Resubmissions
25/04/2024, 18:41 | 240425-xbtfwade97 | 10
23/02/2024, 00:25 | 240223-aqsrkahd35 | 10
22/02/2024, 20:52 | 240222-znqxmafa7x | 10
22/02/2024, 17:28 | 240222-v17zfsdd86 | 10
22/02/2024, 17:13 | 240222-vrss6sdc92 | 10
22/02/2024, 17:01 | 240222-vjm8qadc33 | 10
22/02/2024, 15:57 | 240222-ted9ksce55 | 10

Analysis
max time kernel: 96s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/02/2024, 17:01
Static task: static1
Behavioral task: behavioral1
Sample: 6958ACC382E71103A0B83D20BBBB37D2.exe
Resource: win10v2004-20240221-en
General
Target: 6958ACC382E71103A0B83D20BBBB37D2.exe
Size: 232KB
MD5: 6958acc382e71103a0b83d20bbbb37d2
SHA1: 65bf64dfcabf7bc83e47ffc4360cda022d4dab34
SHA256: 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
SHA512: ebfa8b6986630b3502409d38cdff54881e4bce48511c7ba4f027345296c29708112c19ec6c9181c4b0188fa1f5cbe17b3c5d44dc07f33858323c677ef9caaeae
SSDEEP: 3072:FdfbYSFlTBL/A9OYh6++4hY7gfv9yPQxAVUmZAzsqvj1letKv/jbNRKCnrQbW:PbYSFH/AYYh9vERVUmSAQj1la9
Malware Config

Extracted: smokeloader
tfd5

Extracted: smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php

Extracted: djvu
http://habrafa.com/test1/get.php
extension: .lkhy
offline_id: OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
payload_url: http://brusuax.com/dl/build2.exe
payload_url: http://habrafa.com/files/1/build3.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw

Extracted: lumma
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures

DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | pid | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | | 6958ACC382E71103A0B83D20BBBB37D2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\74d70445-d187-41d4-b9c8-62687af4d0d8\\E698.exe\" --AutoStart" | | E698.exe
| | 6668 | schtasks.exe
| | 6524 | schtasks.exe

Detected Djvu ransomware 9 IoCs
resource | yara_rule
behavioral1/memory/2136-56-0x0000000002680000-0x000000000279B000-memory.dmp | family_djvu
behavioral1/memory/1092-57-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1092-59-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1092-60-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1092-68-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1092-80-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/4484-86-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/4484-87-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/4484-89-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Glupteba payload 10 IoCs
resource | yara_rule
behavioral1/memory/5424-395-0x0000000002E60000-0x000000000374B000-memory.dmp | family_glupteba
behavioral1/memory/5424-396-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/5424-586-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/5424-719-0x0000000002E60000-0x000000000374B000-memory.dmp | family_glupteba
behavioral1/memory/5424-721-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/7152-723-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/7152-818-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/7152-905-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/6336-1010-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/6336-1107-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
5304 | netsh.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation | E698.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation | B8C1.exe

Deletes itself 1 IoCs
pid | Process
3356 | Process not Found

Executes dropped EXE 8 IoCs
pid | Process
2136 | E698.exe
1092 | E698.exe
3608 | E698.exe
4484 | E698.exe
4768 | 1B17.exe
5424 | AD37.exe
5884 | B8C1.exe
4988 | BB62.exe

Modifies file permissions 1 TTPs 1 IoCs
pid | Process
3416 | icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\74d70445-d187-41d4-b9c8-62687af4d0d8\\E698.exe\" --AutoStart" | E698.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
100 | api.2ip.ua
101 | api.2ip.ua
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2136 set thread context of 1092 | 2136 | E698.exe | 112
PID 3608 set thread context of 4484 | 3608 | E698.exe | 115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
4784 | 4484 | WerFault.exe | 115

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6958ACC382E71103A0B83D20BBBB37D2.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6958ACC382E71103A0B83D20BBBB37D2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6958ACC382E71103A0B83D20BBBB37D2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
6668 | schtasks.exe
6524 | schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
1748 | tasklist.exe
5624 | tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133530949222631878" | chrome.exe

Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Process not Found

Runs ping.exe 1 TTPs 1 IoCs
pid | Process
6076 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (repeated rows collapsed, in order)
1312 | 6958ACC382E71103A0B83D20BBBB37D2.exe (2 rows)
3356 | Process not Found (62 rows)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3356 | Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
1312 | 6958ACC382E71103A0B83D20BBBB37D2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
pid | Process (repeated rows collapsed, in order)
1332 | chrome.exe (9 rows)
5036 | msedge.exe (9 rows)

