Analysis
max time kernel: 199s
max time network: 226s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 31/01/2025, 14:33
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Da2dalus/The-MALWARE-Repo
Resource: win11-20241007-en
General
Target: https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Extracted
crimsonrat
185.136.161.124
Extracted
warzonerat
168.61.222.215:5400
Signatures
CrimsonRAT main payload 1 IoCs
resource | yara_rule
behavioral1/files/0x00030000000006a1-467.dat | family_crimsonrat
CrimsonRat
Crimson RAT is malware attributed to a Pakistan-linked threat actor.
Crimsonrat family
Darkcomet family
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | Blackkomet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe" | Fagot.a.exe
Njrat family
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Warzonerat family
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
resource | yara_rule
behavioral1/memory/1064-545-0x00000000058D0000-0x00000000058F8000-memory.dmp | rezer0
Warzone RAT payload 2 IoCs
resource | yara_rule
behavioral1/memory/2796-553-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
behavioral1/memory/2796-555-0x0000000000400000-0x0000000000553000-memory.dmp | warzonerat
Downloads MZ/PE file 7 IoCs
flow | pid | Process
30 | 924 | msedge.exe
30 | 924 | msedge.exe
30 | 924 | msedge.exe
30 | 924 | msedge.exe
30 | 924 | msedge.exe
30 | 924 | msedge.exe
30 | 924 | msedge.exe
Manipulates Digital Signatures 1 TTPs 12 IoCs
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | Fagot.a.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
4760 | netsh.exe
Sets file to hidden 1 TTPs 6 IoCs
Modifies file attributes so that the file is not shown in Explorer and similar tools.
pid | Process
4624 | attrib.exe
5012 | attrib.exe
1152 | attrib.exe
3580 | attrib.exe
3112 | attrib.exe
3460 | attrib.exe
Drops startup file 4 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | NJRat.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | NJRat.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA | NJRat.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:Zone.Identifier:$DATA | NJRat.exe
Executes dropped EXE 13 IoCs
pid | Process
3020 | Blackkomet.exe
2776 | winupdate.exe
4776 | winupdate.exe
4668 | CrimsonRAT.exe
3112 | dlrarhsiva.exe
1064 | WarzoneRAT.exe
4628 | WarzoneRAT.exe
2024 | NJRat.exe
2412 | WarzoneRAT (1).exe
3968 | Bezilom.exe
2444 | Bezilom.exe
1176 | Bezilom (1).exe
1500 | Fagot.a.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | Fagot.a.exe
Adds Run key to start application 2 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe" | Fagot.a.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | Blackkomet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" | winupdate.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | NJRat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | NJRat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StartUp = "C:\\Windows\\Maria.doc .exe" | Bezilom.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
1 | raw.githubusercontent.com
30 | raw.githubusercontent.com
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "COCK_SUCKING_FAGGOT" | Fagot.a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName = "COCK_SUCKING_FAGGOT" | Fagot.a.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File created | C:\windows\SysWOW64\logon.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\ntoskrnl.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\ntoskrnl.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\ntkrnlpa.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\wowexec.exe:SmartScreen:$DATA | Fagot.a.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | Blackkomet.exe
File created | C:\windows\SysWOW64\recover.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\win.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\dumprep.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\imapi.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\userinit32.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\progman.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\bootok.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\ctfmon.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File created | C:\Windows\SysWOW64\dllhost32.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\progman.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\dumprep.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\imapi.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\systray.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\win.exe:Zone.Identifier:$DATA | Fagot.a.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | attrib.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | attrib.exe
File created | C:\Windows\SysWOW64\userinit32.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\chcp.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA | Blackkomet.exe
