Analysis
-
max time kernel
533s -
max time network
534s -
platform
windows11-21h2_x64 -
resource
win11-20250314-en -
resource tags
arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system -
submitted
25/03/2025, 01:24
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://google.com
Resource
win11-20250314-en
General
-
Target
http://google.com
Malware Config
Extracted
revengerat
Guest
0.tcp.ngrok.io:19521
RV_MUTEX
Extracted
darkcomet
Guest1111
193.242.166.48:1605
DC_MUTEX-2QRLPN3
-
InstallPath
Windupdt\winupdate.exe
-
gencode
Rb5l52XcV9no
-
install
true
-
offline_keylogger
false
-
password
313131
-
persistence
true
-
reg_key
winupdater
Signatures
-
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
description ioc Process File created C:\Program Files\Java\jre-1.8\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\VideoLAN\VLC\lua\http\js\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe -
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource yara_rule behavioral1/memory/2520-1981-0x0000000010000000-0x0000000010010000-memory.dmp chimera_loader_dll -
Chimera family
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 13 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" Blackkomet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe -
Njrat family
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
Renames multiple (3245) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
RevengeRat Executable 1 IoCs
resource yara_rule behavioral1/files/0x002100000002b5c4-9877.dat revengerat -
Downloads MZ/PE file 5 IoCs
flow pid Process 301 4872 msedge.exe 301 4872 msedge.exe 301 4872 msedge.exe 301 4872 msedge.exe 301 4872 msedge.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2648 netsh.exe -
Sets file to hidden 1 TTPs 26 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 5712 attrib.exe 4668 attrib.exe 4572 attrib.exe 3576 attrib.exe 4560 attrib.exe 3384 attrib.exe 5284 attrib.exe 5940 attrib.exe 3140 attrib.exe 6112 attrib.exe 772 attrib.exe 3340 attrib.exe 2956 attrib.exe 984 attrib.exe 2568 attrib.exe 3108 attrib.exe 868 attrib.exe 2344 attrib.exe 3688 attrib.exe 1708 attrib.exe 1332 attrib.exe 1136 attrib.exe 5864 attrib.exe 3648 attrib.exe 5252 attrib.exe 1496 attrib.exe -
Drops startup file 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA RegSvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe RegSvcs.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe NJRat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe NJRat.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:Zone.Identifier:$DATA NJRat.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe RegSvcs.exe -
Executes dropped EXE 19 IoCs
pid Process 3788 FlashKiller.exe 2520 HawkEye.exe 1700 NJRat.exe 5360 RevengeRAT (1).exe 960 svchost.exe 1104 Blackkomet.exe 5248 winupdate.exe 5736 winupdate.exe 1416 winupdate.exe 124 winupdate.exe 5540 winupdate.exe 1568 winupdate.exe 448 winupdate.exe 2012 winupdate.exe 2560 winupdate.exe 3348 winupdate.exe 1164 winupdate.exe 3488 svchost.exe 232 winupdate.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 16 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." NJRat.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" Blackkomet.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe" RegSvcs.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." NJRat.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" winupdate.exe -
Drops desktop.ini file(s) 26 IoCs
description ioc Process File opened for modification C:\Users\Admin\Documents\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Videos\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Desktop\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Pictures\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Videos\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Music\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Searches\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Documents\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Downloads\desktop.ini HawkEye.exe File opened for modification C:\Users\Public\Libraries\desktop.ini HawkEye.exe File opened for modification C:\Program Files\desktop.ini HawkEye.exe File opened for modification C:\Program Files (x86)\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Links\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Music\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini HawkEye.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini HawkEye.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
flow ioc 301 raw.githubusercontent.com 408 0.tcp.ngrok.io 437 raw.githubusercontent.com 438 raw.githubusercontent.com 441 0.tcp.ngrok.io 299 raw.githubusercontent.com 300 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 250 bot.whatismyipaddress.com -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe Blackkomet.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe Blackkomet.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA Blackkomet.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ Blackkomet.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\ winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe File opened for modification C:\Windows\SysWOW64\Windupdt attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe attrib.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe winupdate.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 5360 set thread context of 5556 5360 RevengeRAT (1).exe 172 PID 5556 set thread context of 3540 5556 RegSvcs.exe 173 PID 960 set thread context of 2124 960 svchost.exe 324 PID 2124 set thread context of 3184 2124 RegSvcs.exe 325 PID 3488 set thread context of 5640 3488 svchost.exe 423 PID 5640 set thread context of 5564 5640 RegSvcs.exe 424 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare71x71Logo.scale-100.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-16_contrast-black.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\WeatherMedTile.scale-125.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.targetsize-64.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StoreLogo.scale-100.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-64_contrast-white.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-24_altform-unplated_contrast-black.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.scale-200.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-lightunplated_contrast-white.png HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_fillsign_logo.svg HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_listview_18.svg HawkEye.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\CameraLargeTile.scale-125.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\NotepadSmallTile.scale-125.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-30.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-36.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\PowerAutomateSquare310x310Logo.scale-400.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\customizations\mergeSettings.js HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner_process.svg HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_duplicate_18.svg HawkEye.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\Images\AppPowerPoint32x32.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintStoreLogo.scale-100.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\PowerAutomateAppIcon.targetsize-32.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SnipSketchSmallTile.scale-100.png HawkEye.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_18.svg HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\ui-strings.js HawkEye.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewComment.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\SplashScreen.scale-400.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-60_altform-unplated.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-20_altform-unplated.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GamingApp_2021.427.138.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml HawkEye.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\GroupedList\GroupFooter.base.js HawkEye.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML HawkEye.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\Images\AppWord32x32.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-200.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-125.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\FeedbackHubWideTile.scale-200.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32_altform-unplated_contrast-white.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-150.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-72.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\AppIcon.scale-100.png HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Paint_10.2104.17.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml HawkEye.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.2012.21.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorMedTile.scale-125_contrast-white.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.scale-200.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36_altform-lightunplated_contrast-white.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-96_contrast-white.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-64_altform-lightunplated.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-96_altform-unplated.