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (each row below is a pair of rows, Token: SeShutdownPrivilege followed by Token: SeCreatePagefilePrivilege, collapsed in order)
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 3356 | Process not Found (4 pairs)
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 1332 | chrome.exe (3 pairs)
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 3356 | Process not Found (2 pairs)
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 1332 | chrome.exe (4 pairs)
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 3356 | Process not Found (2 pairs)
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 1332 | chrome.exe (6 pairs)
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 3356 | Process not Found (1 pair)
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 1332 | chrome.exe (3 pairs)
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 3356 | Process not Found (1 pair)
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 1332 | chrome.exe (1 pair)
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 3356 | Process not Found (1 pair)
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 1332 | chrome.exe (4 pairs)

Suspicious use of FindShellTrayWindow 52 IoCs
pid | Process (repeated rows collapsed, in order)
1332 | chrome.exe (26 rows)
3356 | Process not Found (1 row)
5036 | msedge.exe (25 rows)

Suspicious use of SendNotifyMessage 64 IoCs
pid | Process (repeated rows collapsed, in order)
1332 | chrome.exe (24 rows)
3356 | Process not Found (40 rows)

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (repeated rows collapsed, in order)
PID 3356 wrote to memory of 4812 | 3356 | Process not Found | 90 (2 rows)
PID 4812 wrote to memory of 4424 | 4812 | cmd.exe | 92 (2 rows)
PID 3356 wrote to memory of 1332 | 3356 | Process not Found | 93 (2 rows)
PID 1332 wrote to memory of 3832 | 1332 | chrome.exe | 95 (2 rows)
PID 1332 wrote to memory of 5084 | 1332 | chrome.exe | 97 (38 rows)
PID 1332 wrote to memory of 2988 | 1332 | chrome.exe | 101 (2 rows)
PID 1332 wrote to memory of 3972 | 1332 | chrome.exe | 98 (16 rows)

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1312
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ACE9.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵PID:4424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcd07d9758,0x7ffcd07d9768,0x7ffcd07d97782⤵PID:3832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:22⤵PID:5084
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:82⤵PID:3972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:12⤵PID:4944
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:12⤵PID:3432
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:82⤵PID:2988
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4716 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:12⤵PID:408
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5048 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:82⤵PID:2156
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:82⤵PID:4792
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:82⤵PID:3324
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5188 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:12⤵PID:1752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:82⤵PID:3412
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5556 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:12⤵PID:1824
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3164 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:12⤵PID:408
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4748 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:12⤵PID:4092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5048 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:12⤵PID:3976
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1720 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:82⤵PID:4644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6048 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:12⤵PID:3816
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2684 --field-trial-handle=1936,i,5702953491111303587,8411567864540341091,131072 /prefetch:22⤵PID:3036
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\E698.exeC:\Users\Admin\AppData\Local\Temp\E698.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\E698.exeC:\Users\Admin\AppData\Local\Temp\E698.exe2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1092 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\74d70445-d187-41d4-b9c8-62687af4d0d8" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:3416
-
-
C:\Users\Admin\AppData\Local\Temp\E698.exe"C:\Users\Admin\AppData\Local\Temp\E698.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3608 -
C:\Users\Admin\AppData\Local\Temp\E698.exe"C:\Users\Admin\AppData\Local\Temp\E698.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 5685⤵
- Program crash
PID:4784
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4484 -ip 44841⤵PID:3572
-
C:\Users\Admin\AppData\Local\Temp\1B17.exeC:\Users\Admin\AppData\Local\Temp\1B17.exe1⤵
- Executes dropped EXE
PID:4768
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1F00.bat" "1⤵PID:4904
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵PID:2272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:5036
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0x120,0x124,0xfc,0x128,0x7ffcbed946f8,0x7ffcbed94708,0x7ffcbed94718
      PID:100
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      PID:3632
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      PID:3520
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
      PID:5112
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      PID:5264
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      PID:5280
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
      PID:5924
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
      PID:5916
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
      PID:4964
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
      PID:5232
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
      PID:5468
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
      PID:3920
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
      PID:3508
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
      PID:2016
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
      PID:5952
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
      PID:5500
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
      PID:5612
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
      PID:4048
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
      PID:396
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
      PID:5992
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6424 /prefetch:8
      PID:6260
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6448 /prefetch:8
      PID:6248
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
      PID:6832
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
      PID:6560
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
      PID:5540
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
      PID:4256
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=1744 /prefetch:8
      PID:4012
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
      PID:6924
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
      PID:2148
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
      PID:2788
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
      PID:6768
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11154271542793038236,16536531868625792996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
      PID:3092