File created | C:\Windows\SysWOW64\ntoskrnl.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\MDM.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\wuauclt.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\bootok.exe | Fagot.a.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt | attrib.exe
File created | C:\Windows\SysWOW64\userinit32.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\shutdown.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\alg.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\wowexec.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\WINDOWS\SysWOW64\userinit.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\progman.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\autochk.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\alg.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\regedit.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\alg.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\bootok.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\MDM.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe:SmartScreen:$DATA | Blackkomet.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
File created | C:\Windows\SysWOW64\dllhost32.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\dllhost32.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\services.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\wowexec.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\wuauclt.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\MDM.exe | Fagot.a.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
File opened for modification | C:\Windows\SysWOW64\Windupdt | attrib.exe
File created | C:\windows\SysWOW64\chcp.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\dumprep.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\win.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\wuauclt.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\chkntfs.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\ntkrnlpa.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\ntkrnlpa.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\services.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\logon.exe:SmartScreen:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\logon.exe:Zone.Identifier:$DATA | Fagot.a.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1064 set thread context of 2796 | 1064 | WarzoneRAT.exe | 131
PID 4628 set thread context of 4956 | 4628 | WarzoneRAT.exe | 135
PID 2412 set thread context of 2480 | 2412 | WarzoneRAT (1).exe | 149
resource | yara_rule
behavioral1/files/0x0006000000025ad2-904.dat | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\Maria.doc .exe | Bezilom.exe
File opened for modification | C:\Windows\Maria.doc .exe | Bezilom.exe
File created | C:\Windows\NOTEPAD.EXE | Fagot.a.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 9 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Bezilom (1).exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\WarzoneRAT (1).exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Bezilom.exe:Zone.Identifier | msedge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WarzoneRAT.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WarzoneRAT (1).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bezilom (1).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WarzoneRAT.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bezilom.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blackkomet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NJRat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bezilom.exe
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Fagot.a.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Fagot.a.exe
Enumerates system info in registry 2 TTPs 64 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | Fagot.a.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | Fagot.a.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | Fagot.a.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | Fagot.a.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | Fagot.a.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | Fagot.a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | Fagot.a.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | Fagot.a.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | Fagot.a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | Fagot.a.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | Fagot.a.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main | Fagot.a.exe