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_contrast-black.png HawkEye.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sqlpdw.xsl HawkEye.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\warn\warnControlledUsage.js HawkEye.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-36_altform-lightunplated.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png HawkEye.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\RunningLate.scale-80.png HawkEye.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_1836180021\_platform_specific\win_x64\widevinecdm.dll msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_236410010\LICENSE msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-ec\pt-PT\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-hub\fr-CA\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-shared-components\ko\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-hub\ja\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\wallet\wallet-checkout\checkoutdata.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_945816473\shopping.html msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\hub-signature.txt msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-notification\pt-BR\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\wallet-webui-992.268aa821c3090dce03cb.chunk.js msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_674753942\manifest.fingerprint msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\bnpl_driver.js msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\crypto.bundle.js msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-hub\fr\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-hub\it\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-mobile-hub\fr-CA\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-notification-shared\pt-BR\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-shared-components\zh-Hant\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_236410010\manifest.fingerprint msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-shared-components\fr-CA\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\wallet-icon.svg msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\bnpl\bnpl.bundle.js msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-tokenized-card\ja\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\Notification\notification.html msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\wallet.html msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_945816473\manifest.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-notification-shared\ko\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-notification-shared\fr\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\wallet-webui-708.de49febeeb0e9c77883f.chunk.js msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_1836180021\_platform_specific\win_x64\widevinecdm.dll.sig msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-ec\sv\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-notification-shared\pt-PT\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-ec\en-GB\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-tokenized-card\fr-CA\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\wallet\wallet-eligibile-aad-users.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_1696777571\manifest.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_945816473\shoppingfre.js msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-hub\ko\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-mobile-hub\zh-Hant\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\wallet\README.md msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\wallet\wallet-notification-config.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-ec\da\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-ec\de\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-ec\it\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-notification-shared\zh-Hans\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-tokenized-card\id\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\wallet\wallet-checkout-eligible-sites-pre-stable.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-ec\zh-Hant\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\Tokenized-Card\tokenized-card.bundle.js msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_1696777571\typosquatting_list.pb msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-ec\pt-BR\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-hub\en-GB\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-notification-shared\de\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-mobile-hub\ru\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-ec\fr\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-notification-shared\fi\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-tokenized-card\de\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\runtime.bundle.js msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-hub\hu\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-notification\sv\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-hub\fi\strings.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\wallet-webui-925.baa79171a74ad52b0a67.chunk.js msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-hub\da\strings.json msedge.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\FlashKiller.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\RevengeRAT (1).exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier msedge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2564 3788 WerFault.exe 133 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NJRat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winupdate.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Kills process with taskkill 1 IoCs
pid Process 400 taskkill.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31169920" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1445592170" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\BrowserEmulation iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedge.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873395255367220" msedge.exe -
Modifies registry class 16 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{F2B8F056-D500-4B4A-9216-84DF6BA63174} msedge.exe Key created \REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Blackkomet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winupdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
NTFS ADS 12 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\L0Lz.bat:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\CobaltStrike.doc:Zone.Identifier msedge.exe File created C:\svchost\svchost.exe\:Zone.Identifier:$DATA RegSvcs.exe File opened for modification C:\Users\Admin\Downloads\FlashKiller.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Carewmr.vbs:Zone.Identifier msedge.exe File created C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSITIVES-FALSES WScript.exe File opened for modification C:\Users\Admin\Downloads\RevengeRAT (1).exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier msedge.exe File created C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA RegSvcs.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4620 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3040 msedge.exe 3040 msedge.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe 1700 NJRat.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs
pid Process 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 400 taskkill.exe Token: SeDebugPrivilege 2520 HawkEye.exe Token: SeDebugPrivilege 1700 NJRat.exe Token: SeDebugPrivilege 5360 RevengeRAT (1).exe Token: SeDebugPrivilege 5556 RegSvcs.exe Token: 33 1700 NJRat.exe Token: SeIncBasePriorityPrivilege 1700 NJRat.exe Token: 33 1700 NJRat.exe Token: SeIncBasePriorityPrivilege 1700 NJRat.exe Token: 33 1700 NJRat.exe Token: SeIncBasePriorityPrivilege 1700 NJRat.exe Token: 33 1700 NJRat.exe Token: SeIncBasePriorityPrivilege 1700 NJRat.exe Token: 33 1700 NJRat.exe Token: SeIncBasePriorityPrivilege 1700 NJRat.exe Token: SeDebugPrivilege 960 svchost.exe Token: SeDebugPrivilege 2124 RegSvcs.exe Token: 33 1700 NJRat.exe Token: SeIncBasePriorityPrivilege 1700 NJRat.exe Token: 33 1700 NJRat.exe Token: SeIncBasePriorityPrivilege 1700 NJRat.exe Token: SeIncreaseQuotaPrivilege 1104 Blackkomet.exe Token: SeSecurityPrivilege 1104 Blackkomet.exe Token: SeTakeOwnershipPrivilege 1104 Blackkomet.exe Token: SeLoadDriverPrivilege 1104 Blackkomet.exe Token: SeSystemProfilePrivilege 1104 Blackkomet.exe Token: SeSystemtimePrivilege 1104 Blackkomet.exe Token: SeProfSingleProcessPrivilege 1104 Blackkomet.exe Token: SeIncBasePriorityPrivilege 1104 Blackkomet.exe Token: SeCreatePagefilePrivilege 1104 Blackkomet.exe Token: SeBackupPrivilege 1104 Blackkomet.exe Token: SeRestorePrivilege 1104 Blackkomet.exe Token: SeShutdownPrivilege 1104 Blackkomet.exe Token: SeDebugPrivilege 1104 Blackkomet.exe Token: SeSystemEnvironmentPrivilege 1104 Blackkomet.exe Token: SeChangeNotifyPrivilege 1104 Blackkomet.exe Token: SeRemoteShutdownPrivilege 1104 Blackkomet.exe Token: SeUndockPrivilege 1104 Blackkomet.exe Token: SeManageVolumePrivilege 1104 Blackkomet.exe Token: SeImpersonatePrivilege 1104 Blackkomet.exe Token: SeCreateGlobalPrivilege 1104 Blackkomet.exe Token: 33 1104 Blackkomet.exe Token: 34 1104 Blackkomet.exe Token: 35 1104 Blackkomet.exe Token: 36 1104 Blackkomet.exe Token: SeIncreaseQuotaPrivilege 5248 winupdate.exe Token: SeSecurityPrivilege 5248 winupdate.exe Token: SeTakeOwnershipPrivilege 5248 winupdate.exe Token: SeLoadDriverPrivilege 5248 winupdate.exe Token: SeSystemProfilePrivilege 5248 winupdate.exe Token: SeSystemtimePrivilege 5248 winupdate.exe Token: SeProfSingleProcessPrivilege 5248 winupdate.exe Token: SeIncBasePriorityPrivilege 5248 winupdate.exe Token: SeCreatePagefilePrivilege 5248 winupdate.exe Token: SeBackupPrivilege 5248 winupdate.exe Token: SeRestorePrivilege 5248 winupdate.exe Token: SeShutdownPrivilege 5248 winupdate.exe Token: SeDebugPrivilege 5248 winupdate.exe Token: SeSystemEnvironmentPrivilege 5248 winupdate.exe Token: SeChangeNotifyPrivilege 5248 winupdate.exe Token: SeRemoteShutdownPrivilege 5248 winupdate.exe Token: SeUndockPrivilege 5248 winupdate.exe Token: SeManageVolumePrivilege 5248 winupdate.exe Token: SeImpersonatePrivilege 5248 winupdate.