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:5216

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:5316
C:\Users\Admin\AppData\Local\Temp\AD37.exe
  C:\Users\Admin\AppData\Local\Temp\AD37.exe
  - Executes dropped EXE
  PID:5424
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      PID:452
    C:\Users\Admin\AppData\Local\Temp\AD37.exe
      "C:\Users\Admin\AppData\Local\Temp\AD37.exe"
      PID:7152
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          PID:1284
        C:\Windows\system32\cmd.exe
          C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          PID:6604
            C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              - Modifies Windows Firewall
              PID:5304
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          PID:5888
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          PID:5816
        C:\Windows\rss\csrss.exe
          C:\Windows\rss\csrss.exe
          PID:6336
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              PID:5592
            C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - DcRat
              - Creates scheduled task(s)
              PID:6668
            C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /tn ScheduledUpdate /f
              PID:3920
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              PID:6596
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              PID:6236
                C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  PID:5820
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              PID:6556
            C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - DcRat
              - Creates scheduled task(s)
              PID:6524
C:\Users\Admin\AppData\Local\Temp\B8C1.exe
  C:\Users\Admin\AppData\Local\Temp\B8C1.exe
  - Checks computer location settings
  - Executes dropped EXE
  PID:5884
    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Unlikely Unlikely.bat & Unlikely.bat & exit
      PID:5820
        C:\Windows\SysWOW64\tasklist.exe
          tasklist
          - Enumerates processes with tasklist
          PID:5624
        C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          PID:1976
        C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          PID:5496
        C:\Windows\SysWOW64\tasklist.exe
          tasklist
          - Enumerates processes with tasklist
          PID:1748
        C:\Windows\SysWOW64\cmd.exe
          cmd /c md 1808
          PID:4384
        C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Here + Td + Passwords + Movements + Cambodia 1808\Upgrades.pif
          PID:4360
        C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Meaning 1808\Z
          PID:5360
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1808\Upgrades.pif
          1808\Upgrades.pif 1808\Z
          PID:5948
        C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          - Runs ping.exe
          PID:6076