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com" | Fagot.a.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED3C5E28-6984-4B07-811D-8D5906ED3CEA} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6D08168-E381-4C6E-9BE8-FE156969A446} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2B38398-BC32-437B-81C3-A2F6D8697568} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{a1497c99-01f0-587b-ae27-d30037584a3b} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91C7765F-ED57-49AD-8B01-DC24816A5294} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49473E34-D4CC-49C8-BF62-79A08D2134A5} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2535fa2e-d302-5069-a6b9-79d89d032ac9} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{84cc931f-cb8f-4923-9120-c79968ef745f}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50A7E9B0-70EF-11D1-B75A-00A0C90564FE}\1.0\FLAGS | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{61D986EC-1EAC-46B6-90FF-402A008F15D1}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{426E255C-F1CE-4D02-A931-F9A254BF7F0F}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2B38398-BC32-437B-81C3-A2F6D8697568}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80CD1A63-37A5-43D3-80A3-CCD23E8FECEE}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D4B9C3E-CC05-493F-85E2-43D1006DF96A}\TypeLib | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1DA15C39-7E02-4EE8-8F60-FFF81275EE14} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F66D002A-A615-414B-BD81-CFFC93F27BA8} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D318FB7E-FF28-497E-A566-9DF09E6C503B}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB01A1E3-A42B-11CF-8F20-00805F2CD064} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF538114-BD14-53B0-B1D1-841DCAA451AD}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4DFA78AC-43C1-4DE5-8179-3C3EC9010A31} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30510708-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\3.0 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E59AC3E3-39BC-5F6F-9321-0D4A182D261B}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30510722-98B5-11CF-BB82-00AA00BDCE0B} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A1B5760-FE45-4958-AA3F-819060B16DE9} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CDB03-0000-0000-C000-000000000046}\TypeLib | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A88E90A6-DD82-437A-B89C-DC2977EB7BA9}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63A05464-2898-4778-A03C-6F994907D63A}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30510708-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CDB0F-0000-0000-C000-000000000046} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6271895B-E67F-4DEE-B68B-BF74ACE07753}\1.0\0\win64 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B722BCCA-4E68-101B-A2BC-00AA00404770} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\ProxyStubClsid | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EB-4981-101B-9CA8-9240CE2738AE}\ProxyStubClsid | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\XEV.FailSafeApp | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A19E7FAF-CB6F-43BA-AC16-BDE9823D6DD1}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69D172EF-F2C4-44E1-89F7-C86231E706E9}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{452AC71A-B655-4967-A208-A4CC39DD7949}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20F22571-AA1C-4724-AD0A-BDE2D19D6163} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2A75196C-D9EB-4129-B803-931327F72D5C}\2.8\0\win32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9DF68E2D-7484-4851-9B87-F6DDA1B8B446} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55A8702E-3406-45e5-9F34-CEC92D2CFA13} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3051074E-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CDB05-0000-0000-C000-000000000046}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CD6A1-0000-0000-C000-000000000046}\TypeLib | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C1FFDE20-5861-4E76-AC39-D35EFDD9080F} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5A577640-501D-4927-BCD0-5EF57A7ED175} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9590FA7-2132-47FB-9A78-AF0BF19AF4E6}\TypeLib | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{852C7D42-794F-43CD-A18F-CD40E83E67CD}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.6\HelpDir | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{131A6950-7F78-11D0-A979-00C04FD705A2} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE7C4271-210C-448D-9F54-76DAB7047B28} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{305900BA-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CD901-0000-0000-C000-000000000046}\TypeLib | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\shell\open | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C85BF5E-DC7C-4F61-839B-4107E1C9B68E}\ProxyStubClsid32 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E1E543F-1CF0-5CB3-B3FC-B559213C58E2} | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{305106C7-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\ddeexec\topic | Fagot.a.exe