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe 3536 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3536 wrote to memory of 3636 3536 msedge.exe 82 PID 3536 wrote to memory of 3636 3536 msedge.exe 82 PID 3536 wrote to memory of 4872 3536 msedge.exe 83 PID 3536 wrote to memory of 4872 3536 msedge.exe 83 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4848 3536 msedge.exe 85 PID 3536 wrote to memory of 4848 3536 msedge.exe 85 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4840 3536 msedge.exe 84 PID 3536 wrote to memory of 4848 3536 msedge.exe 85 PID 3536 wrote to memory of 4848 3536 msedge.exe 85 PID 3536 wrote to memory of 4848 3536 msedge.exe 85 -
Views/modifies file attributes 1 TTPs 26 IoCs
pid Process 5252 attrib.exe 772 attrib.exe 868 attrib.exe 3108 attrib.exe 5864 attrib.exe 3688 attrib.exe 1708 attrib.exe 2568 attrib.exe 1136 attrib.exe 5712 attrib.exe 3648 attrib.exe 5284 attrib.exe 5940 attrib.exe 6112 attrib.exe 2344 attrib.exe 2956 attrib.exe 984 attrib.exe 1332 attrib.exe 4560 attrib.exe 4572 attrib.exe 3576 attrib.exe 1496 attrib.exe 3140 attrib.exe 3340 attrib.exe 4668 attrib.exe 3384 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://google.com1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x26c,0x7ffabcf3f208,0x7ffabcf3f214,0x7ffabcf3f2202⤵PID:3636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1852,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=2516 /prefetch:112⤵
- Downloads MZ/PE file
PID:4872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2140,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=2532 /prefetch:132⤵PID:4840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2488,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=2480 /prefetch:22⤵PID:4848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3432,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:12⤵PID:4236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3444,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=3472 /prefetch:12⤵PID:3052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4844,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=4852 /prefetch:12⤵PID:4576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3736,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=3732 /prefetch:142⤵PID:1076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3684,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=5076 /prefetch:142⤵PID:1096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4588,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:142⤵PID:1788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5760,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:142⤵PID:1104
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.execookie_exporter.exe --cookie-json=11123⤵PID:1748
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5768,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:142⤵PID:5904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5768,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:142⤵PID:2108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5816,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:142⤵PID:704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6320,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=6356 /prefetch:12⤵PID:5372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6764,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=6512 /prefetch:142⤵PID:6016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6904,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:12⤵PID:1600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=5780,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=6956 /prefetch:12⤵PID:1456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=7080,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7104 /prefetch:12⤵PID:2796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=6968,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7064 /prefetch:12⤵PID:2976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6744,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=5872 /prefetch:12⤵PID:772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=568,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7228 /prefetch:142⤵PID:4380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5796,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7312 /prefetch:142⤵PID:5532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6400,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7352 /prefetch:142⤵PID:5540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5572,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=1976 /prefetch:142⤵PID:2696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6860,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7404 /prefetch:142⤵PID:956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=7328,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7300 /prefetch:12⤵PID:3336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7392,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7844 /prefetch:142⤵
- NTFS ADS
PID:2088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\L0Lz.bat" "2⤵PID:5436
-
C:\Windows\system32\net.exenet session3⤵PID:5620
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session4⤵PID:3368
-
-
-
C:\Windows\system32\net.exenet stop "SDRSVC"3⤵PID:3424
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SDRSVC"4⤵PID:5524
-
-
-
C:\Windows\system32\net.exenet stop "WinDefend"3⤵PID:5188
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WinDefend"4⤵PID:1124
-
-
-
C:\Windows\system32\taskkill.exetaskkill /f /t /im "MSASCui.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:400
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8280,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=8268 /prefetch:142⤵PID:2960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=760,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=8312 /prefetch:12⤵PID:4984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8340,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=6836 /prefetch:142⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:3824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8412,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=8252 /prefetch:142⤵PID:4692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8496,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=6488 /prefetch:142⤵PID:5872
-
-
C:\Users\Admin\Downloads\FlashKiller.exe"C:\Users\Admin\Downloads\FlashKiller.exe"2⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 2563⤵
- Program crash
PID:2564
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=7660,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7740 /prefetch:12⤵PID:5008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7308,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7364 /prefetch:142⤵
- NTFS ADS
PID:1856
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Carewmr.vbs"2⤵
- NTFS ADS
PID:1244 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.avp.ru/3⤵PID:5256
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=6704,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=8148 /prefetch:12⤵PID:2992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=7768,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=8284 /prefetch:12⤵PID:5864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=6816,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7376 /prefetch:12⤵PID:3796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7332,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7824 /prefetch:102⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8300,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7924 /prefetch:142⤵PID:3732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=3308,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:12⤵PID:1908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3220,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=1044 /prefetch:142⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:4616
-
-
C:\Users\Admin\Downloads\HawkEye.exe"C:\Users\Admin\Downloads\HawkEye.exe"2⤵
- Chimera
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2520 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\YOUR_FILES_ARE_ENCRYPTED.HTML"3⤵
- Modifies Internet Explorer settings
PID:4312 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "file:///C:/Users/Admin/AppData/Roaming/Mozilla/Firefox/Profiles/pm60e3dc.default-release/YOUR_FILES_ARE_ENCRYPTED.HTML"4⤵PID:5732
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch -- file:///C:/Users/Admin/AppData/Roaming/Mozilla/Firefox/Profiles/pm60e3dc.default-release/YOUR_FILES_ARE_ENCRYPTED.HTML5⤵PID:3900