C:\Users\Admin\AppData\Local\Temp\BB62.exe
  C:\Users\Admin\AppData\Local\Temp\BB62.exe
  - Executes dropped EXE
  PID:4988
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Defense Evasion
  File and Directory Permissions Modification (1)
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD504e1c0fb7c50efaf86ba32ac99af0cd4
SHA1844aeeaba2b3c0a23a3f3580ee9eafde8eee9aa0
SHA25659cd12f0b76ce31550e9068fed1da5c917f8b4361ef4f3c62c9522473162705a
SHA5123394f7025fe90250bc8ae1caeba12ec23019a31c1762e5ab757cd874ff33160b1596be9bb079b5641b7476c306c8ebd520fab5f00a0dca06372c67387f21ce40
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD549843ce327a27318abb429bcc99856e0
SHA11bdef0df314da759111a167c67864d908cf44224
SHA25664571a844c89b47be34131227a91f195db9b8d8faa098bc3a086158aeeb776a4
SHA512f4e6ef6ac94fd33f32dc041e06091d5a72c3ed99537c49c63c744e9f09d5565683dd26887541c53120e16e72a8d6fa8f17285c3d3dd842222d637e44ea182772
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD5df4586c984c182c8ea5b54b574441d05
SHA1453f5061fa0b6de6a6fde5b19ac51fb51e393c8a
SHA25688ea238b947d5fa7014ade9bfc3080da2731c434482bdb27f741dfdd6e928461
SHA51273de2481b73b10c59960af361b1c0a6e172f6c2f8bf37330766fd6ecee3fcaa57941712d2e48110711478efbcd527fda22b9ef094c3eb71904577c8b03c099ee
-
Filesize
195KB
MD5873734b55d4c7d35a177c8318b0caec7
SHA1469b913b09ea5b55e60098c95120cc9b935ddb28
SHA2564ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d
SHA51224f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308
-
Filesize
432B
MD5f6db9b5791d5275cc61d232fcc83eb36
SHA1d91bc9d675169c8ad659535521e28bf0034e57f1
SHA256c08fe33e89235e7aa1f8ee3bcb263828b106416acc11e477173342a895172c97
SHA512a17912d55187ca779a1440217d2544b9c537fff094aa33d40fde8abb05b2520b4b532eab86b9cd1c988ef7c9b14165cd44093a030c1cd4c81a1199ff48553b5d
-
Filesize
2KB
MD5ee1cd083315f257cab3399084d965cb1
SHA156b599450bd6b8b21ad0c6ad4b0df805f09ce3e9
SHA2569cee23e884359e8be218308fff027fb32095bffc091f7053826d6b7ed0ec4ac0
SHA5126ef932b1d585a0e486223af5602537844be32927c89d7d978310b97624c0716966cacdf57a7a997c06414ccd0366d14a5522ff141deee4c6121c7cde8fff544a
-
Filesize
539B
MD52bfc8052ca940260c70b106ea1a7fb99
SHA13b8884da78bf8a5c3752f68024430842b7a26ea4
SHA25699e13bc11c4bd6b75ed7aa662b88bfe64c4617983fe1f7f4b9924532ac0e930d
SHA5120c23802ca19705a0fe027893ec338c5914e5fb069db7b916ed908e54ac55bf926dd1550df2c8876114b29343dcf1303fa6e767db669d9aa77ef96c191ccb4d0f
-
Filesize
371B
MD52a8b81a7280da6ce9987792def4da66a
SHA16fd14eb53c36cc25cb3f14fab395a5bcc7c44b6d
SHA2564aca65e9e044123e35ad9119d4dec9a967ef555cfdbd3cdbd3a987c4d54e39ee
SHA512e40411dfebc9f148a7e67bdf0adb76d94684f4ab564ffbdad8404a19267c67890d85fde7f7a5a7e577906ecc8ebc843dafefcf8e9f0ec98644582a2e5f285c55
-
Filesize
539B
MD5887a3be0bc379eb908a0ff2f2e58d0c6
SHA129c1455a130bd5794cc6e333cee9e7f2c1a0db11
SHA256344b656e1908534b824fe5d545a16a4be0f8f60356fe28bf06e8e81bebc334bc
SHA5126eb77b735f348dee5d2c6e1cf942743165df2357cd725ca620249f2ee83c2faac8e91452d51893e55e512288eabd52b926e7c03b8ed5ddee895549f24ea6bd76
-
Filesize
6KB
MD55e18ebca364d4aae3d06fac3c97b7083
SHA1373244d5b7029d0fc147acde6015ad8d670a6793
SHA2561fd7521dc917eb8c67d48d2b598483d30b85cdc0af61d5e8ad6af57d2dfe735e
SHA512fa9ad39df9f616933f83815d810327379a8f3aef38bb35c18e9ea338355b2d413b637fc4d25e5952bc471133cee212253836b32114b967298fd95574663f2f4b
-
Filesize
6KB
MD5659b60b703e3e97b0405495cdba2c1d9