NTFS ADS 20 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 194012.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 419357.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 49157.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 776695.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\WarzoneRAT (1).exe:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 277305.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\Bezilom (1).exe:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\Bezilom.exe:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 155862.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 461667.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 458014.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 288917.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier msedge.exe
File created C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:SmartScreen:$DATA WarzoneRAT.exe
File created C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:Zone.Identifier:$DATA WarzoneRAT.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2256 schtasks.exe
3104 schtasks.exe
2896 schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (number of times the entry is listed)
924 msedge.exe (2)
2212 msedge.exe (2)
3608 msedge.exe (2)
4664 identity_helper.exe (2)
4712 msedge.exe (2)
1124 msedge.exe (2)
4512 msedge.exe (2)
3180 msedge.exe (2)
1064 WarzoneRAT.exe (9)
4628 WarzoneRAT.exe (3)
4608 msedge.exe (4)
4280 msedge.exe (2)
2024 NJRat.exe (30)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
pid Process
2212 msedge.exe (listed 15 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
3020 Blackkomet.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
2776 winupdate.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
4776 winupdate.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
2212 msedge.exe (listed 64 times)
Suspicious use of SendNotifyMessage 12 IoCs
pid Process
2212 msedge.exe (listed 12 times)
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process
2212 msedge.exe
2428 MiniSearchHost.exe
3968 Bezilom.exe
2444 Bezilom.exe
1176 Bezilom (1).exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2212 wrote to memory of 4064 2212 msedge.exe 78 PID 2212 wrote to memory of 4064 2212 msedge.exe 78 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 
msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 2592 2212 msedge.exe 79 PID 2212 wrote to memory of 924 2212 msedge.exe 80 PID 2212 wrote to memory of 924 2212 msedge.exe 80 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 PID 2212 wrote to memory of 4116 2212 msedge.exe 81 -
Views/modifies file attributes 1 TTPs 6 IoCs
pid Process
3460 attrib.exe
4624 attrib.exe
5012 attrib.exe
1152 attrib.exe
3580 attrib.exe
3112 attrib.exe
Processes
[level 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9fc763cb8,0x7ff9fc763cc8,0x7ff9fc763cd8
PID:4064
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2068 /prefetch:2
PID:2592
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
PID:924
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
PID:4116
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
PID:976
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
PID:1008
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:3608
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:4664
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
PID:2420
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5980 /prefetch:8
PID:416
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4712
[level 2] C:\Users\Admin\Downloads\Blackkomet.exe
"C:\Users\Admin\Downloads\Blackkomet.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3020
[level 3] C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4624
[level 3] C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\Downloads" +s +h
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5012
[level 3] C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2776
[level 4] C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3580
[level 4] C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1152
[level 4] C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4776
[level 5] C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3112
[level 5] C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3460
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
PID:2836
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
PID:4980
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4980 /prefetch:8
PID:3788
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1124
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
PID:4884
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6324 /prefetch:8
PID:1888
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4512
[level 2] C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
- Executes dropped EXE