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3232,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7856 /prefetch:142⤵PID:5044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=8048,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=1496 /prefetch:12⤵PID:6004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4816,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=8228 /prefetch:142⤵PID:1008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=7292,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7916 /prefetch:12⤵PID:1500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7812,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=6436 /prefetch:142⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:2532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8704,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7816 /prefetch:142⤵PID:1980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8700,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=8716 /prefetch:142⤵PID:3224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8320,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:142⤵PID:332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=7336,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=6852 /prefetch:12⤵PID:1208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3000,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=6736 /prefetch:142⤵PID:6052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3288,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=7904 /prefetch:142⤵PID:3672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=8936,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=8400 /prefetch:12⤵PID:3432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7376,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=9016 /prefetch:142⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:3316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --always-read-main-dll --field-trial-handle=5092,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=3004 /prefetch:12⤵PID:2464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7904,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=6956 /prefetch:142⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:792
-
-
C:\Users\Admin\Downloads\NJRat.exe"C:\Users\Admin\Downloads\NJRat.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2648
-
-
-
C:\Users\Admin\Downloads\RevengeRAT (1).exe"C:\Users\Admin\Downloads\RevengeRAT (1).exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5360 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:5556 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"4⤵
- System Location Discovery: System Language Discovery
PID:3540
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gcwoxb0z.cmdline"4⤵PID:2540
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES151C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD17798BEFB9A4BB9944CB5845AD7B9B1.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:2052
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ssm0swyk.cmdline"4⤵PID:3352
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1599.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A70258B82F41D3B362EFF43FEBC7B.TMP"5⤵PID:3672
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x6mtwxtr.cmdline"4⤵PID:760
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1606.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF25447E5E94C44AB2F99D368D6D155.TMP"5⤵PID:5100
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xz7-dde1.cmdline"4⤵PID:764
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3F2311CC5D7649CD88AD1020342FB7E.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:1676
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pe-2azzr.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:5876 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES173F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A7FE83270F4D4BA358FE4D231FDA33.TMP"5⤵PID:2004
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\reweuf8b.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:5236 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc68C1DC75F7E446B4B833DEB69A7E17A1.TMP"5⤵PID:5728
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g0uo8rnq.cmdline"4⤵PID:1520
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1897.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44D8006830294F95ABD6FFAFFEDB7C3.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:4216
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vq-iobj8.cmdline"4⤵PID:5636
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vx6fevy5.cmdline"4⤵PID:3056
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5195761A404A432BADD69A853C098C9.TMP"5⤵PID:5836
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j29fplqr.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:720 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4BF9EE38FE649FCB0CD8634E98B51.TMP"5⤵PID:1660
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qgwjqq2u.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A8B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE89842BD4CF248779C99F1B421ACB047.TMP"5⤵PID:1512
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wwsvoblc.cmdline"4⤵PID:4148
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8EDFC40D1514406285DE111CC73748CF.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:2612
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iqmtjzuo.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:3732 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BC3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5200F7911F95452B8191D9184A1EF47.TMP"5⤵PID:700
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wkd_j-p5.cmdline"4⤵PID:2640
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE65600B6BF41B487978EF7CCD32C2C.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:6016
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d5yrrrdk.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:1336 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6420D21E810E4A5696CF1BC8936834C7.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:3432
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tamzlslk.cmdline"4⤵PID:3108
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E25.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE663C1C5884B46812B9889CAFBB147.TMP"5⤵PID:1548
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rpned4nv.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:4152 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE3A54876CCD4D81AE7F26315DBEF45A.TMP"5⤵PID:3412
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l66fbmqo.cmdline"4⤵PID:2052
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F8C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc757E7B5B1BE4DC7A04A458FEBED084.TMP"5⤵PID:1444
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9bztw8ka.cmdline"4⤵PID:5936
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FF9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE17B86E3D97641F0B440798590524AE6.TMP"5⤵PID:2280
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r4ddl_dl.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2096.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD24ACD0996E4FB68B78AE2BE1EC2EEF.TMP"5⤵PID:1704
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ufb1wgst.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:3736 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2151.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7D3FC0F6C748D9BD14D3B9886EB6.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:6096
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ya1whphm.cmdline"4⤵PID:2936
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A69022D253141738DE18AE48D45FCA.TMP"5⤵PID:5680
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xxiebqji.cmdline"4⤵PID:3600
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t4jxfhaz.cmdline"4⤵PID:4216
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES22E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6DB4CA33754EB5A8671A9855B2D185.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:1672
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bwhhttf_.cmdline"4⤵PID:2644
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2364.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA0486EF5D7214133A3F04893F4A04337.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:5836
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bvz2kfak.cmdline"4⤵PID:1496
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE573AE1E93924829BAA08DAA7D9D2FE1.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:1660
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k_vmor_i.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:5044 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES249D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBA58E5B03E724EEFB947F6366871F4EF.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:6012
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k68looi6.cmdline"4⤵PID:4420
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5_fk5n4f.cmdline"4⤵PID:5708
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF6BC3173A3F49DD8C5D365A9257A9BC.TMP"5⤵PID:4172
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hsi9l6np.cmdline"4⤵PID:5616
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2672.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3CF425B4B1844B0BADB91BA242DB6F.TMP"5⤵PID:4860