SHA16cbc95bd7f44ae175029efb476e62dd77100fbc1
SHA256ae74449234420607db8861a40704fce88902bab4aa391a6a7b1bce0515dc1bcd
SHA512e7d4edb915dd857fbd26068009e2a3ce7f520073034d4acb7cf1081009598e4b5e97866f789107b65314eeb4ee7bff9df29f1621ab8bd90da01948445a8fb1c8
-
Filesize
15KB
MD583e92676dd1a8e4131080ca9b876d4b4
SHA10a4b603fefbce9ea1ec812d2e22ef85e69bf5eaa
SHA2568137285376ee766eca2018e039d931f607510cd52cc18d96f51cf429b8d8e57c
SHA5129e9d1dc1f4724f778e5b770d34de12e619969e43a76aa302c97e8d3750e757d563f534e41b255590a8785d64e166e1af89ff4c3203149e3677971cc38528ebd1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\7f64109c8e893c4107b24658a65a15878bb9abac\index.txt
Filesize114B
MD59308cf80d1188ea31e5155605d3c4557
SHA1861fd9f45a48113cae967ed656c90f5e94e2e506
SHA2562e4bc3248512a2ebaf641805a7b3f966659f0f4978fe02d3b04671d315ecd615
SHA512de7b0678c4fb2d635c8c82e4ac4d2bd124b389f06fab2cdf0931aeaf0da8ea1e116814b933619d49746f74fddbe7f85750445418afac69a5f3b6d2feadfab5ea
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\7f64109c8e893c4107b24658a65a15878bb9abac\index.txt~RFe5890a2.TMP
Filesize121B
MD5dee85b25d86971c62c3a8c0ed2849cab
SHA17967575b2a7ebee00c2a047b99ba07fc685d4a4b
SHA25603140cb0391460b310d8929757bc1f1c9989d82019d2599821d5f0b3caea1255
SHA5127c593d90c1165ac18e017df5543b38b6c23d9edce5da58b40ee727b6cbcf244c89ed2ffe9777abd65b1fa9288c25ae18e0f7145db837163d7d902f193830e52f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD57f7fe372ae23b9dab5d92e657a3e5a0e
SHA1978be32a4de1f168272b3f94dca39fb4c30697d0
SHA2569c3878b720157a80829bc4f3bb32cc8ca85bd017385fc0354e5bbd2f23fd868b
SHA512fc2db4e326e3d3e3aa9f103b343d8c56f78b543fbbd13cb8d0756fd3e21bc4a6007538fbd7985931140dc98b03964ce29800d4fad5d5d11072ffff92388eeff3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe589083.TMP
Filesize48B
MD5aa046ff3068f17ebb2f285d2fa8f260f
SHA19cc47b72d792f130e949d18f102ed838f2b3441e
SHA256026d9bc7bb5293ab03c0b2f3c7cfb584a3fe190e5996603d1fd067fe3f6f68fc
SHA512f1c8088b69b3306c6845f97f2afadf191319f5cc815b2bcbebf69ed20d9d3503cfd3e1d2f38cdecee3421593404be6e52232161f9f12369daa22e9e948298477
-
Filesize
257KB
MD551514ab4d4752413845b75c1899bc7d9
SHA11d995bedfa21963dab63be436e14309c611e4437
SHA2563b9ad91cbd0caf892a8bc07ba3a5340e55d054329103e33bd2d73b52d3b50cd6
SHA5123149d52feabb31bd230028bb2f4560d1bfcf56eb5295bc677fb618681c9c89a576722b72628c4fc0e5ec187015ca397cadea75c1a2d10111be4ef8ba70514dbd
-
Filesize
257KB
MD544b32862abd91255470861b3167d0efe
SHA11a4e3be352b9b7a60d715ef397ea55ffcea5c3af
SHA256824040d39f58856542d02d8593eb699864151e3723fbd90c091434716b1e6c50
SHA512a04845d42325be97cd59f1b2d5eb05098167ceb46b94416002d143c03f8499f1d75979781a94419d36bcf056b4e66d3b8277c768393d6041bce51f5dd365d3f4
-
Filesize
101KB
MD53b39f22db641f1d78e5bd2885ed1a2e7
SHA14ae692f5e44ced6a131f06f62550385a1b17a83a
SHA2564ae931a89c289b6a33f7e530428ecf25475c984596c7432d9360f5e46e93d2b4
SHA512918a9b0b182b7474047a59a88948b73d08ab4ee70753d9439114e4bfb5bcb24fd13f3513eb0e0dc6740daf450e2612e90e8ab9679d809ba2c7218d1b17902496
-
Filesize
107KB
MD5100ebfbb692d4c8c0526171a5fe16c11
SHA1968a56f591ea4f0f63cee93ecb691facbe56f9e4
SHA256929c1a1c5a551c7197d5b1aa0be3bae864d88ca770b102bae13b05f6a3e3563c
SHA5125f6b5edf025f61a843875fd07492b7e6f7bfa431033d60a8478911165d35a754315db75c667c59f281e74d8bb76a7353cb5aff006f1150c91b389885518a3f30
-
Filesize
98KB
MD5455f4823cd3369825a2743aa5984d597
SHA19fe46860cd54b851f02f85698a5a38b54119b4e9