PID:4668
[level 3] C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
- Executes dropped EXE
PID:3112
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
PID:2956
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2368 /prefetch:1
PID:2428
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
PID:2824
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
PID:1936
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
PID:760
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6748 /prefetch:8
PID:1108
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3180
[level 2] C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1064
[level 3] C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBE.tmp"
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2256
[level 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
PID:3044
[level 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
PID:2528
[level 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
PID:4712
[level 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
- System Location Discovery: System Language Discovery
PID:2796
[level 2] C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4628
[level 3] C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2541.tmp"
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3104
[level 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
- System Location Discovery: System Language Discovery
PID:4956
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
PID:2272
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6716 /prefetch:8
PID:428
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4888 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID:4608
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2960 /prefetch:8
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4280
[level 2] C:\Users\Admin\Downloads\NJRat.exe
"C:\Users\Admin\Downloads\NJRat.exe"
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2024
[level 3] C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4760
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
PID:1824
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6000 /prefetch:8
PID:3304
[level 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:3344
C:\Users\Admin\Downloads\WarzoneRAT (1).exe"C:\Users\Admin\Downloads\WarzoneRAT (1).exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB9F0.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2896
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2480
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:12⤵PID:1360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:12⤵PID:3984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7152 /prefetch:82⤵PID:1984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7056 /prefetch:82⤵PID:4900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4968 /prefetch:82⤵PID:1120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6860 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:4688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6776 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:1012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:2844
-
-
C:\Users\Admin\Downloads\Bezilom.exe"C:\Users\Admin\Downloads\Bezilom.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3968
-
-
C:\Users\Admin\Downloads\Bezilom.exe"C:\Users\Admin\Downloads\Bezilom.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2444
-
-
C:\Users\Admin\Downloads\Bezilom (1).exe"C:\Users\Admin\Downloads\Bezilom (1).exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1176
-
-
C:\Users\Admin\Downloads\Fagot.a.exe"C:\Users\Admin\Downloads\Fagot.a.exe"2⤵
- Modifies WinLogon for persistence
- Manipulates Digital Signatures
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
PID:1500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:12⤵PID:4944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6392 /prefetch:82⤵PID:5040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3656 /prefetch:22⤵PID:3296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2496 /prefetch:22⤵PID:648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17296985305116700219,9124604236104212248,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2064 /prefetch:22⤵PID:396
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2380
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3844
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2428
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa39ca055 /state1:0x41c64e6d1⤵PID:764
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (2)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (2)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify System Firewall (1)
    - Safe Mode Boot (1)
  - Modify Registry (5)
  - Subvert Trust Controls (2)
    - SIP and Trust Provider Hijacking (2)
Downloads
- Filesize: 9.1MB
  MD5: 64261d5f3b07671f15b7f10f2f78da3f