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nyxfdxzh.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:1264 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES275C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE50621952EC84FED8AEEC5EA374124B.TMP"5⤵PID:3436
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9v3o6bkt.cmdline"4⤵PID:5412
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEAD09A6C80B34F4CAFD2DD39C9BEA8E1.TMP"5⤵PID:412
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\scg80jj3.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:3584 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2875.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc42966A51C1CC48ADBF63B968A333D562.TMP"5⤵PID:3860
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gbesls-r.cmdline"4⤵PID:3412
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2921.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69005AED398B4C6AB786B02DF081878E.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:1136
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ntn1pp2a.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES29AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5A17E28384894C02B747F299823C7DB3.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:3312
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gm2ffnnb.cmdline"4⤵PID:2392
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A3A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60226852153A4456AC65FF416ABEC75.TMP"5⤵PID:2012
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\era_vghv.cmdline"4⤵PID:4316
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2AD7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A13F5DA5F76452DBAEF52D7FF26451B.TMP"5⤵PID:3812
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tjrwd109.cmdline"4⤵PID:6096
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3B7609AA83A342D1AF91D05615281699.TMP"5⤵PID:4392
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v9hszn2b.cmdline"4⤵PID:1148
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C4E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBBD8865CB44FA39A44A348B307FC.TMP"5⤵PID:5876
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\py6na0no.cmdline"4⤵PID:2728
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CBB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D65312DFB4F480086FD61BFBDD81180.TMP"5⤵PID:4324
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tlr_mkpp.cmdline"4⤵PID:2940
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D38.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25694B0260154F8A975DC576AC6BBA9.TMP"5⤵PID:3648
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jwdus2kj.cmdline"4⤵PID:5836
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DB5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc32CE48C9D4A84021A19587D044492A5C.TMP"5⤵PID:5924
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wsu5fj0f.cmdline"4⤵PID:1660
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E42.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB23CB4862FA4E659DE285F714895D61.TMP"5⤵PID:4824
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\an8hmtuk.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:1144 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EBF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A1D756BAC364F459DC5DEC3B7792E.TMP"5⤵PID:4272
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x1ry46ci.cmdline"4⤵PID:5092
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F8A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD87AEF6D78114DDAABCCBCDDB33134.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:5656
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5axozmam.cmdline"4⤵PID:5652
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3016.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6225D886CCE4AFD92AE15E9491E5ED4.TMP"5⤵PID:5776
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tuzm8axq.cmdline"4⤵PID:3732
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6DDF40C2B5CC455C8BA8F08371ED6240.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:3024
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\szmwftxs.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES318D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4CCCA4FDCBEB4C2789C0A73F845F4513.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:1432
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1tg8kz9o.cmdline"4⤵
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES322A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc48B8CCB5D0A44AE2BA223D94D69E49C5.TMP"5⤵PID:6068
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:960 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"5⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:2124 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"6⤵PID:3184
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4620
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gzt1vbgx.cmdline"6⤵
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70051E3F53CF48368D5AC4AB75A63B96.TMP"7⤵PID:3132
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tuykwt5m.cmdline"6⤵PID:652
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE26F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8BA10A2E25BA4CB79690EB9CC9554174.TMP"7⤵PID:4668
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\03pdqywa.cmdline"6⤵PID:2412
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3B95D348249B4CD99DA213824D102D5.TMP"7⤵
- System Location Discovery: System Language Discovery
PID:2960
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\41avdwog.cmdline"6⤵
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE397.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCDE6983B3B74CAA8B7D7951BB4C7A2.TMP"7⤵PID:872
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nfvttz0r.cmdline"6⤵PID:1052
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE443.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc844B1F367F344A8FACD1AFB87B2F499.TMP"7⤵PID:5252
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ym4i6y08.cmdline"6⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4D0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C54C10A209A40F9ACF4E07DB89834D2.TMP"7⤵PID:4324
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r5juhn8q.cmdline"6⤵
- System Location Discovery: System Language Discovery
PID:6012 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE55D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9737FF023464CB2B1321F739684C284.TMP"7⤵
- System Location Discovery: System Language Discovery
PID:2264
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pbwv96bx.cmdline"6⤵PID:1448
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C3C16086DD849A58ECF113861DF68B.TMP"7⤵PID:5284
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\83_n6jr1.cmdline"6⤵
- System Location Discovery: System Language Discovery
PID:5376 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE647.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12AAAB80EE47CD84BA488AD603D7F.TMP"7⤵PID:400
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vxm6pftl.cmdline"6⤵PID:1604
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC7CC1C826FF04C8CACEDE396C01C6D2.TMP"7⤵PID:6008
-
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --always-read-main-dll --field-trial-handle=6668,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:12⤵PID:5456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8624,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=8956 /prefetch:142⤵
- NTFS ADS
PID:3628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --always-read-main-dll --field-trial-handle=6460,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=8920 /prefetch:12⤵PID:2088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8416,i,15997462366505808591,4034896779365467120,262144 --variations-seed-version --mojo-platform-channel-handle=6648 /prefetch:142⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:1500
-
-
C:\Users\Admin\Downloads\Blackkomet.exe"C:\Users\Admin\Downloads\Blackkomet.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1104 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5252
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3576
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5248 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1496
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3140
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5736 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:6112
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:772
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:1416 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:868
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3340
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:124 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3688
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2344
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5540 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2956
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1708
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:984
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h9⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1332
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:448 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2568
