          taskkill /F /PID 5108
          PID:6136
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4360"
        PID:5988

        C:\Windows\system32\taskkill.exe
          taskkill /F /PID 4360
          PID:5148
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4720"
        PID:420

        C:\Windows\system32\taskkill.exe
          taskkill /F /PID 4720
          PID:3124
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1140"
        PID:4384

        C:\Windows\system32\taskkill.exe
          taskkill /F /PID 1140
          PID:992
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4884"
        PID:5428

        C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          PID:2660

        C:\Windows\system32\taskkill.exe
          taskkill /F /PID 4884
          PID:4212
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2236"
        PID:4640

        C:\Windows\system32\taskkill.exe
          taskkill /F /PID 2236
          PID:5544
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5192"
        PID:5484

        C:\Windows\system32\taskkill.exe
          taskkill /F /PID 5192
          PID:3820
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5200"
        PID:5420

        C:\Windows\system32\taskkill.exe
          taskkill /F /PID 5200
          PID:4832
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        PID:4100

        C:\Windows\system32\cmd.exe
          cmd.exe /c chcp
          PID:2328

          C:\Windows\system32\chcp.com
            chcp
            PID:5884
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"4⤵PID:5056
-
C:\Windows\system32\cmd.execmd.exe /c chcp5⤵PID:2232
-
C:\Windows\system32\chcp.comchcp6⤵PID:5832
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:5012
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"4⤵
- Clipboard Data
PID:2080 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Clipboard5⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"4⤵
- Network Service Discovery
PID:5936 -
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
PID:2448
-
-
C:\Windows\system32\HOSTNAME.EXEhostname5⤵PID:4852
-
-
C:\Windows\System32\Wbem\WMIC.exewmic logicaldisk get caption,description,providername5⤵
- Collects information from the system
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812
-
-
C:\Windows\system32\net.exenet user5⤵PID:2296
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user6⤵PID:2236
-
-
-
C:\Windows\system32\query.exequery user5⤵PID:2896
-
C:\Windows\system32\quser.exe"C:\Windows\system32\quser.exe"6⤵PID:4128
-
-
-
C:\Windows\system32\net.exenet localgroup5⤵PID:4508
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup6⤵PID:4884
-
-
-
C:\Windows\system32\net.exenet localgroup administrators5⤵PID:5292
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators6⤵PID:5264
-
-
-
C:\Windows\system32\net.exenet user guest5⤵PID:5320
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user guest6⤵PID:5276
-
-
-
C:\Windows\system32\net.exenet user administrator5⤵PID:6012
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator6⤵PID:6036
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic startup get caption,command5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5992
-
-
C:\Windows\system32\tasklist.exetasklist /svc5⤵
- Enumerates processes with tasklist
PID:5940
-
-
C:\Windows\system32\ipconfig.exeipconfig /all5⤵
- Gathers network information
PID:948
-
-
C:\Windows\system32\ROUTE.EXEroute print5⤵PID:4024
-
-
C:\Windows\system32\ARP.EXEarp -a5⤵
- Network Service Discovery
PID:6068
-
-
C:\Windows\system32\NETSTAT.EXEnetstat -ano5⤵
- System Network Connections Discovery
- Gathers network information
PID:4168
-
-
C:\Windows\system32\sc.exesc query type= service state= all5⤵
- Launches sc.exe
PID:2340
-
-
C:\Windows\system32\netsh.exenetsh firewall show state5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4652
-
-
C:\Windows\system32\netsh.exenetsh firewall show config5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profiles"4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
PID:5932 -
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵PID:64
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1592
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵PID:928
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
- Suspicious behavior: EnumeratesProcesses
PID:992
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1452
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2980
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4b4 0x2fc1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5920
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4692 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff96e36cc40,0x7ff96e36cc4c,0x7ff96e36cc582⤵PID:5508
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2028,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2024 /prefetch:22⤵PID:5784
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2116 /prefetch:32⤵PID:5788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2496 /prefetch:82⤵PID:5492
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3164 /prefetch:12⤵PID:1552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3212 /prefetch:12⤵PID:4080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4568 /prefetch:12⤵PID:5192
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3712,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3700 /prefetch:82⤵PID:5864
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3788,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4704 /prefetch:82⤵PID:5960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4944,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3700 /prefetch:12⤵PID:6028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5020 /prefetch:82⤵PID:4796
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5132,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5148 /prefetch:82⤵PID:5692
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:5884
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:6052
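The process tree above is a compact catalogue of host-side stealer tradecraft that is cheap to detect from process-creation telemetry alone: attrib +h +s on an executable dropped under AppData, an mshta javascript: one-liner that pops a fake "missing DLL" error, a run of eleven taskkill /F /PID calls each launched through its own cmd.exe /c, powershell.exe Get-Clipboard, a single cmd.exe /c line that chains systeminfo, net user, net localgroup, wmic, tasklist, ipconfig, route, arp, netstat, sc and netsh, plus netsh wlan show profiles and wmic csproduct get uuid. One caveat a practitioner should carry away from the signatures: the two netsh invocations under the recon command are "firewall show state" and "firewall show config", which only read firewall state even though the sandbox labels them "Modifies Windows Firewall"; likewise the net user / net localgroup calls are enumeration, not account changes. The Python below is an added example written for this page, not part of the sandbox report and not Exela code: it runs simple detection rules over events constructed from the command lines in the tree (PIDs and command lines copied from the report; the svchost entry is a benign control I added), and it keeps a read-only netsh firewall query separate from a set/add/delete change. Rule names, the five-tool recon threshold and the five-kill spree threshold are my choices, not the report's.

```python
import re
from collections import Counter

# Constructed sample: (pid, image, command line). Command lines and PIDs are copied
# from the sandbox process tree; the svchost entry is a benign control that is not
# in the report. Example detection code, not part of the report or of Exela.
SAMPLE_EVENTS = [
    (5548, r"C:\Windows\system32\attrib.exe",
     r'attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"'),
    (5580, r"C:\Windows\system32\mshta.exe",
     "mshta \"javascript:var sh=new ActiveXObject('WScript.Shell'); "
     "sh.Popup('The Program can\\x22t start because api-ms-win-crt-runtime-|l1-1-.dll "
     "is missing from your computer. Try reinstalling the program to fix this problem', "
     "0, 'System Error', 0+16);close()\""),
    (5856, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-Clipboard"),
    (5936, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & '
     r'echo ####System Version#### & ver & echo ####Host Name#### & hostname & '
     r'echo ####Environment Variable#### & set & echo ####Logical Disk#### & '
     r'wmic logicaldisk get caption,description,providername & echo ####User Info#### & '
     r'net user & echo ####Online User#### & query user & echo ####Local Group#### & '
     r'net localgroup & echo ####Administrators Info#### & net localgroup administrators & '
     r'echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & '
     r'net user administrator & echo ####Startup Info#### & wmic startup get caption,command & '
     r'echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & '
     r'echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & '
     r'echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & '
     r'echo ####Netstat#### & netstat -ano & echo ####Service Info#### & '
     r'sc query type= service state= all & echo ####Firewallinfo#### & '
     r'netsh firewall show state & netsh firewall show config"'),
    (808, r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
    (4652, r"C:\Windows\system32\netsh.exe", "netsh firewall show state"),
    (1592, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic csproduct get uuid"),
    (4242, r"C:\Windows\system32\svchost.exe", "svchost.exe -k netsvcs -p"),  # benign control
]
# The eleven forced kills by PID from the report: (taskkill PID, target PID).
SAMPLE_EVENTS += [
    (pid, r"C:\Windows\system32\taskkill.exe", "taskkill /F /PID %d" % target)
    for pid, target in [(5780, 1208), (5860, 1628), (6040, 2700), (6136, 5108),
                        (5148, 4360), (3124, 4720), (992, 1140), (4212, 4884),
                        (5544, 2236), (3820, 5192), (4832, 5200)]
]

# Built-in tools the report shows chained in one cmd.exe /c line. Five or more of
# them in a single command line is scored as a recon chain (threshold is mine).
RECON_TOOLS = ("systeminfo", "net user", "net localgroup", "wmic logicaldisk",
               "wmic startup", "tasklist", "ipconfig", "route print", "arp -a",
               "netstat", "sc query", "netsh firewall show")
RECON_THRESHOLD = 5
SPREE_THRESHOLD = 5


def recon_tool_count(cmdline):
    """Number of distinct recon tools named in one command line."""
    cl = cmdline.lower()
    return sum(tool in cl for tool in RECON_TOOLS)


def classify(image, cmdline):
    """Return the names of the rules one process-creation event matches."""
    exe = image.rsplit("\\", 1)[-1].lower()
    cl = cmdline.lower()
    hits = []
    if exe == "attrib.exe" and "+h" in cl and "+s" in cl and re.search(r"\\appdata\\.*\.exe", cl):
        hits.append("hide_appdata_exe")
    if exe == "mshta.exe" and "javascript:" in cl and "popup(" in cl:
        hits.append("mshta_fake_error_dialog")
    if exe == "powershell.exe" and "get-clipboard" in cl:
        hits.append("clipboard_harvest")
    if exe == "taskkill.exe" and re.search(r"/f\s+/pid\s+\d+", cl):
        hits.append("taskkill_by_pid")
    if exe == "netsh.exe":
        if "wlan show profiles" in cl:
            hits.append("wifi_profile_discovery")
        # 'show' only reads firewall state; set/add/delete actually change it.
        if re.search(r"(adv)?firewall\s+show", cl):
            hits.append("firewall_query_readonly")
        if re.search(r"(adv)?firewall\s+(set|add|delete)", cl):
            hits.append("firewall_modification")
    if exe == "wmic.exe" and "csproduct get uuid" in cl:
        hits.append("hwid_collection")
    if recon_tool_count(cmdline) >= RECON_THRESHOLD:
        hits.append("recon_chain")
    return hits


def analyze(events):
    """Score one session's events: per-PID findings, rule counts and a verdict."""
    findings, counts = {}, Counter()
    for pid, image, cmdline in events:
        rules = classify(image, cmdline)
        if rules:
            findings[pid] = rules
            counts.update(rules)
    # One or two kills by PID are ordinary admin work; the report shows eleven in
    # a row, each through its own cmd.exe /c, so a spree is scored on the batch.
    spree = counts["taskkill_by_pid"] >= SPREE_THRESHOLD
    core = {"hide_appdata_exe", "mshta_fake_error_dialog", "clipboard_harvest", "recon_chain"}
    matched = core & set(counts)
    if len(matched) >= 2 and spree:
        verdict = "exela-like stealer"
    elif matched or spree:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"findings": findings, "rule_counts": dict(counts),
            "taskkill_spree": spree, "verdict": verdict}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for pid, rules in sorted(result["findings"].items()):
        print("PID %5d: %s" % (pid, ", ".join(rules)))
    print("taskkill spree:", result["taskkill_spree"], "| verdict:", result["verdict"])
```

In a real pipeline the (pid, image, command line) tuples would come from Sysmon event 1 or Security event 4688 with command-line auditing enabled, batched per host and per short time window so the taskkill count means something. The rules deliberately key on the child process (attrib.exe, mshta.exe, taskkill.exe, netsh.exe) rather than on the cmd.exe wrapper, because the wrapper's command line varies and the child's does not; the recon rule is the one exception, since the tell there is the number of tools chained into one cmd.exe /c line.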
Network

MITRE ATT&CK Enterprise v15 (technique counts in parentheses)

Persistence
  Account Manipulation (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Account Manipulation (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (1)
    Disable or Modify System Firewall (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)

Discovery
  Browser Information Discovery (1)
  Network Service Discovery (1)
  Permission Groups Discovery (1)
    Local Groups (1)
  Process Discovery (1)
  Query Registry (2)
  System Information Discovery (3)
  System Network Configuration Discovery (1)
    Wi-Fi Discovery (1)
  System Network Connections Discovery (1)
Downloads (dropped and cached files; a path is given only where the report records one)

Filesize: 649B
MD5:    cd2dacffc275c8071fcde956de153272
SHA1:   98953146e634d1e999baf09ceb9485edd175edf5
SHA256: 271198889a5e286834e20e834b3a9a33a8505f2077e2bfc09b4dc3683c5b7bc4
SHA512: 3d955334ed40b97f1a9a7d4048819fccce1c42163d4ab04e3c6b35ecb5cd4ddc8f0d9f4e32f8c9fa5b2e2cf570290bf502684d1123832e3799789ef693ed0e33

Filesize: 2B
MD5:    d751713988987e9331980363e24189ce
SHA1:   97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 356B
MD5:    8cee74b8bf3e55857f3fff6e59a656e0
SHA1:   9dc75ec8d277ebda5d48597f33d562ae4648a967
SHA256: 1d7421e027a4196b3a487579ad7e1619d38946e8825f4392181a03a2d0042774
SHA512: 245d519245d583eecc6ec0eca623d6908b26d7894962d00dbbfdb89d8f9334b57b2564a8457f064e77b306cc8314f83af558da707f0959d36fdbdd14f9a2c71e

Filesize: 9KB
MD5:    6b074037473fee489fffc7eb2d24a257
SHA1:   4c3160d727f0255b03104f267561d07faebda23c
SHA256: 5475342061ffe579d89c700e48186991e567c4d06ca5e8c58d39a5fd78edec78
SHA512: b2a7225bdf9faba9abc5159cdbc5c252b7d32f404241f77e6e501e1d9e3afb973f47526a4243102ea9e96888a7127a9e5222ac2b9e943b5fa6677a8d9ca8e4ff

Filesize: 8KB
MD5:    43911a6ffeaa35874ca541a21e66bf20
SHA1:   f181b23dcf3f85c78950a2183fa45225b066d6fe
SHA256: fbb3cc8bc95dd3bd4afa16b3795d111ff984ef9f9c7565124bfab441f230b66c
SHA512: a2a8dba517e04911264d79b474d03316479f396d1614b28988b76b61331efa822fd0c3f93484d4fae710b252d08eb10b6c0a50953736092d1e725b4348da708d

Filesize: 9KB
MD5:    7b5b9b494f0e8fc00e5b0bd39a7213d7
SHA1:   e97cea936739dae5fb4c6a77dfd25772c0b85128
SHA256: 6ebdd29129c520c0f3dfeed3e69da82d1b57802f07f7d1c78f8700242ad7538e
SHA512: 75ba22bea60b0c9fcdd76c0fd3a81733f5c32d03321eec0b7d1db876ff667a5a6f51097225de05aea4f966ae5f4cb8eadab8df86dc3c3f6924cd7d486a859d81

Filesize: 15KB
MD5:    9b2a8d2d15c662128004b668f359f58b
SHA1:   26aa26ab6a8b1b67b7019eea76f518d43e129c1f
SHA256: c1b5c302139f096820266794dfaa284c378ac0123d9f0408b1330f0a3c8dfdc6
SHA512: 19e72ce43b3f86844d022da25d2ce0cea87f571a871d43cdc40c9eca9e96ce9c25c21ef5bd87dc5f03dae6429add39a6975c9220fe290240a8cb84d63cd757b5

Filesize: 234KB
MD5:    abadc8379cec0bc27226d9b12898de4a
SHA1:   17984b18a40d8ef2a532f62875739abb05f08b41
SHA256: dca9da4ffa855a6dab31ff50f79869b1fed4c79bc8405cd398138aacd1163cd5
SHA512: db458803936044f42c8a656ada4ff930a4da9bb12540872278b23a9268caa48be6bfbaafe6b3c9b0b54d7ce5793ae4a068d10f19ad7658353dbec45c36737f54

Filesize: 234KB
MD5:    1d42430e9378bd108d5e306facb79651
SHA1:   05cb764caa3e6930deb3bbca9596c5d6cbca1e5f
SHA256: c1e45616f720502abc8fc51e5ea798a3de41bb111c69b49e91791ff91e35fd65
SHA512: 95fb28b2ee55d668116e378ec9fcfc893447881df4018cebe3924b14d7370c5e98c87cf5d6b73c83b2a7c1bfd3b1c0521338f9cbed3e654d2c045bdaf4152501

Filesize: 152B
MD5:    467bc167b06cdf2998f79460b98fa8f6
SHA1:   a66fc2b411b31cb853195013d4677f4a2e5b6d11
SHA256: 3b19522cb9ce73332fa1c357c6138b97b928545d38d162733eba68c8c5e604bd
SHA512: 0eb63e6cacbec78b434d976fa2fb6fb44b1f9bc31001857c9bcb68c041bb52df30fbc7e1353f81d336b8a716821876fcacf3b32a107b16cec217c3d5d9621286

Filesize: 152B
MD5:    cc10dc6ba36bad31b4268762731a6c81
SHA1:   9694d2aa8b119d674c27a1cfcaaf14ade8704e63
SHA256: d0d1f405097849f8203095f0d591e113145b1ce99df0545770138d772df4997f
SHA512: 0ed193fdcc3f625221293bfd6af3132a5ce7d87138cd7df5e4b89353c89e237c1ff81920a2b17b7e0047f2cc8b2a976f667c7f12b0dcc273ddc3b4c8323b1b56

Filesize: 17KB
MD5:    950eca48e414acbe2c3b5d046dcb8521
SHA1:   1731f264e979f18cdf08c405c7b7d32789a6fb59
SHA256: c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2
SHA512: 27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 72B
MD5:    40c08d56c5feaced74b97ce197f08750
SHA1:   f71cfa4a4b48f984eb060106888867e8c17cd7e1
SHA256: ffcaf28ad64b5769cdf720bd804af7c5fb5563dd373e13954c8ac88e5247f543
SHA512: bd20fb8daa8844c72e2c8f855d64d76e116bf25e617454a8dda582e7520f62c325862230f600ae0f50b3556eb5934990bd1bda20c6b4a3d4c3b92bb023d7e79c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 48B
MD5:    6d6fa7e8b98e22a229f140a85a303322
SHA1:   e11c3d97fd66fa24fc863274853ca8eb7197e665
SHA256: 151d279fbfc89cc69f461ba4d50d048d4a977ad881ecd512b9dafc571e7e5dac
SHA512: 72940adaffa94cf1653b7dc032c3b4ed7b12877618119f3241b39a76fec9770ef321762f73c6a3cdf57f40a2b8819bbcab188ee72589601c45cf112ec877933e

Filesize: 70KB
MD5:    e5e3377341056643b0494b6842c0b544
SHA1:   d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256: e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512: 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Filesize: 5KB
MD5:    4d94b053ace1199438cd3f853f6b45af
SHA1:   7e9c5b02dc67c59c0864b104e7ac7c5dbd41a6ea
SHA256: c7e647b0278bf2805c1a6106a6d3afbac0d7429135760971b4e4640665492c73
SHA512: 23b43bbb775094a2eed06df331fbd34486e41f509eab2656ca6707aa4c978501475e5a217d2b69fef26aa2f258865272c3c9a0d431b57704a1249de69af55926

Filesize: 5KB
MD5:    f8defe7701720c812ae283f7fe6101ae
SHA1:   d2713d27a5f668e56bf3e93d4f2246206d566574
SHA256: 5d7e3b3dca48a5227b999a99dcce3bc8eb79ae9ca9bd996f59a3e8bf46fb3633
SHA512: ca508e16a0d8bd7438fe209b33fc303aef91507fe6e38a518f27b5466ca62e37dbdf7f93ef89570eeab90b9530235b47ad45a6db8bfabcbbb288650b76a52cb0

Filesize: 5KB
MD5:    fcacdae72b723d06ede44142131945d1
SHA1:   ca2158fe18e5cd5a3568b0c1d4b5d560add4d59c
SHA256: afcb5499beb28348ce5ee421903fa4a2a4352ce64ca48d2ec73ceddd088983d3
SHA512: 588d5bdc4621e6db265fd675812d567d96064c7e9a7f353a30f9a505625d3ecac152910ea81b1feb327ea827ec379eb5b00512b1ad4e5543439f5d916cf255db

Filesize: 24KB
MD5:    3b964859deef3a6f470b8021df49b34d
SHA1:   62023dacf1e4019c9f204297c6be7e760f71a65d
SHA256: 087debdcfba4666c03a5ea699e9bb31cf22ef4e0fad7c961cb0b500e5d262fb5
SHA512: c30b7e1b28820a5815b52634b46cb210c241704e33e41304400cb3ed29e82ec547a1068fc819350b368456bcabd27034afade5add3251dc74e4174f51b6c7adf

Filesize: 24KB
MD5:    5c2d5c900312f44e72209416d45723cb
SHA1:   68fb8909308589149399c3fb74605600833fbbc1
SHA256: 56f7a77549e5fc45bd4b1f7c2db3e8b4bd1dd9234545207613a80342cee8e7d8
SHA512: 07c2920cff7c1125e3a2fe66bf21d8606a1f2a3d36be2d8e136da0d2a21130242ac8324f18cedfb0040304cf804815861767c969a6923d8db851312bf9b4348b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5:    580d30a6d681949e596f05ce3ca93643
SHA1:   042cc44e68a563f0c4eb269a8592103d7313d5f0
SHA256: 60bcf5242a7d70e213c8c5626c4438287fba94c0fdbc256b86a44e9dfda077a8
SHA512: b70cfae648b3f55cba3eca54b5e6fa5310c7048f0163f111678350fa3220b2f3b54fd85f0aec4ab537645203f6dd8111a273776f1a85310bd3001ba70125d8bc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c1e8.TMP
Filesize: 48B
MD5:    24649e46612a671375a1ab65ee29b5c3
SHA1:   9cc1b5fd3108d9e81d4bfeab14add156ae55119f
SHA256: a656f4728e2d21532f30a015a662b689a762805ab30b23bceaf1b4207be6141e
SHA512: 7bbd3eed84bd5fd4e13e00fbcf3345cce520b2d455ff4347351c00e445f8d7c2c2fa47bba3873111491320bf72638d8856389a6d595c509f1d261e9a1be4ea74

Filesize: 16B
MD5:    206702161f94c5cd39fadd03f4014d98
SHA1:   bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 41B
MD5:    5af87dfd673ba2115e2fcf5cfdb727ab
SHA1:   d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize: 16B
MD5:    46295cac801e5d4857d09837238a6394
SHA1:   44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 8KB
MD5:    f50cb573bf68fc7fdd739ba328fa61d6
SHA1:   12d574bf118fa1cb4d1cfa1b314705a2209858df
SHA256: eb335cee61af7d0aae01f89740ac26ec9822cb155e924bc9d62b505f261b2551
SHA512: da09c678ba78bfd251c61ef109bb8df4a01c04dc5ccd6c0d8665beb5e1bcaeabc964670f7b2c13c12ea27363460ea7c1c01940b57bc4a289c972ce4ec67e6022

Filesize: 10KB
MD5:    5163964754e61aea387d5ae647cee41e
SHA1:   f37072bd81913515c8199cfef6bc58c89b547720
SHA256: 24a38b2059bdf38820b3a55ac8414aacf386b4d0f5aff8fb4fa1d46b4ddeada9
SHA512: 705dd1293022c886b19607699ea3fc1c543b7f3e62db1487292835289634a07408e4e86f38d41e4c7a2c73f20ab7904948410f0722315c0b4eed893ffabe1188

Filesize: 13KB
MD5:    880dae70b2022931ac7259ff2b6cb587
SHA1:   6d0e13222c5ac1b61470525885002c6a8a1ace5d
SHA256: 03545ee011b3724f77ed178df31eab23d40b26c65be095ebef9bf73aabb682fa
SHA512: b0c770455431a673f8570b6f486b40db773afa0a1fac9938648374d2c5a2292b5ae52ed5a7ee153a111da59cc3c804296927f310e1391f9012acdc2554040994

Filesize: 19KB
MD5:    bfd3c6838dd6567689830b0c99021718
SHA1:   f7a15bbb3732c52bbf422a75c2f2e242dc1bafb7
SHA256: a6e3e745e6f5590f0e11c706999c7f71c9c560d93f13580cc34e10ca4feac748
SHA512: 27d64e401a4606d6f2c86e52f0ec70ebfc066676aa092291a6cc170ab52b0588367d80dced7373af2188f6e341dec72660d26cb025137f5b309177927d8dddad

Filesize: 14KB
MD5:    3710aee34cc4b6cb3e89f8b2a52e17b1
SHA1:   f00145afc0a4c83f06b38f6dbc9998ebfe115155
SHA256: b1d90554f94827be99762b40f1a266f42e8d09fb846aa3e0a4b3a60b2708db14
SHA512: 0f79916b30fb3b3eeb548a96863483d2cafacc62dbaf06d3ec9636c94553561f05a1eaf486f579afd838dd9eec0e4486d79193f8ab3e501d1df22f1e169a3970

Filesize: 547KB
MD5:    008d9948364685c06f3456c4f3e7af80
SHA1:   9bc6abc0d6a737ec2b12466686cdb2f64c3cd94f
SHA256: 3107f161000b6e7940c08888c54add2d6a08ad4ad26e563245433d92987d8dc7
SHA512: dd03e3a053c5dc016b11ac1b618e28c947da9bc4b20e9e8425ee43e202a095eedb31d16ffc1ae1bbc735cfcf218cf425843800aa54f200fe3d9fcaad8ac8868c

Filesize: 291KB
MD5:    ace708a6df648a83b4a31bfd121b2ca1
SHA1:   0dc4c32f31a3bc7efc263fb19154cddf3f0c74b6
SHA256: fc0cd8422ceb0892ceefbffbcbccad97af3bd8e813808c45bb391c340a4902d2
SHA512: cb16d19a2bc40c9463415b96057d4c0ba51294e350e9acf96d28c9df2b19e5f244bfff5f6eecf501a1a7a6190e373ca7eedbb9548cae762668ddbd0868e1980f

Filesize: 504KB
MD5:    967cec8a3a639ceed08e9018c1ac3ffe
SHA1:   fad7e0a79ef7b5a0d59201468f3cc207c9f809cc
SHA256: ef54aad74251c872bc9a696373fce59f11c6a0b84ac1f1885317f0a0d963b75a
SHA512: 7a27018544874e69e415c914c2c55fb9012e56edfafff74b203e5abb77c685d4d3c468db8386199949237f7940551cc280639405144ea28ef9d60c16d50b80f3

Filesize: 333KB
MD5:    82cc37d43891ac36ec92652f207df547
SHA1:   b6324c003257851b2c169c2a4910d36de58b03f2
SHA256: a71cb14875a3290904db852aa6fd14098705d82bc7cbc402e01aaeb415b09cde
SHA512: f798c4a237e60c0a8323c9974627ed5c70929c91d3747f0916db973d9081d259608232476b7a5f0cb4611bbcbbd9a041e71221dc95eae421af0e06f5298de54d

Filesize: 476KB
MD5:    366e7210ba3f85c4154110a8008791f3
SHA1:   837f73de0ce93dc01a4ee36868dedda26ff5a9af
SHA256: 1ede48099dd1dc48fac0b92f5cc15208d953f6c2f87fad35858d508ada125c6a
SHA512: 8b4d31500be401d9f2e0df7757f28a010e02f77fe559a523f55af4b7c5d7c111f861f4e92ab7e5bad510e684cc5947d354d674004ec58cadcbefd12b00de2fd5

Filesize: 417KB
MD5:    04ff1e93752556f04979a9aee3370556
SHA1:   6bb3dccbb7761c84b2671d3fc7ab08fa90a9628a
SHA256: ccc86b624814960c33863aaf54324dd3b75c02c023e9bd579054fac81d5d9853
SHA512: 4453acf6bb191fae3635bffc985d73914f53716b10cdccabc564f16b23aa40dc54142fb2a5fd63e6ab5b3f4d5d70b27b670bfd28ba271b3cf8d2714a148199bc

Filesize: 219KB
MD5:    7b226696d6ade9a018bd174abab7b4ac
SHA1:   0e4d69f70f4aa56a305afb07dcd59a0c3a71ac73
SHA256: 39074d220f53ca9096f559ee7ac802c27d060615406217c228ca04dbb1ea8e63
SHA512: 00980a8bf12031d9e81f18e7ea684fba599b2b78d306b5938c496c594eac3ee121605e6893ee03a2f4f248b94446989be54bcce53be55e666f054122fc6b40bc

Filesize: 408KB
MD5:    365077271d110ccc54476cb9f42245bd
SHA1:   27985cded8f8396cb37cbbced051d33efc9c2e32
SHA256: 7690f0cb21b285dfb17ab2db1a0318a96ea1fd4f3fa7e134774c8bbdb35f2022
SHA512: a412ef5876c82e640c93036e70c5ffd001f220cf2709906978b1fa86f96cb3ce8369b4febe981c0673bea4a5cf82928a9e6ef396c7d91aacfc8b0bf01dd658aa

Filesize: 309KB
MD5:    7f2fd4e44967bc9a45a8b9a672d2b97d
SHA1:   ebabb758440f6913ed998618df7c032dc76bc4a5
SHA256: 1401507285fb7bc4e79b0bf85ada93860f91cfce55bff16247d9a3df0fbb4a56
SHA512: 5fead157fce9bcd544b02992562f58f36bf43f6fd0a174dfa710df28efe9e196be5fc1c4845357f898d8e195e196f639bea6682af084eaf1ee935615d4ebddce

Filesize: 462KB
MD5:    ca83ea35f7754990b1ad0b81b861778b
SHA1:   1b0a8c1983cf1210914f4e00826ce87ae1314550
SHA256: 97fafbaa0576782593ab6e8fd800b41c1ed10f9e4d05346683d882724b144aed
SHA512: 5a14101862b0c29ada130f84a5078ca94aa6bbb74e792b15879a9b2aed660524be7aaa5063b7204ff2b573ecb3115ca29573d14faa829498da0ccb88aff3dc9b

Filesize: 300KB
MD5:    907275399c8aa22e53a532188dbf808c
SHA1:   92c5e58de66cab99bb4383ec509954f342d17167
SHA256: 6d507a07aa05af1c6383c68b17a2a3134be0ec2627be89c14eac7b8dda965f2d
SHA512: 6d511f8a3873412d659810119bb69057272b00a7db0263599e6db902ca6c8e3afc8ba461b8d735275391ec4a6f934de1ec1afbae8c60542e7c750093fbcc0e99

Filesize: 545KB
MD5:    e0f3efec69e6879c8a250e285f28d268
SHA1:   904b420a88a9d1b13ccd492ab6a515d9ca069f07
SHA256: 906c5b8a0e1f8a8deebfba62b43be5e02778ec0a07f95afb9fe358da2ba99975
SHA512: 7617c18632ca83ab77dea1aa315dea917cf060d4c6fa6f7e5ccb0b3a8e9b17d6af6d0249b2bdd6054f2ae4a1c2add4e15815a7ffe4c6dd6080c4bc29cb69c555

Filesize: 763KB
MD5:    5141279391c7c28776da496dfb71ab3a
SHA1:   8ae654907adb66c51644a1eb71bdbc006723d601
SHA256: fd0e0062deaa097893d806ce2bd7c272bc9e0b251741c0dbad1d57a09b68b553
SHA512: 92da427528024932e890d3ed8cf7b444cabfdea5d37e21f83899d9fe4f2f42bb98cebad6ab43c9d7b0ea1a91452869465cf15c605a5549ab5ae0760bb70a2eb2

Filesize: 24KB
MD5:    a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1:   5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256: 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512: b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Filesize: 1008KB
MD5:    f6802018860beab0e371d5bffa2c0329
SHA1:   d3c2f68843921e8fb9f1e26b083a89c3a4275f3a
SHA256: 90da474215a3c3ff24b08c098795d50891329685c1148831034f17f687ebd6bb
SHA512: 95132b9a0227e15d89502d1ffaddb909063f7650c8f70f710bcbc94c9f84249e1698efca85d3360e7f5bcad636fad131c4c88256b7bcf5c07ead703e478d53f0

Filesize: 627KB
MD5:    77b44a15785ed4445b2a564b5ea5c80a
SHA1:   4aec53400cfc4ea9e0465adf5cd058a29af268bd
SHA256: cc8c130993fd054c0883383c534de5345c72e3b14a99286ff31f8b704ae22ccb
SHA512: ffda0603170c22e22699df5dc4b7c01d6232594ec56632043d685c497a3fd8354e6b9f69ca9dd3be1ebb679b2d4d089fa2a8211336a0a93eaba012563eb1e1da

Filesize: 96KB
MD5:    f12681a472b9dd04a812e16096514974
SHA1:   6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256: d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512: 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Filesize: 34KB
MD5:    1b8ce772a230a5da8cbdccd8914080a5
SHA1:   40d4faf1308d1af6ef9f3856a4f743046fd0ead5
SHA256: fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f
SHA512: d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603

Filesize: 46KB
MD5:    80c69a1d87f0c82d6c4268e5a8213b78
SHA1:   bae059da91d48eaac4f1bb45ca6feee2c89a2c06
SHA256: 307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87
SHA512: 542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d

Filesize: 71KB
MD5:    0f0f1c4e1d043f212b00473a81c012a3
SHA1:   ff9ff3c257dceefc74551e4e2bacde0faaef5aec
SHA256: fda255664cbf627cb6a9cd327daf4e3eb06f4f0707ed2615e86e2e99b422ad0b
SHA512: fcfa42f417e319bddf721f298587d1b26e6974e5d7589dfe6ddd2b013bc554a53db3725741fbc4941f34079ed8cb96f05934f3c2b933cda6a7e19cda315591a7

Filesize: 57KB
MD5:    b4c41a4a46e1d08206c109ce547480c7
SHA1:   9588387007a49ec2304160f27376aedca5bc854d
SHA256: 9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9
SHA512: 30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Filesize: 104KB
MD5:    e9501519a447b13dcca19e09140c9e84
SHA1:   472b1aa072454d065dfe415a05036ffd8804c181
SHA256: 6b5fe2dea13b84e40b0278d1702aa29e9e2091f9dc09b64bbff5fd419a604c3c
SHA512: ef481e0e4f9b277642652cd090634e1c04702df789e2267a87205e0fe12b00f1de6cdd4fafb51da01efa726606c0b57fcb2ea373533c772983fc4777dc0acc63

Filesize: 33KB
MD5:    0629bdb5ff24ce5e88a2ddcede608aee
SHA1:   47323370992b80dafb6f210b0d0229665b063afb
SHA256: f404bb8371618bbd782201f092a3bcd7a96d3c143787ebea1d8d86ded1f4b3b8
SHA512: 3faeff1a19893257c17571b89963af37534c189421585ea03dd6a3017d28803e9d08b0e4daceee01ffeda21da60e68d10083fe7dbdbbde313a6b489a40e70952

Filesize: 84KB
MD5:    bfca96ed7647b31dd2919bedebb856b8
SHA1:   7d802d5788784f8b6bfbb8be491c1f06600737ac
SHA256: 032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e
SHA512: 3a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551

Filesize: 25KB
MD5:    849b4203c5f9092db9022732d8247c97
SHA1:   ed7bd0d6dcdcfa07f754b98acf44a7cfe5dcb353
SHA256: 45bfbab1d2373cf7a8af19e5887579b8a306b3ad0c4f57e8f666339177f1f807
SHA512: cc618b4fc918b423e5dbdcbc45206653133df16bf2125fd53bafef8f7850d2403564cf80f8a5d4abb4a8928ff1262f80f23c633ea109a18556d1871aff81cd39

Filesize: 30KB
MD5:    97a40f53a81c39469cc7c8dd00f51b5d
SHA1:   6c3916fe42e7977d8a6b53bfbc5a579abcf22a83
SHA256: 11879a429c996fee8be891af2bec7d00f966593f1e01ca0a60bd2005feb4176f
SHA512: 02af654ab73b6c8bf15a81c0e9071c8faf064c529b1439a2ab476e1026c860cf7d01472945112d4583e5da8e4c57f1df2700331440be80066dbb6a7e89e1c5af

Filesize: 24KB
MD5:    0614691624f99748ef1d971419bdb80d
SHA1:   39c52450ed7e31e935b5b0e49d03330f2057747d
SHA256: ac7972502144e9e01e53001e8eec3fc9ab063564678b784d024da2036ba7384d
SHA512: 184bc172c7bb8a1fb55c4c23950cbe5e0b5a3c96c1c555ed8476edf79c5c729ed297112ee01b45d771e5c0055d2dc402b566967d1900b5abf683ee8e668c5b26

Filesize: 41KB
MD5:    04e7eb0b6861495233247ac5bb33a89a
SHA1:   c4d43474e0b378a00845cca044f68e224455612a
SHA256: 7efe25284a4663df9458603bf0988b0f47c7dcf56119e3e853e6bda80831a383
SHA512: d4ea0484363edf284ac08a1c3356cc3112d410dd80fe5010c1777acf88dbd830e9f668b593e252033d657a3431a79f7b68d09eb071d0c2ceb51632dbe9b8ed97

Filesize: 54KB
MD5:    d9eeeeacc3a586cf2dbf6df366f6029e
SHA1:   4ff9fb2842a13e9371ce7894ec4fe331b6af9219
SHA256: 67649e1e8acd348834efb2c927ab6a7599cf76b2c0c0a50b137b3be89c482e29
SHA512: 0b9f1d80fb92c796682dba94a75fbce0e4fbeaedccd50e21d42d4b9366463a830109a8cd4300aa62b41910655f8ca96ecc609ea8a1b84236250b6fd08c965830

Filesize: 60KB
MD5:    fd0f4aed22736098dc146936cbf0ad1d
SHA1:   e520def83b8efdbca9dd4b384a15880b036ee0cf
SHA256: 50404a6a3de89497e9a1a03ff3df65c6028125586dced1a006d2abb9009a9892
SHA512: c8f3c04d87da19041f28e1d474c8eb052fe8c03ffd88f0681ef4a2ffe29755cfd5b9c100a1b1d2fdb233cb0f70e367af500cbd3cd4ce77475f441f2b2aa0ab8a

Filesize: 21KB
MD5:    3377ae26c2987cfee095dff160f2c86c
SHA1:   0ca6aa60618950e6d91a7dea530a65a1cdf16625
SHA256: 9534cb9c997a17f0004fb70116e0141bdd516373b37bbd526d91ad080daa3a2b
SHA512: 8e408b84e2130ff48b8004154d1bdf6a08109d0b40f9fafb6f55e9f215e418e05dca819f411c802792a9d9936a55d6b90460121583e5568579a0fda6935852ee

Filesize: 1.4MB
MD5:    2a138e2ee499d3ba2fc4afaef93b7caa
SHA1:   508c733341845e94fce7c24b901fc683108df2a8
SHA256: 130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c
SHA512: 1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Filesize: 1.1MB
MD5:    86cfc84f8407ab1be6cc64a9702882ef
SHA1:   86f3c502ed64df2a5e10b085103c2ffc9e3a4130
SHA256: 11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307
SHA512: b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c
-
Filesize
24KB
MD5decbba3add4c2246928ab385fb16a21e
SHA15f019eff11de3122ffa67a06d52d446a3448b75e
SHA2564b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d
SHA512760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012
-
Filesize
203KB
MD56cd33578bc5629930329ca3303f0fae1
SHA1f2f8e3248a72f98d27f0cfa0010e32175a18487f
SHA2564150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0
SHA512c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e
-
Filesize
20KB
MD55587c32d9bf7f76e1a9565df8b1b649f
SHA152ae204a65c15a09ecc73e7031e3ac5c3dcb71b2
SHA2567075185db068e3c8f1b7db75e5aa5c500fc76ed8270c6abc6f49681d7119a782
SHA512f21d0530389138457d6fdcdb3487a3c8b030338c569b2742f9e691e43af1d9e779c98426bad81b152f343b324a9375fe1322ef74030b1c8f8ba606d19e562e97
-
Filesize
86KB
MD5fe0e32bfe3764ed5321454e1a01c81ec
SHA17690690df0a73bdcc54f0f04b674fc8a9a8f45fb
SHA256b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92
SHA512d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d
-
Filesize
64KB
MD534e49bb1dfddf6037f0001d9aefe7d61
SHA1a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA2564055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856
-
Filesize
1.6MB
MD5db09c9bbec6134db1766d369c339a0a1
SHA1c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b
SHA256b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79
SHA512653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45
-
Filesize
24KB
MD5c39459806c712b3b3242f8376218c1e1
SHA185d254fb6cc5d6ed20a04026bff1158c8fd0a530
SHA2567cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9
SHA512b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d
-
Filesize
608KB
MD5895f001ae969364432372329caf08b6a
SHA14567fc6672501648b277fe83e6b468a7a2155ddf
SHA256f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7
SHA51205b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261
-
Filesize
293KB
MD506a5e52caf03426218f0c08fc02cc6b8
SHA1ae232c63620546716fbb97452d73948ebfd06b35
SHA256118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a
SHA512546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718
-
Filesize
41KB
MD51fa0ad3deb7f851a231c1a973b121b93
SHA165ae7bb5fec98da8665c70290c40082c8358b688
SHA2560054d20391ebcd1ed30ef2d5aaa1efbbc5aceb7d8f716c16de0ac0d9d2680121
SHA51264b6cf9d90daca0fb5e2d0eb91c853edaa2fb90edea064b96032ce968ee46961464772e353bf503e05b05471330c5afc8ffc72273e6ebdb6b1ad22fbce331fbf
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD52df49e8e11448f089e879ae7b4f30577
SHA101216d23fce2cf14865e52a9951b4862a3aaef74
SHA2562750685d210f1f3de4eba397a780568f9c939e2f933039027978298eecaa6a5e
SHA512300509d02aa0ee67ebe4257eeb752105b79b1d41df996ad1e1e53a0cf156d02b847f277aa12a6f1999e8b3168d9826b595d9eb7eeddec3b7ea684a657546be0c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD5f23c33eb347265e0c491cbbaa04d217f
SHA1afbd9f7fc777632cd7b06025546c5070a18c5e63
SHA2560aa9cd1d44966c48d3d1d70aeeab51d38800f714cbffaf15f5bbcbb1993d0bed
SHA5123c0745e3e94161e8c8eecd3d9b2cb75940607ba8c69d6c7cf9611e83113b1349e77dfee1efe698f9bca80918091540dfacd5acdde9b7f1680461e785808be33b
-
Filesize
10.9MB
MD59ef872cbbbbc5bb4b1ee521ef0203930
SHA1a0be1aff9a8feec9f847e6d1ef2a1f41eb5c062d
SHA25641d0d7f4aeb95e0ef2b69f00b443b82f9cfab03dd47ca80cbb61ac8ae9b714ea
SHA5124e250cd530e00b302082579fca6ae2a2d44058e5a288fc5fe809a040866702da84305060ced7f6fa89210e1e5811391142e4a4fe1917c71d60583378f4446dc1