  SHA1: d4f978177394024bb4d0e5b6b972a5f72f830181
  SHA256: 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
  SHA512: 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a
- Filesize: 56KB
  MD5: b635f6f767e485c7e17833411d567712
  SHA1: 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
  SHA256: 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
  SHA512: 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af
- Filesize: 507B
  MD5: a0c3e1aca0335d2d3a6c16038a5e1feb
  SHA1: 865132ecfd8bc3781419e10a57ef33686d80f83f
  SHA256: 68e52b0dae9281848730d457702a3fbe0868a0209d2740c9b5435dcf872d1072
  SHA512: 6b5dc7bb61bebea323e806e4eeaac8383621c84be7545af744923445dc4545b9395abcd8f7b82f8b30fddc28872e3f47a010a271f588b5dd725cdd1be2ee4ed8
- Filesize: 152B
  MD5: 4c1a24fa898d2a98b540b20272c8e47b
  SHA1: 3218bff9ce95b52842fa1b8bd00be073177141ef
  SHA256: bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95
  SHA512: e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e
- Filesize: 152B
  MD5: f1d2c7fd2ca29bb77a5da2d1847fbb92
  SHA1: 840de2cf36c22ba10ac96f90890b6a12a56526c6
  SHA256: 58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5
  SHA512: ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14
- Filesize: 21KB
  MD5: 6ff1a4dbde24234c02a746915c7d8b8d
  SHA1: 3a97be8e446af5cac8b5eaccd2f238d5173b3cb3
  SHA256: 2faaca6a253d69be3efb96620ba30e53ecb3de12d5285b83ecdba8cbc36e7311
  SHA512: f117b822aeb0a434a0750c44cbf4cdf627bfebc0d59e266993a4fcb17a7a0519659e13b3bcf8706eed7d80d0ce33b0ce5915afe5872c37c010a401dd6bb1187b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: d2093921c8711428c5f2be9efc8d509a
  SHA1: 86c5ab0018fa102fc0c9ba9eb2f9d0d30166d31c
  SHA256: bc5cf20a8cfd75e6309c8a43377e28300a9c9d295b080d16c043ff5b5a994d15
  SHA512: cfbca833a2803397f7b3b1e449be2d3ae23b48c7a6a22104a719b6e672008d43660c6cbac355dcabba2bc669df23c25debda6b8fc99faea4c96bcd3c43b622fe
- Filesize: 579B
  MD5: a9b93c44a3b933cd2fe95ce7be131065
  SHA1: 8bfa9cb88cff73e74a996c758995a90837016683
  SHA256: 1d23635deba81bd23f79977e539967cd95e4bfc3f0a7d3798bea0c732a8b3fa7
  SHA512: f5690976b9514962edb6be03b425f43c835ec83ee846e94260774c794dd2d29d98615618d8b98d633f2e165ed091f8a1a67104ad03e09fcd770ab9f1d238f2a9
- Filesize: 111B
  MD5: 807419ca9a4734feaf8d8563a003b048
  SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
  SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
  SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
- Filesize: 6KB
  MD5: 9878e026ce1a20bbf325465ca3e1cef6
  SHA1: 25afc49a5fcf7dce7bba4104acb7caff947cfaf3
  SHA256: 121456748e4813b42c44ab71dc4d53b9212a0b1fbc4250e5e2eb801cdbb19b10
  SHA512: 8d552c39748c750d2f64e27397db71b6bc0a2a617cf19362355d7e5bb184ba2cb4cd9e01116eef68d599b2ddecbae417b52a71410446125ddb789bea499f585d
- Filesize: 5KB
  MD5: 176d738f94034a75c54209e2a38a36ec
  SHA1: 5f15ba7fa94c26281212d97d0c8cdcbd7879e3cd
  SHA256: 1190758abc92e56cc8cb0a49085bd04c8fea1e4f2877c59279dc7fc984c2fd08
  SHA512: 68e95ee0096ce5de6039054416dea6341f63dfd9e8faff5dded67cd0a016f9221922ff503d844b2b3b225864ff07c3015b7be1f02c08be248d1482e2aa05398c
- Filesize: 6KB
  MD5: bc3a03bbf49153af29282725f76faf45
  SHA1: 1f6106aed03b451b71783d405db7c6ded4c896f6
  SHA256: 7a3b5a72bf88e9ae5dde2512720640288950ce372528e9e0f83d32c3e0d9b87e
  SHA512: 0143a58c3aecf26e884c2ad570680fe33c0a9280c501b85d112324b987508cf630ecd2328303a230a7f4b93041304588ae4bc6ebe157b95fef190ad20ad68e4d
- Filesize: 1KB
  MD5: 7d388853d381a122dfa7ee9400391094
  SHA1: 296f92066f8caf15abeb495687932eefc96ed37b
  SHA256: 80f6ac7004895cd2c3056e033cd349c9300e7821930f7fd1a1888395811ae520
  SHA512: 2456f4925331010692def4cb83be491aa1a07d1ba66b3416889910f1ee0b9d46a3bb9f68cd44fbc8989e084d7bb68a912ea4851ff66aab9d8d0c8cfe3dada485
- Filesize: 1KB
  MD5: 5597b033f4d6ea8627624b42a8462382
  SHA1: 1bb4ba29a0c813e8fc3ea8fe99c574a48363bcfe
  SHA256: 1dc5304516395ddb92450b16e26dcf3a9436feb1d009ef7d78496c010a46950a
  SHA512: 5aee83640d3826b67b63ef7708db1d1dda95065e93f83a71c40d1b831dd83bfacf45cbf34d3a8d7cbd3a7b68082cfb04e499700ff016b8dd532e6c064153690a
- Filesize: 1KB
  MD5: d4ae953514a6a714cd38166dab07b59f
  SHA1: 13cd35e92b8cc570a7f79c6f8d70271b3b4089e8
  SHA256: f5d7399ea33dc7e6cd577bcc2a0c94b52e64118c067ebe4430bafc7cb5ec1663
  SHA512: 7de643c9f1d352af9d4ffef3fc47a0f2deedec47f7f94b26b4355fc290a646c0e615a9c9706ff769f0923e2998d56afe90933af57d0aeb9d27c94eb52497dd07
- Filesize: 1KB
  MD5: ad9b6569e781ecc0c9d2e8857cbd8a91
  SHA1: 9dff0ea7b94be20ceb6ad797e12b7dbcd1788dd4
  SHA256: bcfb79b8e5076ade1b9fd00bd1284d1c62e0d39d265b9cebea21a982c131c013
  SHA512: 2afab4ffcadff12452972a367891487a22ef6e4c57745aa24fb2f4c7972d7d29454889828cb960fc33068582254ef9dbcb08a6d42599f26cfc696b6e8713f837
- Filesize: 1KB
  MD5: 8d3f66d31b54073f284116276274924c
  SHA1: 96dd35ee241836987f5e0187d69ff651251c85e1
  SHA256: 92cfd90da06c0c413fa1cc6685655726d8bd7d0c1af4c3637dfbd58811a1c1ce