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h10⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:3108
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1136
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h11⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4560
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4668
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h12⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5712
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3348 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5864
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h13⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4572
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"13⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3648
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h14⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3384
-
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:232 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h15⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5940
-
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h15⤵
- Sets file to hidden
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5284
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:2040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3788 -ip 37881⤵PID:2520
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3488 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
PID:5640 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"3⤵PID:5564
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5b2689ca96e72130e5bff6974047dfd5d
SHA142c57b8876a1c5a4dff1a5e2c15e75ebff514198
SHA25653bcae7c18455a414e5d6848a53cff139ed471acea29ec314829a92e938c2599
SHA512b05e698bd01311e3018aa5362483b1c600b72fb248d742a7f8ddbf6516eb337c6eda2ac01bfcfd4166dd6e43aaa79ff2f996ba5e70aee5e9efd98bf0b59b2aeb
-
Filesize
4KB
MD528d98fecf9351c6a31c9c37a738f7c15
SHA1c449dee100d5219a28019537472edc6a42a87db2
SHA25639445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0
SHA512f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971
-
Filesize
280B
MD5509e630f2aea0919b6158790ecedff06
SHA1ba9a6adff6f624a938f6ac99ece90fdeadcb47e7
SHA256067308f8a68703d3069336cb4231478addc400f1b5cbb95a5948e87d9dc4f78b
SHA5121cb2680d3b8ddef287547c26f32be407feae3346a8664288de38fe6157fb4aeceb72f780fd21522417298e1639b721b96846d381da34a5eb1f3695e8e6ef7264
-
Filesize
21KB
MD51c1b8f9906f02ae6394ec69aecdebe59
SHA119d6d98dd767c7ea8c359e6389d1b9b1a2c69c2d
SHA256ca5d8b801b30b0c983e427703bd006d35bd081c22024f01c9728044a269bf79e
SHA512127dc8f6a0af6787d9bda66218448923b34461977d6fa0df2adddfd8493261889188ad616b7375f536edd8a8ab7e0274179b25e40bf147ba72cca41b972708e9
-
Filesize
334B
MD595e8c4378da446fbb8def1dc17f0fa7c
SHA1317d50a905ab7637db2ced76af6af6a78371eba1
SHA256ef3fc1c1e16d43620a6efda7787993c17d44bbb0a30290bc893033439823ba21
SHA512c3ba4270bb9bda34d95be11de7c90fcd97c0fe8097ce967e61eda4fc6c8e21792cb0261a552985b872b0e8e17e7f92ab9f7b9e8ee2b955d2b392830c53fdb7bf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize9KB
MD54099ff0dc2048575ca8af31049776dd9
SHA180a2528542e1abb57d36d66b554eb8b0f0130dae
SHA25648c248c62bfdaf5bea5dae147f56cedfce104e0f4aaf4d356b339e89cca2b294
SHA512e6126d61b8a8c39ba314be1041bce2fbbcafc71c6f54733ee46e7b50eb2870787cf5e6e1c33782b7b32ef21cdb6debfebb34510a489f18fec29861c46a1ace89
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5850ab.TMP
Filesize4KB
MD5e510fa2c6fd77f36870d8fdbd63dd12f
SHA1b418650a28c28645fe0651f2a6c6761e73b35de0
SHA2561f22ab718979e82ecfa4099abc3f2d345681c12f7da42a1b737b5f7d61100206
SHA51241cee3193d0fbcb25f5bff8b830b705d7363793d89d84546bb5670492f1074c6794999821e43080000636f40233b94ad0ba611c3dce21226b1c2749c86053cf9
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
107KB
MD540e2018187b61af5be8caf035fb72882
SHA172a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize
8KB
MD54a66aa76679a4d662f27e155ba6e197e
SHA1dc6859c353b9ca63b97c9961d4d06932e4069ad1
SHA256dbf072d5ff424cc759078158387ec40e347b0cf3778a83a8604155d429433d8c
SHA51244207534b3b9123256aba4ec9695811d13a723b3157715f9b984631efa9b3528cc7afaac10efcbbcc6e2f25bdfd3ebe0a2fdfdc0106a7d5d34de96e1295acd74
-
Filesize
8KB
MD523872f822fda61f67a1bf46d39c1c674
SHA12f131d11613c0c992789740a1130e3a1a6fe6736
SHA2568db61cd542ef90dc17fd174f69851d4b023f6385a23b2a3d4d4436f832c12aa5
SHA512196eca8a88dde8db8d5add699532eb7f0a337f351225808f351f75242fd9d522de1b4e6afe16a9816b290e886e1808fe5ab5cb3a99057b86c52b7901f04a9d40
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
211B
MD5fce4a48e2d0a8b11e50e100bd6b53c13
SHA15b207acdfb84a88b99229e34559dc14fe35501d1
SHA256bdaa3202176afd47766a8336d68d96c78799af7081d525c55378d58b847813ac
SHA512b8a9d20e8185741b3017eb9d746818a90412cb8bfcc3db7d943875474ddda037a32af2ce8e97074e7ca65d5a41e6b02e2d810951b8bf0f4352656066d4a0cb64
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
18KB
MD5c6fe078c0c6b1955f8a85a47f5bd3fbb
SHA11319ea742caef5995615ddd0c90db01600778b70
SHA25603b063a2cdb1ebdc462dcbb63946a5bd28799ed1ea3c4a4524f660a51848c1e9
SHA512de87d5e2f51947345538734d703fa97ba389c93074bfd2aefa923aa179bcb29fe0385963fd5c7323e2eaa6470f16a32a81556e36aec528b873e1d988abcb0942
-
Filesize
21KB
MD5611ad3d3fdc557fe553f8445f317b45d
SHA13d6e6722b36a7c9001e891eb7a449e78932bcbc9
SHA2568a11b71b8a3d6ad4c43c2340ca00720a8bd3d294b256cf5d86e0f6de8dd51f6a
SHA512bc2163613c062e45488442eb3b0874ee3fcdf15fd8597e413ad3a7df38bd9518e6e56ec3c1f1e7749d9aacfeef80f6ee8362521a76bce644707e23360578f21e
-
Filesize
17KB
MD55e3e0764a8a28b561021465bdf23997e
SHA1f0f26d58fbe5ff30a9f2b065ba6b25686552d8f9
SHA25613bccf73f58aa0a5676d991c1c50b82d1c8b1c5bd8aa3b686692428d2dc06bb1
SHA51221a46f819db71562b3aee49555e8cc87382f3b7ddbcee8ef6bf7d107681be4ceac76b7e27e1154d2658282a26766ba5a69c8af3f55b1fb1dacbe8d4688981973
-
Filesize
20KB
MD5f7b707da3a1706669aa763f7858e189f
SHA163bda9b82963bd942fdbc7ff8cee44466ae5ae5e
SHA256b0414a2b834b3029ef6509a19bc87bffc5c395b85f2c8959ace4b83ad8482def
SHA5126b602d3690f6f155c277672e6d3762d09ca0715a293d1daf75ce0246feb72a1c3ebd416f773e95c2553e73438c08f103cf81564f492a3f7bb4ac9972473a0b8b
-
Filesize
21KB
MD5391e671c5e6073598adcbeab1c8d90b2
SHA1741a2ad7618a6384212ae728c457f86390a6b7a7
SHA256bf766eff287b90ed5e4e3b3e445e017b664b8424b1cade310a968a96b0e51c26
SHA5123cfaa0b617dfea7a7eed4efca95cdc150970cc79f185ac6d64cea5f9969a8816da1302fe66525d05cd52647f5cadffe998408d7d5f63d6bb153eaa403bb4aec7
-
Filesize
21KB
MD5a232c156fd2ce42f20a49135b4887d04
SHA1d99d86d537d296518479654b43ee4246e9ccfc6b
SHA2569aaecf2a08018e59874a647c859e9acba2e7923fd3438516ebf488a0b92883bb
SHA512dd50e1f64998a1c91ebc23706ba4ef4f7ccf48bbd00a7d15e58a5e5a77b990f9107a991671404980ab48a0ce3322b26b3fa160b79ed16ec9f3605e213732a734
-
Filesize
37KB
MD534652fc63a61dbf9517a317b003aac7a
SHA1d88dd3fb092713bad1b5deb6027549caec4cc1fc
SHA256f708a76566065d85cf2752aead23207b02bb8cb64fdacde3b34b12e78e19ebc2
SHA51229d59846acac44343836a466aeda7564b08201e47a07183e2e9792aa38b3cb91918c2461d93243757ac2a2dc66bf4b0f3fdead11256f5e8223ec1eef071fb932
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\54f363de-b293-4d45-86e3-62724088c663\index-dir\the-real-index
Filesize72B
MD55c6a11b17647cef42b9a65b90a00bdce
SHA16362a910d5b604be18540cb4837725a751e6a45a
SHA256cb50638fa5568ef7ed369ccf9ce6ec26dc5ed943d1af2b042c888e920d8efd60
SHA512ea06292a6c13f29fce1db7c08d7f54ff39f054f42f088e1a1092fa8e1d83e2c0a29d0f11822809c2cd344fd45a31d28431d2b0253fdf69fd2924cf8191820344
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\54f363de-b293-4d45-86e3-62724088c663\index-dir\the-real-index~RFe581930.TMP
Filesize48B
MD517af27b39c4d45e3c0ea8a7f944d8dd0
SHA119131a5dbe84425a101066bb37efd1abd674a28a
SHA256043fcad7e913f74cddc91d7b2b4d24a145162004ebfbda101fb198c2d8f73e40
SHA512ebafe6a89d2e2cb6700aa57eab6397ba47d235aeee006878b48447f268614d799ebe602187a8f27bf8cd6e155e74f00103a606329b5b7edbe4c43fa352871454
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\7b3d8453-9a68-43c0-a152-567f9ecefa74\index-dir\the-real-index
Filesize72B
MD5e9f10b790a343c87a79af643c8f19cff
SHA1d5ac78a288f734afe6a3dfbc1dc7c07e89de521f
SHA256404b02b8155ca5574e71f4463b2f924a6ce65857f94339ecdb5972b9b3b90684
SHA51287cc76ffc315d609a02acc2aff137738f620d1387ef475c78d4c7d4348c31921348fb8f84d07fe53b9d8f3d56270b729dec5387441deba6f84e91b503576a4ca
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9b15c52b-06bb-4033-b874-cbecbf92a6fc\index-dir\the-real-index
Filesize72B
MD521897700fce384eebc24b2c7a46d66a1
SHA1632c61477fc7fe356b694be5c85562f79409a56d
SHA2566486f1befadbbea9eba94b8fac1da0a5e9d7bce7357417463abf2daccd04681f
SHA5123091182ad9e71b53a76589c3107bec6ae7c53c6d03f823194d11ab7e6312f54d40143a9f7a57a7e15282e015645dc8dab389cae7cb4e19bb68808c1c497c1c85
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9b15c52b-06bb-4033-b874-cbecbf92a6fc\index-dir\the-real-index
Filesize72B
MD5f4f0cfacf8bcc48cd2cdb7347d3f30d7
SHA1608b142f480cf05158348259b77cf1caca87dfd7
SHA2566ebbb8ba6a4868ddbdaa7690583ac613c7fa8740002378cd8ca961beb8ce7101
SHA51246a8e562ae5967661d2521982a06be100a79b62972a7d26f0b2801ee0a37218c4b873661fcc8361648a487a7ee6248ae441eda5ca93a66b48abe6f933689ced0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index
Filesize1KB
MD5d577c3704fbd7571c462e718d5bffc5a
SHA1c99a495c7e99b98e545fbe6e2a021959577c7b41
SHA2562a23dc20ab78ff8a097a68d7e0e089868bc56a1f7c373caee1b796b1e0fe8741
SHA5123375d9c5a60e5b039a4b5b15eac55170da38df9d564823f2637298380527a82a4bb5c230567bc121d037c9ed7084ead71c19d05b73fc8cfb0bdd60806a13caa3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index
Filesize2KB
MD533e7a44cd67b5ca0073c40e07fb0aac8
