Resubmissions
10-01-2024 09:48 240110-lsxdbadaer 10
13-12-2023 10:19 231213-mcswmacfc4 10
13-12-2023 01:01 231213-bdbsysfcf5 10

Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2023 01:01
Static task: static1
Behavioral task: behavioral1
  Sample: 05193c12562beb5de5f05ae6816c976f.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 05193c12562beb5de5f05ae6816c976f.exe
  Resource: win10v2004-20231127-en
General
Target: 05193c12562beb5de5f05ae6816c976f.exe
Size: 190KB
MD5: 05193c12562beb5de5f05ae6816c976f
SHA1: 2c804f81e6949e2de30359d6085a7eef7b2457e6
SHA256: ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d
SHA512: 9241667e0476e386cbe89f67ae3eb09f4e023283297d567c39956f15497fdf74d1751832116137f11a2e8cb4d073fd3068ecfcc284db6e26263db7059cca60d0
SSDEEP: 3072:t07gIqLEHi+cOtsLpAjPsXp0qCAfs5qtrpJrkG5RScg7:cgIqLKi+cCjPwlCL5qBM
Malware Config

Extracted: smokeloader
  up3

Extracted: smokeloader
  2020
  http://host-file-host6.com/
  http://host-host-file8.com/

Extracted: djvu
  http://zexeq.com/test1/get.php
  extension: .hhuy
  offline_id: gG3wF8nDWRqLztkHPAxMzpvNVlmLBMgQKmKiCNt1
  payload_url:
    http://brusuax.com/dl/build2.exe
    http://zexeq.com/files/1/build3.exe
  ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-5zKXJl7cwi Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0834ASdw

Extracted: risepro
  193.233.132.51

Extracted: lumma
  http://soupinterestoe.fun/api
  http://dayfarrichjwclik.fun/api
  http://neighborhoodfeelsa.fun/api
  http://ratefacilityframw.fun/api
Signatures

DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 05193c12562beb5de5f05ae6816c976f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dc3f894f-2f6a-48e4-a880-09a2aa448632\\39CA.exe\" --AutoStart" | 39CA.exe
pid | Process
5900 | schtasks.exe
5896 | schtasks.exe

Detect Lumma Stealer payload V4 4 IoCs
resource | yara_rule
behavioral2/memory/4912-545-0x0000000000960000-0x0000000000A60000-memory.dmp | family_lumma_v4
behavioral2/memory/4912-546-0x0000000000B30000-0x0000000000BAC000-memory.dmp | family_lumma_v4
behavioral2/memory/4912-547-0x0000000000400000-0x0000000000892000-memory.dmp | family_lumma_v4
behavioral2/memory/4912-616-0x0000000000400000-0x0000000000892000-memory.dmp | family_lumma_v4

Detected Djvu ransomware 9 IoCs
resource | yara_rule
behavioral2/memory/5112-30-0x0000000002600000-0x000000000271B000-memory.dmp | family_djvu
behavioral2/memory/4640-29-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4640-27-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4640-31-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4640-32-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4640-44-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4484-50-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4484-51-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4484-53-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Control Panel\International\Geo\Nation | 39CA.exe

Deletes itself 1 IoCs
pid | Process
3076 | Process not Found

Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | 2HZ4149.exe

Executes dropped EXE 9 IoCs
pid | Process
5112 | 39CA.exe
4640 | 39CA.exe
4920 | 39CA.exe
4484 | 39CA.exe
3352 | 4F95.exe
4092 | Iq1AE80.exe
1120 | 1OS23mY7.exe
6656 | 2HZ4149.exe
4912 | 7wy9dn57.exe

Modifies file permissions 1 TTPs 1 IoCs
pid | Process
3160 | icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2HZ4149.exe
Key opened | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2HZ4149.exe
Key opened | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2HZ4149.exe

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\dc3f894f-2f6a-48e4-a880-09a2aa448632\\39CA.exe\" --AutoStart" | 39CA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4F95.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Iq1AE80.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | 2HZ4149.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
93 | api.2ip.ua
165 | ipinfo.io
166 | ipinfo.io
92 | api.2ip.ua

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000a000000023237-72.dat | autoit_exe

Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | 2HZ4149.exe
File opened for modification | C:\Windows\System32\GroupPolicy | 2HZ4149.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | 2HZ4149.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | 2HZ4149.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 4880 set thread context of 2844 | 4880 | 05193c12562beb5de5f05ae6816c976f.exe | 89
PID 5112 set thread context of 4640 | 5112 | 39CA.exe | 113
PID 4920 set thread context of 4484 | 4920 | 39CA.exe | 117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 3 IoCs
pid | pid_target | Process | procid_target
2972 | 4484 | WerFault.exe | 117
5368 | 6656 | WerFault.exe | 165
840 | 4912 | WerFault.exe | 185

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 05193c12562beb5de5f05ae6816c976f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 05193c12562beb5de5f05ae6816c976f.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 05193c12562beb5de5f05ae6816c976f.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2HZ4149.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 2HZ4149.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5900 | schtasks.exe
5896 | schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
2844 | 05193c12562beb5de5f05ae6816c976f.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
Suspicious use of AdjustPrivilegeToken 52 IoCs
Suspicious use of FindShellTrayWindow 39 IoCs
Suspicious use of SendNotifyMessage 30 IoCs

Suspicious use of UnmapMainImage 1 IoCs
pid | Process
3076 | Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2HZ4149.exe

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 2HZ4149.exe

Processes

(1) C:\Users\Admin\AppData\Local\Temp\05193c12562beb5de5f05ae6816c976f.exe
    "C:\Users\Admin\AppData\Local\Temp\05193c12562beb5de5f05ae6816c976f.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4880
  (2) C:\Users\Admin\AppData\Local\Temp\05193c12562beb5de5f05ae6816c976f.exe
      "C:\Users\Admin\AppData\Local\Temp\05193c12562beb5de5f05ae6816c976f.exe"
      - DcRat
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID:2844

(1) C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E57E.bat" "
    - Suspicious use of WriteProcessMemory
    PID:4292
  (2) C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      PID:1936

(1) C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E82E.bat" "
    - Suspicious use of WriteProcessMemory
    PID:4256
  (2) C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      PID:3528

(1) C:\Users\Admin\AppData\Local\Temp\39CA.exe
    C:\Users\Admin\AppData\Local\Temp\39CA.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5112
  (2) C:\Users\Admin\AppData\Local\Temp\39CA.exe
      C:\Users\Admin\AppData\Local\Temp\39CA.exe
      - DcRat
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID:4640
    (3) C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Users\Admin\AppData\Local\dc3f894f-2f6a-48e4-a880-09a2aa448632" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        - Modifies file permissions
        PID:3160
    (3) C:\Users\Admin\AppData\Local\Temp\39CA.exe
        "C:\Users\Admin\AppData\Local\Temp\39CA.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID:4920
      (4) C:\Users\Admin\AppData\Local\Temp\39CA.exe
          "C:\Users\Admin\AppData\Local\Temp\39CA.exe" --Admin IsNotAutoStart IsNotTask
          - Executes dropped EXE
          PID:4484
        (5) C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 584
            - Program crash
            PID:2972

(1) C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4484 -ip 4484
    PID:2224

(1) C:\Users\Admin\AppData\Local\Temp\4F95.exe
    C:\Users\Admin\AppData\Local\Temp\4F95.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3352
  (2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iq1AE80.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Iq1AE80.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID:4092
    (3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1OS23mY7.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1OS23mY7.exe
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID:1120
      (4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
          - Suspicious use of WriteProcessMemory
          PID:1432
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd89eb46f8,0x7ffd89eb4708,0x7ffd89eb4718
            PID:1644
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,10107322562801714201,14599220876246530226,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
            PID:5164
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,10107322562801714201,14599220876246530226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
            PID:5176
      (4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
          - Enumerates system info in registry
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID:1660
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x140,0x16c,0x7ffd89eb46f8,0x7ffd89eb4708,0x7ffd89eb4718
            PID:2228
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
            PID:5408
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
            PID:5396
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
            PID:3144
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
            PID:5444
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2964 /prefetch:3
            PID:5436
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2920 /prefetch:2
            PID:5428
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
            PID:4976
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
            PID:6240
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
            PID:6344
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
            PID:6456
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
            PID:6688
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
            PID:5684
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
            PID:6732
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
            PID:564
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
            PID:6864
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
            PID:6832
        (5) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
            PID:7764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:15⤵PID:7756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7476 /prefetch:85⤵PID:8012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7476 /prefetch:85⤵PID:8028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:15⤵PID:7360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7768 /prefetch:15⤵PID:7368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:15⤵PID:2832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:15⤵PID:7592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6636 /prefetch:85⤵PID:7532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,10316292918420270150,8721974567023381015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:15⤵PID:3068
-
-
-
- (depth 4) PID 1416: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
- (depth 5) PID 532: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd89eb46f8,0x7ffd89eb4708,0x7ffd89eb4718
- (depth 5) PID 5480: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,14488226668661442050,5106539235026977238,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
- (depth 5) PID 5640: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,14488226668661442050,5106539235026977238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
- (depth 4) PID 2520: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
- (depth 5) PID 1852: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd89eb46f8,0x7ffd89eb4708,0x7ffd89eb4718
- (depth 5) PID 5660: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,7038929391279602837,2525681848609841630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
- (depth 4) PID 4448: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
- (depth 5) PID 3056: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7ffd89eb46f8,0x7ffd89eb4708,0x7ffd89eb4718
- (depth 5) PID 6192: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,6180090127942520350,2111262542101851512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
- (depth 4) PID 1092: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
- (depth 5) PID 6812: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,14640718944225094107,10065397489450601386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
- (depth 4) PID 4460: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
- (depth 5) PID 3708: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd89eb46f8,0x7ffd89eb4708,0x7ffd89eb4718
- (depth 4) PID 5452: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
- (depth 5) PID 5620: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd89eb46f8,0x7ffd89eb4708,0x7ffd89eb4718
- (depth 4) PID 6164: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
- (depth 5) PID 6204: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x180,0x184,0x188,0x15c,0x18c,0x7ffd89eb46f8,0x7ffd89eb4708,0x7ffd89eb4718
- (depth 4) PID 6848: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
- (depth 5) PID 7028: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd89eb46f8,0x7ffd89eb4708,0x7ffd89eb4718
- (depth 3) PID 6656: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2HZ4149.exe
  signatures: Drops startup file; Executes dropped EXE; Accesses Microsoft Outlook profiles; Adds Run key to start application; Drops file in System32 directory; Checks processor information in registry; outlook_office_path; outlook_win_path
- (depth 4) PID 5900: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
  image: C:\Windows\SysWOW64\schtasks.exe
  signatures: DcRat; Creates scheduled task(s)
- (depth 4) PID 5896: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
  image: C:\Windows\SysWOW64\schtasks.exe
  signatures: DcRat; Creates scheduled task(s)
- (depth 4) PID 5368: C:\Windows\SysWOW64\WerFault.exe -u -p 6656 -s 1764
  signatures: Program crash
- (depth 2) PID 4912: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wy9dn57.exe
  signatures: Executes dropped EXE
- (depth 3) PID 840: C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1096
  signatures: Program crash
- (depth 1) PID 988: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd89eb46f8,0x7ffd89eb4708,0x7ffd89eb4718
- (depth 1) PID 5584: C:\Windows\System32\CompPkgSrv.exe -Embedding
- (depth 1) PID 6388: C:\Windows\System32\CompPkgSrv.exe -Embedding
- (depth 1) PID 5360: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
- (depth 1) PID 7028: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
- (depth 1) PID 7600: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6656 -ip 6656
- (depth 1) PID 8176: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4912 -ip 4912
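The two schtasks registrations under 2HZ4149.exe (PIDs 5900 and 5896) are the clearest persistence artefact in this tree: a forced (/f) task creation running as the sandbox user (/RU "Admin") with /rl HIGHEST, pointed at a binary under C:\ProgramData and triggered both hourly and at every logon. The "DcRat" label on those lines is the sandbox's signature name for that command-line pattern, not a family attribution. The Python below is an added example, not part of the sandbox output, that turns the pattern into a scoring check over process-creation events. The event records are constructed here from the two command lines above plus one benign control, and the field names (pid, parent_image, cmdline) are an assumed schema rather than any EDR product's format.

```python
"""Score `schtasks /create` invocations for persistence indicators.

Added example for this report, not sandbox output. SAMPLE_EVENTS is constructed
from the schtasks command lines in the process tree (PIDs 5900 and 5896) plus
one benign control; the event schema (pid, parent_image, cmdline) is an
assumption, not any particular EDR's format.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Task binaries under these user-writable roots are unusual for a HIGHEST task.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata)\\", re.IGNORECASE)
# IXP###.TMP is the extraction directory used by self-extracting CAB droppers.
IXP_DROPPER = re.compile(r"\\temp\\ixp\d{3}\.tmp\\", re.IGNORECASE)
# Triggers that make a task fire repeatedly or at every logon/boot.
PERSISTENT_TRIGGERS = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY"}


@dataclass
class Finding:
    pid: int
    task_name: str
    target: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_schtasks(cmdline: str) -> dict:
    """Map /flag -> value (or True for bare flags), honouring Windows quoting."""
    lex = shlex.shlex(cmdline, posix=False)   # posix=False keeps backslashes literal
    lex.whitespace_split = True
    lex.commenters = ""                       # a '#' in a path must not truncate the line
    tokens = list(lex)
    opts, i = {}, 1                           # tokens[0] is the schtasks image/name
    while i < len(tokens):
        flag = tokens[i].lower()
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        if flag.startswith("/") and has_value:
            opts[flag] = tokens[i + 1].strip('"')
            i += 2
        else:
            opts[flag] = True
            i += 1
    return opts


def assess(event: dict) -> Optional[Finding]:
    """Return a Finding for every `schtasks /create`, one reason per indicator hit."""
    cmd = event["cmdline"]
    if "schtasks" not in cmd.lower():
        return None
    opts = parse_schtasks(cmd)
    if "/create" not in opts:
        return None
    target = str(opts.get("/tr", ""))
    finding = Finding(event["pid"], str(opts.get("/tn", "")), target)
    if USER_WRITABLE.search(target):
        finding.reasons.append("task binary lives in a user-writable directory")
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        finding.reasons.append("/rl HIGHEST requests the elevated token")
    if str(opts.get("/sc", "")).upper() in PERSISTENT_TRIGGERS:
        finding.reasons.append(f"persistent trigger /sc {opts['/sc']}")
    if "/f" in opts:
        finding.reasons.append("/f overwrites any existing task of that name")
    if IXP_DROPPER.search(event.get("parent_image", "")):
        finding.reasons.append("parent runs from an IXP*.TMP extraction directory")
    return finding


def triage(events, threshold: int = 3):
    """Findings at or above the threshold, highest score first."""
    hits = [f for f in map(assess, events) if f and f.score >= threshold]
    return sorted(hits, key=lambda f: f.score, reverse=True)


# Constructed sample: the two observed registrations plus a benign installer task.
_DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2HZ4149.exe"
_TARGET = r"C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe"
SAMPLE_EVENTS = [
    {"pid": 5900, "parent_image": _DROPPER,
     "cmdline": f'schtasks /create /f /RU "Admin" /tr "{_TARGET}" '
                '/tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST'},
    {"pid": 5896, "parent_image": _DROPPER,
     "cmdline": f'schtasks /create /f /RU "Admin" /tr "{_TARGET}" '
                '/tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST'},
    # Hypothetical benign control: vendor updater registered from Program Files.
    {"pid": 4242, "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": 'schtasks /create /tn "Vendor Update" '
                r'/tr "C:\Program Files\Vendor\update.exe" /sc DAILY /st 03:00'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"PID {f.pid} task {f.task_name!r} score {f.score}: {'; '.join(f.reasons)}")
```

Both observed registrations score 5 of 5 and the control scores 0; in production the threshold is what you tune, and the parent-directory check is the one most worth extending with your own dropper paths.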
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 1
  - Registry Run Keys / Startup Folder (T1547.001): 1
- Scheduled Task/Job (T1053): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 1
  - Registry Run Keys / Startup Folder (T1547.001): 1
- Scheduled Task/Job (T1053): 1
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5185189987eee41269123ed15b9c50414
SHA17be01cf63c925d8765f4b43736324bcadf9c26f0
SHA256e60d66ed1dd7b983edb740f05ddcf88fd2830d62a946fff30de355e624fa6069
SHA512ed9c943b28a43a96210946e9dce66a7b9fe170c9daa741d63db99bdbbf69727ed6e2e24b6373e2ffb78504e563d871c44d4bbff24b60c23b860a7105628b99a0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5910a6ab49d1d2ed14da5c4ee1d2fdd9f
SHA134301308663070986b12fec9c9971c74a6b4f19d
SHA256eec90c1425d535969f2d654b9d8ad9e104cd4e252ae883b248dccc4361aab7b4
SHA512b215bb9722f49070aa1225fc9e32fc268bbaf5d607245225bd3285bc49be82571cc8f94433c688c771cf9f4d6fe9497578dfd94f5f235faad6519aa772fe4c1d
-
Filesize152B
MD5d94c59e136e2bc795637c1c05e315e35
SHA10ec32d5c51c34e9215b5390e7aa4add173310f01
SHA256ad71bfe2069efebb4ca211ae6ec21473fc1b43dd3269b8523c5b67da6edcb41f
SHA51257a5c50bd9e87b20200ecbd18ed2bd7712a46fcb9f5ce3d3aecdb768bcfa52d5025f9fd40523015414aeac3e8c94c9ab1caa6ae006dc4e9e7ab58c92607ffd6c
-
Filesize152B
MD5890585f0e978711e84e103f4e737e1b8
SHA112b9a7b4a1a016c8a0d4458f389135ed23574e27
SHA256c83ee823a77974192ee702a6b550e28046fe4f60798e471e7b5b75c1f623c092
SHA512246b774837bfb5c3f158024986fb040419974c7a8c1e6f6875e713760385084b32cfa294a5195598e7968632d1e2e4f553545f6d084cb4e5204a868aabdc0297
-
Filesize20KB
MD5923a543cc619ea568f91b723d9fb1ef0
SHA16f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555
-
Filesize21KB
MD57d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA168f598c84936c9720c5ffd6685294f5c94000dff
SHA2566c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f
-
Filesize190KB
MD5d55250dc737ef207ba326220fff903d1
SHA1cbdc4af13a2ca8219d5c0b13d2c091a4234347c6
SHA256d3e913618a52fe57ab4320e62a5ace58a699d6bce8187164e198abe3279726fd
SHA51213adff61e2cfa25dc535eba9d63209b7e7e9bd29fc4d6c868b057df7f680aa66ef5783a0e82a8367185debf7f6fe5bae89adc0770daff5317d2e16db5ad3ab39
-
Filesize33KB
MD5909324d9c20060e3e73a7b5ff1f19dd8
SHA1feea7790740db1e87419c8f5920859ea0234b76b
SHA256dfc749d2afefe484d9aa9f8f06d461ad104a0ca9b75b46abfaaddda64a5e9278
SHA512b64d2dce1f9a185fbb8a32adc1ff402d8045d379600bf3f9154bbde18303610f18af9fce258442db1e621ecf10b77aafe99cffedfcbe2a1490056c50cc42d0f9
-
Filesize200KB
MD5b3ba9decc3bb52ed5cca8158e05928a9
SHA119d045a3fbccbf788a29a4dba443d9ccf5a12fb0
SHA2568bd1b2afcbe2fa046b0937197f1b2f393ef821ff89331f99754b9006f0114df4
SHA51286a86d370e96fa29c0c1d12991c2287936b400830869ff7b5abe4de6f32db2df782b626d724496cd6de27f8cbd32101ba34cbcd4c650ef11afa26bc048d68529
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize5KB
MD5361c364be55ae2f1f060b51329eee0ee
SHA150ba265374b2af5c96589dc6f618e08ed938050d
SHA2567e0d99f00ebf4b975c60f0b6629e6f95ba7ec77270248fc412b4c7c6c41ca153
SHA512ff0930ce65e55f66d7af34f73379c0a2fdf4921cdc24d9085db0b696e2455e624c2a7449e09b4bde744635995a1f59e178c7977bf5d59a2e1ea65a174a2b1e88
-
Filesize111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize3KB
MD5334b7963c55292412936e4ee72f54d6a
SHA1e0de0baefc0c5fa931f2b30963dc58f5a61b1fe9
SHA2568a3c274e6f0bce8c38c5f8415bd6bf33fcfa978010e67461cdba0ce81e39cc92
SHA512d37973a9146440092e769a0cfbd7d1982e92e3af650bd38aab29da33d983de9f10510c063ee2f9e38fbbb27195898c51592cb546363a260b8cd5c2a89d20e907
-
Filesize8KB
MD534359f8a310f36deb8657be21c942458
SHA108b4dea262ce47d29c1339bb67fc615b5de31e76
SHA256a576d8b27ad9f316e51441caa4917b9183d04c18e310055733955bada25a986b
SHA512cbbf4e76b15076ed9cd9db98c2b16760836540983883ab7089cf5941fd895477828c0bfbd0f2703c5536e1d949cab7d7762982e34ed6af239059ca80d40090b2
-
Filesize8KB
MD5010997ffc738489331b18d46facb2332
SHA1b78564e3114d7dc3464a356e060e84505d4471e5
SHA256abfa2cfef8553887492f087065c553d9b24d8490b96f2de4d009236373e4e330
SHA5122ec3b06fddfa2f01b345d5a1d5a993242846bf1c92d2dc7f2496a247986f4431675b47db076386c9432192692c7c45145d1cc3f8430906a00f466a42a0d2c561
-
Filesize5KB
MD55fc93638a944cecb1dbc2b5ddbbc8f46
SHA1deb8940380a4c26dda6894c44c3cd37fb47f5b22
SHA2564f3a336c4c4a8e282757c81faa6b6f5e9bf0431e9a6007e88683ddf9206c86ce
SHA5129443f76b4c0091be668a13f6e3db749ef5aa9be245b51fdd516fa47f256c20dc6a87c3648ba9c9cafc07c7baa03f315618defc79b5f0889c625414236aae599b
-
Filesize9KB
MD5bbc2b80c33bbe47ace2f787cbf2df841
SHA153dea037da7af8be02956fce47b6cfe05d108725
SHA2565aef108807a0e4bf097aa2febfea10f5d2b3c42d12f25259dcbea0125a861a37
SHA512e757b47c63e717fd9539e6083835b415a024f64ad207a1d78a4621c998d6cf91b09171a86dfe8bd51503126cf77f5d41e543106c671463c9a20adf92b27d386b
-
Filesize8KB
MD5d15c0ea0d19bd1a5ed2f2e65c0745933
SHA1e693bf46ce7615d07c07f8ae0279199e201b35f0
SHA256bc9c448607ac78b979469f43c5fcf0d66e4ad34a3f2acb9ea6ef6bb12fb1499c
SHA512002bc3e605db98f1f7b6795078fdaa48324f1d145a088302757dd4564d59937c73ae646cde58572e86af01925945c7809521b6a3445a2accbbf3eb21c727884c
-
Filesize24KB
MD5a553ed37741112dae933596a86226276
SHA174ab5b15036f657a40a159863fa901421e36d4fa
SHA256ec16b2f20ead3d276f672ae72533fcc24833c7bcfd08e82abf8c582e1bed5e87
SHA51225d263aeeda0384b709e1c4ec3f6dba5cfcb8577e026d66846c2045b543f6446439b946163b1ea8f7e53cc6ebf38c93172452bd43e2560b42b56c4d13625e107
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize89B
MD51a5d4e6d85d25986368ea9b5241fd03c
SHA17948485447d5abdbdd13edbcc06d1bc9e80c1508
SHA2564f4ee5ad43d5ec43bdfddf60f6f9acf5713eb4ef46f9f4e091cf542d781e7758
SHA512ab89e0f2035fbd367b0c8f89442ac690fdf71878d6029c98d4f606aa487eec5d3657593877c673d96795606f7c4d0ed35756bc0da77769832795441e2d5ab4e6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize146B
MD594f074ce6c03e0b88e411ffd21f4a901
SHA15ba517568b15d455084f0020e04a83629aa8f320
SHA256329424f90dd00f544a71122c6916155cdec4d00a69b53c19660c2c0b5d6336ac
SHA512d0d2edb44576c90ef7bcb03a35644393090ea28faef3d3c36cdee374a2dfa8aaadad362062a9c6ddf0a47b3c0edbd72bcb8d1a25bafa918bca98f541c26dbe08
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize82B
MD5ccf12c7104203c610295546a75778f49
SHA1bc9768171146690280a4ffb480f24939f8e12198
SHA256e72a7ce7679e5dd6b4731473b12fa954c6e74edf6538f6b64359a121942633fe
SHA512d4f3987c299f983f977b6335300db385f90be4cec207ce586bfe93f81c2e1e3573b6f353e254ad342d903169b08e40afb52c9671b16fb10ea6a9d36debd04d5c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\f9f96a28-0fe1-4012-a89a-8f6302b758c1\index-dir\the-real-index
Filesize6KB
MD5270be404a82d7e8c8c89ac1c720d2475
SHA1d6190e29324beba30d081b16e03ef96802a8673a
SHA256934d99eda588928f5d0374f1d4b278d5163b6619b7c8dcf108a6837a98a3de4c
SHA51251a4644279a8d2da4ed847ad8d610fc8c941084370990791ee2321d56314e0dca18e7a4dc9a1b68ce5710de407689aca33b0aeca7352990e050373e5a2acd217
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\f9f96a28-0fe1-4012-a89a-8f6302b758c1\index-dir\the-real-index~RFe596577.TMP
Filesize48B
MD58111907712646e58abb81f5072eb0ea6
SHA1bc3fad96f0b96bd57a8073699324e97dbfe490e8
SHA2563450bcbbe60041ef586519aad0dda5c3d8ac6fb751e17c460c2ccb6143c78bf3
SHA512db6b32025e39959899fb2cf6c04e4cee57343913e5aff5b7cbbaa24ae88e7a54a88357ab25b03c18666c16aa5774a58689fefa3beb401d7f8f9c17120a03a85e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt
Filesize83B
MD57798cab14799bbbe1db782563297b598
SHA1cf7328f567fbb5accd5f70e5124d1af51c056fe0
SHA256f9fe027a2536d0e63eb917776c6051d407ae100c5675d91755746132273fcb21
SHA512d81744931d8c64ad73683c44238c7cb2ab705c2e6c820d7e73e0af20d6dbe95b8866d8fbb27c92fc2e93fe04e05a409900e2ab277bcaa4181cb013fb4a6e231a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt
Filesize79B
MD561be18799922e2a90ce785556ef51adc
SHA1e398c459f2cdd0dd4aa431311a32e91a762a84aa
SHA256cd72437e1883da83bc8960361cbcd7019cad285bc1ec001fddfd46b7a3dcc142
SHA51243707cb74ed42bd5a26a43d0b19f620b95c7bb6feff565baf82752292c202a01b84b3782944283ee3a2bb199f9fcdc38c47d4d349bca5919678bd21788d47cd5
-
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize96B
MD5ac01db7d17360cc20ded13dea6f05f0a
SHA119cc5d5153481fa8b7579edd448626087ae20c30
SHA2565a445c672e2d733d8d92a98fc7e7ba25f21e758100de25a18004258badae8403
SHA5121692f31d81ca317022d1d7829200e0c48e058062778d8733eedc8a44e418e6a570cca915dd7ac906ad658228652888aa7566e626bbdd297fedc982a5d410c963
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize120B
MD57e8d376c1831f4b40ac80c2b72be2c3c
SHA155c27f672a6ebef8e4e8313102f7e7c6e8ab30e4
SHA256dc82095ada7f130f7331a01ff2e69ba3a180004c6fee92c6460acc3428ffda6f
SHA5124efe61c636355e9921d6256df704273e62e6db81a5cdac6803741ae2d965fb714db5debfdee24c25215e71f453c3f8d16bf2d4c71ba15e1563de2d187d2e7e3d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5904b9.TMP
Filesize48B
MD5b095d6165d34819863a9635e16cae32b
SHA126b888251556f6e3b8a6f188096ffebe4d0d7d17
SHA256750bbdf325afa45239bfb1b88ba7e78a7a60adeb660b530b768da39f2268fae4
SHA51266ae8455420d7769000dca7ffea8fa87960811232164c10d68b64d9ebcd172ece4d192285d34ed54ac0e0b04c52512570d7a5563ceccfb54c857145bbb27e1b8
-
Filesize3KB
MD596c3bbf2af259a1e911f190b1ce7767b
SHA13746372d4c03c384ee32cf5cf6c5be182a0a0d03
SHA256d0a9a6e49ee9076f5298a660b135a4407eaca791c5013e6e727b31c79382f5eb
SHA5123474667d9bb013d7588af0a8ec87cd72017826066e1a48eadb5832ebf44e8a2573cfcdae703467043b9549aeee1d32b04527ea13432c36e39f652d95e0b16db0
-
Filesize4KB
MD50bf589eefa069903fc64f694c293ddb4
SHA15648762ffdd9e5d9633aa7051bea4d610b7327ea
SHA2564b442208357c0dfda35fdd75207029088fa5f2bf930564a25571fed5f666784b
SHA512f23f448c922a70f6b799c84dd37416aa004a14cbb274c00f998a7159a7061d3f2fbd7a1f99fb5bcb482e4574faf4796d2d1afa2f860a6d16d74cd798df99195d
-
Filesize4KB
MD548f34c7583f3e7639185bff93d447228
SHA104a1fcfcbbdcfe9d3e264a3716f5e9effb1c1d71
SHA25612ad2f976337e6ad5439a531b874506e331fe8d7e7f52b216a91928f4373a6b3
SHA512486db9a121e10971d86dd3833d775065a5ef3541163c64ac4522c53da56e1a27604de7424d208a0b16bd3a07deeb3304f61820aaf7464c19d576d5405afc87b0
-
Filesize4KB
MD5a990596803612e03b2baf338dd32c24e
SHA1f5efb5ae5f2849ce2249714b52be0d9cb6bb4a86
SHA256b60282bb6be967789545063fe5aff1eb0931bf3c3e6fb28a387c6b38fff29878
SHA512e9c6ff7d4c2fe17253c9bb76fc952f25f0268410f3b881a2d0023800278a0ee0616aace989a223c35bccde8900265b2b8c69f6fb68e0f75842dff0744f1b4a9a
-
Filesize4KB
MD54b26f7817b7d5ecb829a76e0e03df2dd
SHA1167f53f1eb537d5dd2c02b06b9cf1cca32923661
SHA256b9ff2b240c04bf9a898b87c562e3e956fba86babb0a21ea8e5319ad6fae30264
SHA512a92770de72c3d5e853246f9a9da9a5106c8d564458520418f12e86f545ef7a0515ecb57495f2bf3e813b39dc2552520400a5652f8ab74d0da1983f6627aa7ec9
-
Filesize4KB
MD5a4aa14869fd99da7dc48d229992e74aa
SHA122da781de256c26a43d3e72f2af28fb57dbaf21c
SHA2563ae2642fbe3b741d924bef80cec802f5cc98bb55cfd4558a918c513eda0b42af
SHA512bf2d0642a6be6cc2e6e4351ac14e338c234ebf88f8562ec80bbb1bf42dda181d4b7287b6b0dfe9d71fb115e34d809ff79ef4effa26215da42b168807f50c9db1
-
Filesize1KB
MD590e2ca9fdca50eaf09741c54aaa74f54
SHA1ae1ce9881e4ec43cc8a38ed3821ba7ec726242f1
SHA2564cd4ad764df5af9bec9e2abf58c63c05211ae4508cf6c9ede6106e8786cac164
SHA512ed447f6535228b1760e76e3a67b5d02b7a83e0f339b273726e2b55fbdc9fb6874463c0a44ffd1dbd932e8b5e4e7ed88bcf43e41b265bd57c2e2a8995f065d0db
-
Filesize16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize2KB
MD5ad347fe976ac894162a92e7b3ddfaaa8
SHA1a05a88a7a65298da6d4d30c6ac65bc7830b27486
SHA256a3500f0dc1f9a76c3caadb96245648395390413e9bc08231d7e0f0e5ef922fea
SHA5129d567aa0be48d3dacc72f72a3329224fabc334f3b03fc3387a5fb6234d01b3a810d5621333208d6ed3224b91a0c891ee5de75a280de183ab0257642814862f7b
-
Filesize11KB
MD548cc39605bba0a7d4e106b46df31892b
SHA1002fc75db0c8385d091a9c0b356f624041e03c00
SHA2568ba451aa84a4d2e5ecac1dc2cf520ff6929970219f1f52cf63cc5713f052f3fa
SHA512618b1adbbddf7cf5e315109d294af68e9640c9ce1ec8b6d858f63d1c77600f2ed1ecc67e1346996ad64b9e7bb8606747d8edb8e7a16d46fd206a688e96aaf2c9
-
Filesize
2KB
MD534d116b283addc343f509c7e881b25d9
SHA15d686d27efa4cd9645ab01ba21e667ec5e7dcbc4
SHA2560c7fde863d7c565d37df8a245ecae1aace51b7abda2bb17b3b33e8c6d89e1a1f
SHA512c6aaf191721404415e0f8bed192ca37595fe4bd7c7ce55f45e3da66d3e82411f1f6bd130f09de1976407a75caa73de23fa829d566095e66dad53f7dcc2764101
-
Filesize
2KB
MD583a529273e0d2123a34ae836c5a8428e
SHA1720aec3274f3673923b4f559fe9d80d3a6509e9a
SHA256e80d8891940a7e5e7c6f01acc1d4eb9582149328cc847582b2bfc4ea92f03560
SHA5125bc7916fc7635f358d4a36b39e62cb9471f8089940b30013eb8106119d7cb2e6526df73030347c2a0cefd0cf3d586e330b1f6bf1244c60bb2605d2333a2ebe01
-
Filesize
2KB
MD5af682e94aad8e050e50feb21d4593681
SHA1c494e22cd7f5703c8a29107014416288d86cb8c8
SHA256f8523cd6ccbc983a4772b5a4e2b7b315863a406a82b41cc42fff30a05ef9978c
SHA51266cefd8510e7cbbc43c5b1e28747d1e425dba224d054015413acda30752399fb421485fd844c5f6a43faf5c094a5623f6ffc8bd224c80db1d2450b3707080108
-
Filesize
2KB
MD5983e2f1cf7c1976736aec0a6ea22573e
SHA132cd2b14bdc2138019a15b4afc2a26f88beb4728
SHA2564f09b4d650d7308818bc674704bff760f67b6e361575a708cc0f6e3a76d816be
SHA5124451bcd13ebba3765816f3425ae32f114d26eaa063122db462567a0f92340868bdaa887bf7f7d75b0f8469f1f2ba991b65b78fe35229c2aa91ea11f944e607fc
-
Filesize
768KB
MD5d6709cc2adb09d6ff003d52ece25c894
SHA11f5b110ab3549efac240ff309bbcb934c26a072a
SHA256fb5c249e2a353691a022f786fabcdc80037824e1f018ddb01d2a5f68c62e2167
SHA5129501a3818f7e478f546438582a654592bc2c541cdb7d1b54dfb931672a6da74b5e0c3b6a9ee5080dd604762bdb7be3222c931223acc7c79c51b3b06ea72e002d
-
Filesize
689KB
MD5d0f837500be8f20090cd46b5e2dae713
SHA1327ea2f782d74d1ed12cc6bf15a8d8b871a1eeee
SHA256675e09570482f0a60faf3f40b6767a781f8bb5c04d1b2f9b014a85b5c9ee9678
SHA5124a2b7ce6aef71c62b1011dcb35c99da7163e67c67c1404d85fd3632ca5b428537d1fdbc4f0254085eb10b21f8b5cac85e9ef7028cf3ff7a7f65b34084a3ea517
-
Filesize
1.5MB
MD5135f48610836f8ff87eeb2d15fc14904
SHA1c9a0fac15dccb7045d11fe24330034b5e14ad5e3
SHA2560f08b517669f5ebaef56cff14515eac9f6b0db4ce2f1d13a262bd6a2018d9db9
SHA512f1f3214d5a437df4eb410844b80d727f25c513eeff9d7181136d2d03d654936d03885b310b5f6093c9b5661491a1eaf69da51123913fe9d7455160e44293d9cd
-
Filesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
1.1MB
MD50027d666985236cbc938bb9ae00a8e85
SHA1ab5f9c70783fb90d7033de3feaf657d735af1f5e
SHA256975d85b42935d6b317d823861a5654da5e7a5ad04b160e42b10f8f3c277ea8e2
SHA5127c0c7b6898c118c099cfc2271821395526261511c96d11bab0e1254a078147f3b9ef49c8c31ba5eef2c82cb9e1e32f779966815166e3da0c37c4705d7dd07d2a
-
Filesize
898KB
MD5f0c1590658c1c8b045fb47832b66261c
SHA136240cdc8ce51dd4ca24618ebb6bb2a055342f9f
SHA256376cdd65497861b761f14b78b419fd5c66d2a7b017d52fb3e9ef530fd719f616
SHA5120e742618c9b98c668aea5b4140803f0c323b9cc541bf3befd500000b1d894423e8c5b5b4186a2e306bfd1ace43dae248b617770ee1704ec23002325690f5b586
-
Filesize
1.6MB
MD5f8e7488fd4ced59d6eb387447bc37430
SHA1560ed0a592273875ae66a93efd611f76a9da7ee7
SHA25630d11b5bd1ed2f376bb2c6dd47299a54702bf9cfdfc0d32e5f50c1adf83ae347
SHA5120e7445eb71a24e10c13a706189cc972d9d590bbd456f27b4008243161868fc6b0e86fd8fadf42f61502aa913f39e2a3fedb7de236b80a2bff05378b7ade6cdb2
-
Filesize
4KB
MD5a33e5ec6f5a9121e6cce18475da0604e
SHA1934220269721bfffe7db39bcdeade90278a179ae
SHA2562d7001897d513756fa037643b38e780be7d293e76c4b73b45809374abe66409a
SHA51241b9c63b2f9536dad98e3e684a7dfc5956b902f4658812d0a63086316482acb3d95e0b80c73e962c19155dd116b3d5b575eaf191ca8f8e920b634208d813ed35
-
Filesize
92KB
MD5250f6cee6a8be4a85cd0d78b8f9ac854
SHA148a5be711abe88c0efb7204f6c792e67a99d390a
SHA25621e090219937792f360789c94785cf969cf22fb9e2ae145dec419dc4beab1321
SHA5124685c2cbc34566879e5c494f1433996ce9541e048a87036876d0ec426a02a13af6ed606575306522def4dd19a3fcc34b95335f492b21960b28e8f12be82a35b7
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84