  SHA512: 5c9cd9415659547d6709c6fe51ef65a1b81b74e39de6aa239c68f70ca91038bfe0b2631c971a0ab4c8f5be069c6d8dc76d6d41dc5287fc16b8ffd30da252205e
- Filesize: 1KB
  MD5: 085b1af867ff501c64065fff6f379ff3
  SHA1: d14ee8b72fa911fdc5782dbcb3668574398d786a
  SHA256: 4f54e62975905cc99f0418a25c765a11586864c6ae2c1d17ed61c26511608df4
  SHA512: 31f815c15f73922734364df499cfba14ea049b478a4a5aad84f933ea1c66c55286bc4a9e275408a3ccb64d4871f140e8439fff60cd43243580a0d85d133e0fbb
- Filesize: 1KB
  MD5: 2638282f64f11d2cf699026a0b771a0b
  SHA1: 2a04871203d841516cf2eabd440b195581298d83
  SHA256: 7ded556f12ff0c5f6a564c2ed869c739b6859f55b2da1dd8fd903838d7b68b1b
  SHA512: d1abe4e01b3f88138051e17721057def2863cda1ef5be9372b301c9550ebb0fa87e2850991b266b4eacb185f21f2ee741db972e84b45cb3765ecc8286da46e99
- Filesize: 1KB
  MD5: 6a6a7bd1646fda6a61d75535672e5363
  SHA1: 702865f2749256b3eff5e9902877075ca0b83f41
  SHA256: 33f0aa16e51244f9aeedad86979bd1e577f2ad1345402f82c71b9220a41298b1
  SHA512: 3e86d336e4212d77993bf835c00cb063f7e92262eaea92fe6e6803a3a4c7d6e9f336a8ee8c9b57e9edbb7d9831edba4dc918c3f524371cca8070a007877c97d6
- Filesize: 1KB
  MD5: fa7a981fa96f49bc8fa4fd451af6e5ab
  SHA1: 0f3d5c7b3b93056639cbbe1a9da9dc564606a92b
  SHA256: 11a54c80c7c067b020e3cfda0c6ffaf3a547780821cd8d42fe96a44465e574cd
  SHA512: ff67f7a6c2ea15ffa15d9fabf6c046022112962934fcf3c8b49ac8c4a5fa709f7fcf0ed4eabef78c360ad4d0617d3ca1f080d307432a817cf9288b39ec6602ce
- Filesize: 1KB
  MD5: 767eb35ac073a115282323d5a6516369
  SHA1: 74400cbc90db4a6ef5082650bcc67346764e0c78
  SHA256: f1dcd598200e25592c8aa20c9cf071c5203b3f4f30f98dc337a9e46041b85df2
  SHA512: 1582f2025306db872e93fa2503e92cd9f08f4c106aa5391981c239de866f79f5332e8e3a86da99113e3862bbd6860239182521bbb247707dfe409f64f17be898
- Filesize: 1KB
  MD5: 5d4dcf1b97d3e77038fc33e5b760b382
  SHA1: ec7c2541528fc626d21d0e3e0a3d7e4b73abd9f4
  SHA256: a7a6386cf3407cb733c67599ed8fdb66e3d59dca83c1135c14ae6e3f50e0d150
  SHA512: b3b73b0c3b14b1c7cf83a559d16c559a975f15b9e2f70c3a3b35c4dd503017dc8980a98979c1556fb2a8c5bb1c0a109d36843632ac0c7964296722ecf7b3054c
- Filesize: 874B
  MD5: 405ac2042e30cdda1570ba13a7843945
  SHA1: 082a4b7e13feda182fd321d2d8ef690a1b5b099e
  SHA256: fca4b948a4745abfbe53124796308d179da432d083b50b2669e9e77c9a0535ce
  SHA512: cfbf03d0638b907a18f91ebda0d95752d104b50529aafb6f4d64a29fc617918a5f9ed8a6ce79e2b8296ecdbdebc7bdde77b1dea8a5a8b6ea3102cb66841f328d
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 44KB
  MD5: 4618b456b8907fea84c3f496a6758305
  SHA1: de06ade85155fb20e999df22e0f3f69db2932b31
  SHA256: 110ed8d363959316f33d9008c9bf75b58ae6925d847470088a57a039c01125da
  SHA512: bb0fad336de60f5348cb435b5c09a66f3707a3d6d1804f59f6fc45f30f61132f12bdf98bd84694117529eddb00681cd940b1fa6e8dda9d923361724754b4db3a
- Filesize: 264KB
  MD5: ba5de2ba05bbcbba2ca3dacd6e6d9f01
  SHA1: a35dec063f5118f1217556f42d36265716198ed4
  SHA256: 549c7740c0bde63650204f967ab91f77b9ed65aad56d6bfd5f1d2c8f279b7ce8
  SHA512: c39fc9d3f8661699e4fa599460e602675d59a5baf0bb1da7317114a9a58f8aa87dc9e955c7ca2c12c76f62930727dcf605776f4eddb30f7bcd5bfb40d87433f9
- Filesize: 4.0MB
  MD5: fb80d0453d755cb06374e823a4b2cc99
  SHA1: 4ff8fefcc945569d07b9a49a99cc951cbe9a8de9
  SHA256: 1a3f9ffb39ed4f9d82741168ef380bc3b86c68cb1fdf2a2861a65f2f7d186925
  SHA512: caa0aa3f1601dcdc5a1998a334d7fb0ac3f54e866137059c82b0dcdee90dc37516d327e41bec5538282d9ddea1dadaea4e573c212927f262230e3cd481a79f6b
- Filesize: 20KB
  MD5: 2a029687e73114ebcb4fad10c0114e8a
  SHA1: f09cbbed46b9f8c731568bdcee13024e89bda397
  SHA256: fe6e92a5b020858bbdd8089533c6f22703bc5927e22f689c384164096705b11b
  SHA512: 211dc45e2bb5739bcf863c44ca8132f92e895b3c95d074929aa4338698d53c6ccb3a8e2f23180260d9226073f4f5cd21a200010a7a224de7c8ac2e1cc853730d
- Filesize: 11KB
  MD5: 821f978228584ec8c68f40d8fc4e7fcc
  SHA1: 43b53482221a106d94e97add888194e4d654efbd
  SHA256: 1327fca3faf2be90d3a359afb49e2df5facd0502aecbc02d1c143de1710b40e2
  SHA512: b01901c7d39f96bcea0a54d23da074d97cb613a2fbd5554c08619795fb03a9df5d9f36cc20235f76f1ed86884807366fd40c1b6f84299e2cba947884c0cdaf8e
- Filesize: 10KB
  MD5: 6d0c2cb7dfe9ae725db07c551d911460
  SHA1: 231579e38a15fcf4566697c4253cba87019a8efd
  SHA256: dd69f7c076782423d6a59fa97adeb79c9bfc9e733ba3418ba65c4800b21e0577
  SHA512: a4f5ce7c04da72f84493f45e5f4fd355bee59af5bd51c9354ce6efc514b584f37d43ba07040ac80ebe7e506cc189672a4e58d5a35181dc9a4a31b371b5794371
- Filesize: 11KB
  MD5: 970920587eed8637bedd92506e768bb2
  SHA1: 5bb4931e329e8ccfee8cbe08aa412ab730b99ec8
  SHA256: 9b943ded86cefce61927e74693f863f7647e17806fdbb310eb3b0b132119bc93
  SHA512: e0deb01ba9691b13bacab4e0faf4fecdaba1fe1ed207a10d391407d693a2b290d2ea1c32e633b3ac4fe5a2255d7730acf6c4478e78b80addc041d1d7fe8d4137
- Filesize: 10KB
  MD5: 058ca21fd9b15b0181dbe5db51ddded2
  SHA1: 44c997acfb7449b96b81cf8b3a7932aab5544f7d
  SHA256: 1c15a0d8260baadfdb30df97efe7e9174ea42ab2955d9345ac6fa79f39c24767
  SHA512: 471ea42f7f93f7bd18291a99e0765eaa8b3b592d9043ec1bc03fffc43d5fc820f5e0a5b0eac23313ba9fcb5a5770259d3d0470c27d02f9fe38d5e7c134596df0