SHA11699ef0ae07a61326f3934dbfe9b53169133eeff
SHA256135ae09f0ca19bbaa7bb4c47037b48bf89a114ebf89ed9babc193e27e3a08c8a
SHA5120b39aba7d817d83b38dce94162797c8c3fe830dfbe94e5acd241e2f939153afaab3e228262ee09786b1bfb542e6d7fffeaa9aaac769e81f93b3c3ee08050129f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index~RFe5788b8.TMP
Filesize1KB
MD52d67fc0ebad480f64ff5f0b014e37a3b
SHA13a5a495eb1b77a0c687ec364ad49c760475debe1
SHA2568cfdcfbf8af0ae0a6cef61eec9ed3833d2920dedbd8dcd75c42da8d5197a9d3e
SHA5120e5609b8ca2f8c0102308459726ea02447498e10fb96ba137047dcc7abaf9de94f5bf5d3aa5952b603d744c49f14153699aa691bec6ef00ef35c222be970321f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize327B
MD5c30b187f435ef2150209c927d367fa03
SHA198076ca0e047a6bb83385ad44fcdd7ef57e568a7
SHA256fa4b5c7165ebfdb8be28e34953481101c5dcdb79ac4883d1ff2fc5a9836926ad
SHA512319a7bb0d56bfe10db90f438927d52863a6ba8bf2428724f94e889232f991ae8c0c149fd95d1a183f2a8a2cb39bf1891d42265f8cd2e6559f0f64dc23d24ce41
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize322B
MD5382c698d45df1753241101ef860f7098
SHA1a466072e6d05449b282fd9354d22ee330eb6ee50
SHA256e231f0f8a255dc39f9eb6b7821dbc2fb71cdea4446f59bfbd2f691e0a8e591ae
SHA512e7809839322e0943ffbc18e0005565b40382b12db3990ba7d2d8f1a9c94b5d9956c4c2a594a01f502f126f44260aa3c4fb25762640a35ba66b3227e659afb152
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD503faf5c043ecb5e2fe357a4ea64f67f8
SHA1f5f2d470660174667738dbced44ce0c6696d685e
SHA2566aaf2b51d15f52ea9c687e78829f316183e1d9a74c69cbf1f97d386fb7a212d8
SHA512370db4403a0029b6f4bdb4546f259aa35ac2926cd8756d6051cfe504b4ea6c35a1cadf0a54e83993d81858d0ca1f0b559e35bf563ef7101ce026edc912355d71
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e196.TMP
Filesize48B
MD546a5f6f26911386fe077ce360377b854
SHA1942e98bd4dec87638ea93b1abb73812c0fa337af
SHA2567ebd38de4d282a54570a7579707659393b192cb258fa75453ad848d7106b18ef
SHA51276eb0f5d67e0cc4009c1a2c324c40b01b7b8b04b1771f3d9770af369de267d0e7fadd25fe006597880c12125c1b8519033ab806df10138a334307dc2267ddaaf
-
Filesize
22KB
MD5cca12bb2ad854b997dc1e9753028a8c6
SHA161e0bd8c190149f017f4c8408654a138f58c7a0f
SHA256593e1be49870834a98ae8f5adaac734ae6034cc6f9fea118f93064460f752b81
SHA5123e5b9c566b016831c9e8d1887edac03d6584f4b9b7e13a4b9e4ae01f2592a9afd1a41e1331599bda913597f7bd1ebb6f30e91c988e778dc51c6e2b8a7702ba67
-
Filesize
113KB
MD560beb7140ed66301648ef420cbaad02d
SHA17fac669b6758bb7b8e96e92a53569cf4360ab1aa
SHA25695276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985
SHA5126dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5
-
Filesize
467B
MD59084a7f06bf8d0ae203c65c9c46d63a1
SHA107cc50d3408f90edfd702250115f84b2a9fd5734
SHA25691c5d940a725f672bb74dde08c568f3284033fd7b583410b5ce24719c904936d
SHA512ad9a21c060a59a01f53c599bf617e6bf7148cc722fbeb3cd06e258980839087467ab7f52165fb4ec057129571917352d05b6b1e9ce7dcc5332f9b1c9feaa7f80
-
Filesize
900B
MD564ec08d839bf87ffb862f9fcd14569d3
SHA13eae07ff7a60504a58014afb9350b3c6df5bd24d
SHA256ce1284249a2329e63776ed8fac55e06bc2b2a342ff3ef7f25a889ec8bcbe51d1
SHA512b3e650d26cec8629b1559dff6ca07d4eeb391d4c5a7e04d404a5a43f4a35fa034bafb857b7cfd2f6c492e1d44420a54462c57ec53cbeb664baec5c15e0f820f4
-
Filesize
23KB
MD56fc44f94bbcbbfa558b408ac8fa1be50
SHA1940fd162c182b6ff3be21614635c15dc1d913397
SHA2567076e54cdf044c62d26cdb0a3346e3ce493478fd8119aa303823402ddf604f25
SHA512811769f64004dfdf35e9185eb88dbd906c9809402293ce16b5032374a265f925be477a773c1a6b6b4e2bdd9895db7d294bae196c97ed12793048b2de261d4375
-
Filesize
19KB
MD541c1930548d8b99ff1dbb64ba7fecb3d
SHA1d8acfeaf7c74e2b289be37687f886f50c01d4f2f
SHA25616cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502
SHA512a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-checkout-eligible-sites.json
Filesize23KB
MD516d41ebc643fd34addf3704a3be1acdd
SHA1b7fadc8afa56fbf4026b8c176112632c63be58a0
SHA256b962497993e2cd24039474bc84be430f8f6e6ab0f52010e90351dc3ff259336c
SHA5128d58aa30613a2376ccc729278d166a9b3ec87eca95544b9dec1ee9300e7dd987326ea42d05dca3f1cc08186685f2fdaf53c24fd2b756c1ed9f2b46436689dc74
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-notification-config.json
Filesize804B
MD54cdefd9eb040c2755db20aa8ea5ee8f7
SHA1f649fcd1c12c26fb90906c4c2ec0a9127af275f4
SHA256bb26ce6fe9416918e9f92fcc4a6fe8a641eceea54985356637991cf6d768f9fd
SHA5127e23b91eab88c472eec664f7254c5513fc5de78e2e0151b0bcc86c3cd0bf2cb5d8bb0345d27afdd9f8fcb10be96feaa753f09e301fa92b8d76f4300600577209
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-stable.json
Filesize81KB
MD52e7d07dadfdac9adcabe5600fe21e3be
SHA1d4601f65c6aa995132f4fce7b3854add5e7996a7
SHA25656090563e8867339f38c025eafb152ffe40b9cfa53f2560c6f8d455511a2346a
SHA5125cd1c818253e75cc02fccec46aeb34aeff95ea202aa48d4de527f4558c00e69e4cfd74d5cacfcf1bcd705fe6ff5287a74612ee69b5cc75f9428acfbdb4010593
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18345.18340.4\json\wallet\wallet-tokenization-config.json
Filesize34KB
MD5ae3bd0f89f8a8cdeb1ea6eea1636cbdd
SHA11801bc211e260ba8f8099727ea820ecf636c684a
SHA2560088d5ebd8360ad66bd7bcc80b9754939775d4118cb7605fc1f514c707f0e20d
SHA51269aff97091813d9d400bb332426c36e6b133a4b571b521e8fb6ad1a2b8124a3c5da8f3a9c52b8840152cf7adbd2ac653102aa2210632aa64b129cf7704d5b4fa
-
Filesize
55KB
MD5139b9261a8b11f683a8e5afdb8ce76c2
SHA19c58235a0a97d8f6f4d09556eb6d8be960fe8e78
SHA256729b6ef5aba3a1a986eafcf268b9ece5939bb2306429930f29618a47a4f2eb66
SHA51230d2af9311cfd17993b62ba8e1da8e443dabfa08b0da43de204a59fcaeb445d141f18330f2ffc7cbe4086251cb9694d4f042535342d87cadec0512e627ac07c2
-
Filesize
56KB
MD55e039bc5de949ea5f99e24aa254f2fe1
SHA1526eb274fb586a7150658f577cf491207667fa15
SHA256154bc0ea2518504b38613fa1bedbb2cfd3c6241e29b9afe894dd19ac694d06d0
SHA512f7da93c9fd6e00338e31c96be8923c9c26f977206c41f16718dfe206e2c50e874fdf7bbb49f6afa64ac2a3b789131c756c21ddb1e3021cf35ff93101c14d8eba
-
Filesize
56KB
MD5db6d8b2343bf279b365d5781df8ef468
SHA18cd77b6dc7612ff878a6c035f2a7386a220c46bc
SHA256acac5895f922a7a6e81d20fe904a8a38d2b457ce67e44976a9ed59dac8f41630
SHA512a6f4fcfb346faeffbd574401d2f9ea92aa2d8cec62a5738db58ede863f4e44f13ec5ae940f66f4332950f050cbf76e2b6a908ce4ed5fe86ca1cce0665523e98e
-
Filesize
50KB
MD555c4938dc63ded136e360135c358e965
SHA105ec6fe5b122981f1edc4596a5be4be021705359
SHA256e39ac0b4fc5d33fb2ad52df0a0a6e32ac431fca6bf8cf00dddac4a3867d38353
SHA512199743038fbe9c591170d081f56099b0cc1ee361a7ef6194038545660c06380adee8c70df88ff075513126e84cdaa6993df94ff2aea6d67949312fc11d917e56
-
Filesize
56KB
MD581797f5b3dc3661f695ea62331aff755
SHA128537f2ae590c7c3d9ecd5560545b950d5c4275d
SHA256b9dd60322edd7e7dcef445765e3c09472dea5162ccc231b5033e069a54ea9344
SHA512ab03519b7458471f2dad3f84e27ac3dd83cd7ccf8ba38e10aa8596ccefc1d7447c6b40499095a6b8c068cf4486f11196b19ab2f0a11757417c723d3aea89c0ec
-
Filesize
56KB
MD5b900e807396a118274db5c18a9f70bf3
SHA11405b1b5e72a70469c1059bf9d4af83f0e70d29c
SHA256b2f8e44c4e0e3318e16261376b3095e42416e6b991e54434f5c52b257ce5a5ea
SHA5122bd6717458a87da1d07d657364241f36cbfe8fae0b1053387753a7560c2775dc224b60a452cf49b77537eaafff750c4133557aefab830169f08d3eadf8ddf932
-
Filesize
41KB
MD5a747b429581a6e85bccc0dd00974a8de
SHA11f4a0beefa9ab12038bff54fa2f0da4239ae12ce
SHA256656dc69d98a4e92f7c15bb7a02ac4003ef7a995421f328b16e474ae99c5785f2
SHA512aaacc64ccac396cfe15166801a17282d75bda6ee65018d3f5eef0b5b5a9b3859f63132caeff79321c7bf40d10db5cfd5a72b7c334ff24b859b7b1a54291affed
-
Filesize
56KB
MD52338235b39bf530f764ae169aa817216
SHA163442762bfea524b1094e33005841135fca549e4
SHA256e4dde213ad153b2d0cf813705675e50b862043ec346ab695f2f38db65f644e91
SHA512717dc88733281d322befc314caba15166578a5a3ac9551b2d251594e2e3704f0b67f00581a13dd7eb2264dfe3fd4f5337e5d8b92d56a0f1723e766aec5c9f736
-
Filesize
56KB
MD5fe23f4a76918b9fa5169729981815d3b
SHA1a79636833d1277b47526a9a7f4217d8e6094040a
SHA2569570df656d0c77b6fb12a1ba8f6f8f06c9a8a22f771ed29966a2d3eff505186e
SHA512fc9e087406c3dd25e963ab428cc75e45b16751ac2063b668e88137c7c385090e40e0d7bb58be093212253fcf9d5593a56086976bfd088771d1d442b8c5310d8a
-
Filesize
56KB
MD5c93a53badde10ac7da4a4c3384aca1b2
SHA17db0d73accc44168355448af6cef0c5a8dfa34dd
SHA256db30c1e8608107c3b7edb3bc119b4b42d5a7bb752af66a93f37d7085f99cf62a
SHA5127b07996a0582d506b6a2d246991e8d77366fb7d3cd512982ae24587d213c9aa9f487bcf30235b30cc2603376b6191b21119f76cf6e9bd27f6af42e0d10d16c87
-
Filesize
392B
MD5b2af7045edefe1280d66671d515e0e78
SHA1e8126fface7914cb18bf39aa82f0b95ac507bf8b
SHA2564cb935d1d15dfe77cda9a0fdbd69bf62626b6d40fef7699e77a1dc28031e570e
SHA512c71a56dba019fad3434e87064d4ee450cdd7bbf211a696b0ba6fbefdad983399002fce5e8271681dd7e6783ac2efaa22f20d974bd535b4af09bdb2792e659e61
-
Filesize
392B
MD5c75b8b00d8281f61918c406d9f4fe1dd
SHA19e5883c7f4c5240e953acca92e63d6f327f8cc1a
SHA256be2622f22220f34e672506934b95adec1667febdf91a7322c3bb3da199416421
SHA5120da25c66df3b61a1315622a9c810072d7eecde8cd25557b27e0779347fa482e9485f1adc4e3dd8e36bf2de2445f35c008c581231ad5c2d58d7668edb37853e72
-
Filesize
392B
MD52296f285175cb9036ea9fc20b4448789
SHA1cfa6482a6b663f7e05d7e74b549cf864c5ec66f6
SHA2569c95b2fd8d527507d3c8301289660f562ab67d23c1834ab7ee1a68f81984e9d8
SHA5123137bbce342792da61428297efdd651c22f45d3f7ffda1d02c2e2d9c050fb66e473469577aefab70a86d768609385832626d0a60fad2974088289563dee3f72c
-
Filesize
392B
MD57f6c47596a3fe126fd73566bed244a90
SHA1c779a355ad3026ca3c5a30f6ec19e110396403fe
SHA256fca5c34cd687de2c1acf224b36a956d8656eee77b79a7eab4b11d6035af217bb
SHA51215e62a99c4967ed81a3afaf82303772a373d2823472ca2693edb53c04806e5954a6bc732880d82fbeb8b67d31292a42b2853a92bef001e0393474c11e470f8dd
-
Filesize
392B
MD58d28bbd2522ffe1d3604404978067a52
SHA11ef412f3c972517a447f37c5b0801ef8ec13157d
SHA2566faac8ccf8ce3b8907bfd02f26749c2c571e9ef7bcc4c205afd387402c8b1162
SHA51247ff00632fd1741b3dd3dcb21921e3e23c25e4d93a93ec997c4c49172f0febca63abbb554c2f9877f5be75128080ac3465d8c08b342d24698fc3d6629ecbb0d0
-
Filesize
392B
MD53b1e9b250551b074ce08b4bfd850c780
SHA192b7fd1bacb2b7ef25749a261ff5ca4cb7bef2a4
SHA2568e90fdfdca13af45c8b0f3061d40f93d577810b1b9def811a062f3734ecf0fe3
SHA5120b164ff13ec3da3846f7bb95f20e85d65183bf9599f6528b0e252a6d1ca3c08f091ef6f9aba0b2d71ea0fbbfe2e1a8f0c7574a37ba489385e70420ac660bbe57
-
Filesize
392B
MD564b9bf19322145cb7286948f3d543503
SHA1e833c0548b0c03ef853d230ae3484108c47881ed
SHA256dce44f7233d07f5acf908acb489ae2d425f9241619904687682439f353e0b09c
SHA512dac1c211125c2f7619e746a4971a83c07e60f24dd4e104345846763f0d51f9dc74011e39974ece2a1bfd85ac41aa2571ab82543e89da16c409640ad4fea261e8
-
Filesize
392B
MD59b65fda5557e839635e53e2ebcbda310
SHA1a983a77b5639941cf281d3ed05ace42f3eb21599
SHA256ecc6250626203bde9cc91558c864fd2c5da533abe93b4103602c348ceeede35c
SHA51215febdb2525710626e6569af93b0e752332cacf6f2fc5b61a421dda8e102183310e8e08333907ed29bb29c0ce192c014398c8c87b4c7190b53dddc9fd1b2997d
-
Filesize
392B
MD57e95287ec8c8a9197e0b7b8c0db77383
SHA14d0737ed668e905c291d94139b20bd229243bdf5
SHA256e6dc1c329756d4666f1dbe10ed463e2e26c62b9fea3214bc85eaa7faff546f15
SHA5122a4cda3d79b2f0276ed311e227a359be61818019811016bc51dcb6d8c45f140351cb543976599d14c1836e2f6befb548d91fd23d5888ddd16b642a4af35fd560
-
Filesize
392B
MD5417b9436dd931e93af0282263ba2cd44
SHA1cb54f64e8e079af53174d324d25fbc556a9fef5e
SHA256259c5f73d1ccf324548a083bea92a0560e4848787c36a60143faa8b3c4e87d92
SHA5127977a6a976d9ae1ab06cd5561b940eee532516465c51ee6b233d7d4ea1a8f2dedb5c8d730621a9fcdd187ee38571b0be88abb7d98a715e92ea3b9d12821b5b9e
-
Filesize
392B
MD575b80ea1601931880c0021a7e5b9ab97
SHA145fe1cd772f76ba49a8756df719670ca377a892d
SHA256ce173f9eba498695d7daec7400afcd5d69b665fe003d838298e471a18986017b
SHA5121a910e8b3fcf1e54409d1aedc8a9917b8258fadea74965336476175ac4e3f9de91e24f84c41c3b519a4940b79bce79683cc9ee836e6dfcb8334c45da64890583
-
Filesize
392B
MD5fd6c8b2ab82d16e734af448f54bf5e28
SHA173b28587d4083dd2f6aa005291c085ad1fd9c3fb
SHA25678f9ce54c11aa5bf1ade82a243336512b38941fb7b6804b3c3a79dadd6ccaf01
SHA512bcee70de145ee9e0e9d20aed4994550ee1b3a87bfd9b85e7f708efd1d363980ad73d82e650505677469a4f26ee67e0e1cf1f54bd2171887ff2563639c2c40ef0
-
Filesize
392B
MD5713246e2014eb1593a60290e5efd5462
SHA1a64693de71717100856165a28545d8ec7c1617f0
SHA256ed3b571663a24f95a6b53eb9ad73987d5bfecc0723a699414cb9f4c3fd192815
SHA512cd32b6f17b362acb6500f31955008ae0ac340be480036b159173e69d277fd02a434964432a10dd9e845c08e07a91695f316eb95d73be883755addc60ee7b5c89
-
Filesize
392B
MD59d3f3435e45a13ad36d210124c9b27a6
SHA11c020d614f3a24742f8322e53b2d8e6bb7d46d79
SHA2563039db7491e30aae8a70622d1045f2d62de2b05f03bef6be9e9babd5e5b4ad00
SHA512c0eceb1ea0debded6e68f969495c4cfaaf6e181fc3aeec580fe6ee9dcaefdcd2fdfa0c2968db92f5e7b5f7efd64aa0941744a64528981842769ba876e3add89e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json
Filesize6KB
MD5bef4f9f856321c6dccb47a61f605e823
SHA18e60af5b17ed70db0505d7e1647a8bc9f7612939
SHA256fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5
SHA512bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.24.1\typosquatting_list.pb
Filesize638KB
MD5c58dc6e76e524d25a1a8cf23ba450518
SHA126179cb88c8f3c2db96aed106844c817d8b08d29
SHA256695140b50858ab3ff19e2519e0aff4b6a358d16e4cc110d5ca1bb6283b37be4c
SHA5124d74793a2b91a5c307e6f23521622611dae00dbc8717ff0e7b93451ebe40313ace05cca8e85fc3b2e23094b07219040cbf6ddd88918bae7895ef0352db1af71f
-
Filesize
668B
MD53906bddee0286f09007add3cffcaa5d5
SHA10e7ec4da19db060ab3c90b19070d39699561aae2
SHA2560deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA5120a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0
-
Filesize
676B
MD585c61c03055878407f9433e0cc278eb7
SHA115a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA5127099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756
-
Filesize
644B
MD5dac60af34e6b37e2ce48ac2551aee4e7
SHA1968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA2562edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA5121f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084
-
Filesize
756KB
MD5c7dcd585b7e8b046f209052bcd6dd84b
SHA1604dcfae9eed4f65c80a4a39454db409291e08fa
SHA2560e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
SHA512c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
-
Filesize
3KB
MD50eeb59abb53bb2aef4fa819f8437a643
SHA114e9b3223662b5d74aca26edffb4eea27e8c6f23
SHA2562f5d32b3f1990ed53857aba65bc428a3fa33d231c1c059b8a8b2ed09076ad607
SHA5126397bac318d90a008f54b62410dfd797234be83f8bff8b33392427442885d50f498c40ee0eee97f7272100de68ae917af95d3e75d1902f5fe6ae1b8a14c8b6e3
-
Filesize
86KB
MD596ff9d4cac8d3a8e73c33fc6bf72f198
SHA117d7edf6e496dec4695d686e7d0e422081cd5cbe
SHA25696db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d
SHA51223659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46
-
Filesize
4KB
MD5331973644859575a72f7b08ba0447f2a
SHA1869a4f0c48ed46b8fe107c0368d5206bc8b2efb5
SHA256353df4f186c06a626373b0978d15ec6357510fd0d4ac54b63217b37142ab52d3
SHA512402662eb4d47af234b3e5fbba10c6d77bdfdb9ff8ecfdd9d204f0264b64ea97fc3b5c54469f537173a26c72b3733550854749649d649bc0153c8fe3faacc50a1
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
232KB
MD560fabd1a2509b59831876d5e2aa71a6b
SHA18b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA2561dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA5123e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
Filesize
6KB
MD574f8a282848b8a26ceafe1f438e358e0
SHA1007b350c49b71b47dfc8dff003980d5f8da32b3a
SHA256fc94130b45112bdf7fe64713eb807f4958cdcdb758c25605ad9318cd5a8e17ae
SHA5123f73c734432b7999116452e673d734aa3f5fe9005efa7285c76d28a98b4c5d2620e772f421e030401ad223abbb07c6d0e79b91aa97b7464cb21e3dc0b49c5a81
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize
31KB
MD529a37b6532a7acefa7580b826f23f6dd
SHA1a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f
SHA2567a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69
SHA512a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818
-
Filesize
4.0MB
MD51d9045870dbd31e2e399a4e8ecd9302f
SHA17857c1ebfd1b37756d106027ed03121d8e7887cf
SHA2569b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
SHA5129419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
-
Filesize
53B
MD522b68a088a69906d96dc6d47246880d2
SHA106491f3fd9c4903ac64980f8d655b79082545f82
SHA25694be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88
SHA5128c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff
-
Filesize
118B
MD5791d8ef5b977b40022d73a00d269ae91
SHA1eee166ddaa96114f05caaee653e81b3fbed325ae
SHA2560642acd6bbb8906fa49601ab1af556afe9b072cdce3f2fdfdd8393b6749a9079
SHA512afaeb3f15dfbe6e3374cf61fde33a313f0b94a971fb6a1fc255b92bf921ce55762d180d2ab45fe19c8180105a913c70f6fde6cc9c312f52d6390a45d893df3e1
-
Filesize
1003B
MD5578c9dbc62724b9d481ec9484a347b37
SHA1a6f5a3884fd37b7f04f93147f9498c11ed5c2c2d
SHA256005a2386e5da2e6a5975f1180fe9b325da57c61c0b4f1b853b8bcf66ec98f0a0
SHA5122060eb35fb0015926915f603c8e1742b448a21c5a794f9ec2bebd04e170184c60a31cee0682f4fd48b65cff6ade70befd77ba0446cc42d6fe1de68d93b8ea640
-
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\Notification\notification_fast.bundle.js.LICENSE.txt
Filesize551B
MD57bf61e84e614585030a26b0b148f4d79
SHA1c4ffbc5c6aa599e578d3f5524a59a99228eea400
SHA25638ed54eb53300fdb6e997c39c9fc83a224a1fd9fa06a0b6d200aa12ea278c179
SHA512ca5f2d3a4f200371927c265b9fb91b8bcd0fbad711559f796f77b695b9038638f763a040024ed185e67be3a7b58fab22a6f8114e73fdbd1cccdda6ef94ff88f3
-
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt
Filesize1KB
MD58595bdd96ab7d24cc60eb749ce1b8b82
SHA13b612cc3d05e372c5ac91124f3756bbf099b378d
SHA256363f376ab7893c808866a830fafbcd96ae6be93ec7a85fabf52246273cf56831
SHA512555c0c384b6fcfc2311b47c0b07f8e34243de528cf1891e74546b6f4cda338d75c2e2392827372dc39e668ed4c2fd1a02112d8136d2364f9cab9ee4fa1bd87f5
-
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3536_229276796\json\i18n-tokenized-card\fr-CA\strings.json
Filesize2KB
MD5cd247582beb274ca64f720aa588ffbc0
SHA14aaeef0905e67b490d4a9508ed5d4a406263ed9c
SHA256c67b555372582b07df86a6ce3329a854e349ba9525d7be0672517bab0ac14db5
SHA512bf8fa4bd7c84038fae9eddb483ae4a31d847d5d47b408b3ea84d46d564f15dfc2bae6256eac4a852dd1c4ad8e58bc542e3df30396be05f30ed07e489ebe52895
-
Filesize
121B
MD57122b7d5c202d095d0f4b235e8a73ca5
SHA10cca47528a8b4fb3e3d9511d42f06dc8443317c2
SHA25693b603f06d510b23b95b3cacd08c3f74c19dc1f36cd3848b56943f069c65e975
SHA512ad6fba6e0710cc26149dcf7f63143891aad4ebba0cc45670d8885fade19dc1a50b542a15b10a7604b6b1be4b8e50fcd5514f40c59b83cc68bd10a15ab2a93c1a
-
Filesize
79B
MD57f4b594a35d631af0e37fea02df71e72
SHA1f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57
SHA256530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1
SHA512bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360
-
Filesize
1KB
MD5ee002cb9e51bb8dfa89640a406a1090a
SHA149ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA2563dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c
-
Filesize
85B
MD5c3419069a1c30140b77045aba38f12cf
SHA111920f0c1e55cadc7d2893d1eebb268b3459762a
SHA256db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f
SHA512c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1
-
Filesize
145B
MD5ba1024f290acf020c4a6130c00ed59e0
SHA101274f0befca8b6f4b5af1decc4ade0204761986
SHA256551b8c76c19c654049d2d8043a79b8edb3c03e1b695cabf76b4076ed4921ae28
SHA512e55b871dd3500f30d639089cc42a4edc3bd4d26d2c4fd151322a363fd8edec82d5345751953f9b581e40f22b6a8976faa0ea7ec9fd286f73f747120c87ea7157