- Filesize: 10KB
  MD5: b98034c374fe67c534f88dc8ec4fdb86
  SHA1: d4e5998b6fc63f384484d2ee0bd00bb186630da7
  SHA256: 58b7b82bc806cdf675c0488234165f5a438b567f01c8a2efe7e1fe01aca410f5
  SHA512: 617a3a30744bd97390b4ee9deddc7039ea4870213202ae01b2159b948d5783a30cb2ec150fed2e790b0d84044e7f0993fcc7779a4d499c3fe2bb8390415ef467
- Filesize: 264KB
  MD5: 76bd1d3f6063a1eda948241f8cf7e46e
  SHA1: c2f1c4bee3cb2b00ebd22677a46ddfc2a8cdb34e
  SHA256: e272fd2b4240214b3bf6d292c02fbfe5d80afc3e27ac589d71ff2bc1b0e861d3
  SHA512: a7bb1fc9b842a20ebc474790ccf469c93d907d6cad02faf46f7846041a7685d76436dc7058fc3f84a551e5aaa32f7568af82af70ec7c970a48406f0fd4316b94
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5: 785073822344ae3813284ebc92bb596a
  SHA1: 96e2a933b38352ed2c8e6e34e94756b70c143214
  SHA256: 36ef4cbbc494deacf81f364b546281223a39bea01a32b0c4b0e2324f984d6817
  SHA512: 28b21e17fdf026a025503a2ae1014ea4e8ce5385e42396007a7a23aba3aecb591d225e2a90d47f6f9e02d34792d74b89547715d66899265dbf8372258ccf4498
- C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
  Filesize: 10KB
  MD5: 327975ba2c226434c0009085b3702a06
  SHA1: b7b8b25656b3caefad9c5a657f101f06e2024bbd
  SHA256: 6fa9064f304b70d6dcebee643ca017c2417ff325106917058f6e11341678583c
  SHA512: 150a57c143fc5ff2462f496f5a9451310b8d99e32c4d570641204c8062a78590f14bed438ac981e8b0609a0c87b859a1f8502a78687bc36c3a9529d633a58e51
- Filesize: 1KB
  MD5: d053c70cc876acc47a96dd23d3396807
  SHA1: f5f1ac80e36cacc1de96bbfc51ef974822305414
  SHA256: 0a07437d544186b2ec4399c98af8686605b47c8e222babb47760d8adfc921a9b
  SHA512: b71c6cb10a916c6237ff3f61b1253d5e83d474938b1d8582bd7f45dff0715193ec4bcf74d11e361e3f9f2255aa0c8a01f1c9074efa26bf6656c65d041df7f49c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
  Filesize: 8KB
  MD5: e9842ba2dc01b14aff3916853df439af
  SHA1: ae4e131249c9f97df247584c58b72c8ed3eb50df
  SHA256: 82144fc6b16a84f1ca6d0b5a20615aa88d284352c013aec98d5d4db38ac72313
  SHA512: aade85e2fa5037c048ad3f976535454f1c7f81f7d66d5f9fb81aef72249eeed590d5319e5944a0cbdce7618793fe33a8d0f59c38b715d48e9f8762ecb5f77f9e
- Filesize: 26B
  MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
  SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
  SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
  SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
- Filesize: 5KB
  MD5: fe537a3346590c04d81d357e3c4be6e8
  SHA1: b1285f1d8618292e17e490857d1bdf0a79104837
  SHA256: bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a
  SHA512: 50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce
- Filesize: 321KB
  MD5: 600e0dbaefc03f7bf50abb0def3fb465
  SHA1: 1b5f0ac48e06edc4ed8243be61d71077f770f2b4
  SHA256: 61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2
  SHA512: 151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9
- Filesize: 7B
  MD5: 4047530ecbc0170039e76fe1657bdb01
  SHA1: 32db7d5e662ebccdd1d71de285f907e3a1c68ac5
  SHA256: 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
  SHA512: 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
- Filesize: 756KB
  MD5: c7dcd585b7e8b046f209052bcd6dd84b
  SHA1: 604dcfae9eed4f65c80a4a39454db409291e08fa
  SHA256: 0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
  SHA512: c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
- Filesize: 26KB
  MD5: b6c78677b83c0a5b02f48648a9b8e86d
  SHA1: 0d90c40d2e9e8c58c1dafb528d6eab45e15fda81
  SHA256: 706fce69fea67622b03fafb51ece076c1fdd38892318f8cce9f2ec80aabca822
  SHA512: 302acca8c5dd310f86b65104f7accd290014e38d354e97e4ffafe1702b0a13b90e4823c274b51bcc9285419e69ff7111343ac0a64fd3c8b67c48d7bbd382337b
- Filesize: 373KB
  MD5: 30cdab5cf1d607ee7b34f44ab38e9190
  SHA1: d4823f90d14eba0801653e8c970f47d54f655d36
  SHA256: 1517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f
  SHA512: b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3
- Filesize: 28KB
  MD5: 8e9d7feb3b955e6def8365fd83007080
  SHA1: df7522e270506b1a2c874700a9beeb9d3d233e23
  SHA256: 94d2b1da2c4ce7db94ee9603bc2f81386032687e7c664aff6460ba0f5dac0022
  SHA512: 4157a5628dc7f47489be2c30dbf2b14458a813eb66e942bba881615c101df25001c09afb9a54f88831fa4c1858f42d897f8f55fbf6b4c1a82d2509bd52ba1536
- Filesize: 84KB
  MD5: b6e148ee1a2a3b460dd2a0adbf1dd39c
  SHA1: ec0efbe8fd2fa5300164e9e4eded0d40da549c60
  SHA256: dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
  SHA512: 4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
- Filesize: 31KB
  MD5: 29a37b6532a7acefa7580b826f23f6dd
  SHA1: a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f
  SHA256: 7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69
  SHA512: a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818
- Filesize: 55B
  MD5: 0f98a5550abe0fb880568b1480c96a1c
  SHA1: d2ce9f7057b201d31f79f3aee2225d89f36be07d
  SHA256: 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
  SHA512: dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6