SHA256711375f74fa3edeea2dcb5a88ca63d55421a0c638dacf924cab1c91bfa152974
SHA512b62068488cfe82e5c07e00dcca64b9f4724568dc436a1d85f5d6fafc7c2ed78622123811924106c135d514a7c4ee4bd5891db221954ef2765ff639553ea1e3b4
-
Filesize
152B
MD5ce1273b7d5888e76f37ce0c65671804c
SHA1e11b606e9109b3ec15b42cf5ac1a6b9345973818
SHA256eb1ba494db2fa795a4c59a63441bd4306bdb362998f555cadfe6abec5fd18b8c
SHA512899d6735ff5e29a3a9ee7af471a9167967174e022b8b76745ce39d2235f1b59f3aa277cc52af446c16144cce1f6c24f86b039e2ca678a9adac224e4232e23086
-
Filesize
38KB
MD51e450129c968afdf540b2202d2d999dd
SHA14574b6440b074d4ab92dd8b85cb62e8e51733a30
SHA25650c5e54cfefb45f1537c13155d2a8f69f2ae386b45c39967370d994b3eef2343
SHA5125e51fd4009ec821b63d8b529fbb4216b2985cf8c26cf8bcd51d2d5caab922701cbd969e8f59ee6923ce0a345417de4bc7f58195aea863f392b6ac35fe7ee04a3
-
Filesize
26KB
MD5191cd87d59bcfbb734fca7bb92bbc245
SHA130514c4b000361fe9319ebbb84d5cf93b9b0a82f
SHA256cf07e157a37761abad2d2ccf9385f5023fca4dad5a3594c6832274a1b5823c9b
SHA512a72b2bfe8e6ba1fb307f4d89c1a38070261d315d36f12726c22b77fa90171fb28d6f62b112dcaad521aa09e89990ff810c363fa79e2e75b48329ddded879dc4a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_thepiratebay.org_0.indexeddb.leveldb\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
6KB
MD58c35d05fcd7e8623d1129fe11f6a5ce5
SHA1d85499eb9771a4bd152bd1f388ac593523fc814d
SHA25641e5dd003b4cdd97ee5b8e898ea4984a69effcf5f78c211813dbdc0351d2ac96
SHA512b0e6fffcd25b150e07f270d584a6c8ad10e4e11919229b3d790bf3839b2b97f4a5ec8225d8d48256fcdaa2c3a4f6d36a79bab33df242f35618ff6125ab78ccf2
-
Filesize
8KB
MD5385b7a99c0b087da3aadc41dd6ac5091
SHA1f038822b0b6a79515cef4e0cae9c1e94ea86daba
SHA25669ab76d8cc1a6b3f8fb7ed9acea251ab22c0e311c27f27fee1ccbe9ef581bb2d
SHA51201777f352e2e8c81128d807d90ee6d98aa848c72a067e9b5c759fb186d67e5cd541f04291cadcf0dca92dd47cd8ea851c0a8c23e94497aa5ede771ab2c2c56b4
-
Filesize
7KB
MD5ec7132896d67887a6e6685e061a511b4
SHA1a0a615ad87357c2a78375a785e9cce96d69b7e57
SHA2560caf7ef2bc9b99d612ff914e4cf405616131008db31c0d806b99286d27d68152
SHA5127744047b984162daa430db1f8d6807905af707589e68898cd30ffe65b04035a27f3f3ea3b9e7bb178d68558ee2acdddb2002d3f333a80877175ea22af3b2bd78
-
Filesize
8KB
MD589802ad04cff2b3087521ec6b496bdb1
SHA17b7c4ab2818a571bda9f056b09e2060c736c407c
SHA256aa9bf1e400ef54fa843d14a78010a0a4d772fc5e716eda00e8513b7894440dad
SHA512f40f8423cd0bb65345342443ffb19686373658ba2e77ae8cd0ffc200d38befbb8f00647785525b94ceab8abc7d6bf94c998d677d3e283f7387faf261a087330a
-
Filesize
6KB
MD52e91d7b26bd14bb9aad425768ac7e9ce
SHA177c8ef1bf2665f2320061138182abaacaede2db0
SHA2563a75940bc8f9d1c6a80db627bf2b9d60818256a84fefbf421fa745825c51f392
SHA512decd2f296cedc19a4dcbe6ff7c2310183752315bc3e5d05a321d2f431e6736bc5ca379cc5be357e8b76aecf830d744be9e554a1fda68778c46ee4e967a112508
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize96B
MD585526d5c065c58d6f3540c6e044b41e1
SHA1bfaa2c8cbcab5ec260f438a5d9f863ea6653c5e0
SHA2562dc6e1fb15bf147742fa9a6572ef6058a45582d4ca7896775eb320c696d3b037
SHA5122edf91b50cb0a8afb4106b171610fb17c909ce7ff4820ea20cd6f48553fb3a848e311eaa592e6975a2eb8580b2ee3d6735bd9f83a20de55d8663c7899da5b931
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe592a71.TMP
Filesize48B
MD5bbf0d0a575bf858d8d9db59b081143e1
SHA19e3be8a120fe838b16879bd0522642f8f7c949fc
SHA25653701f82a03f62824c9fd81cd852a7a6455815626968bc5c9427a20c5e4a85f6
SHA5123696b9e451f9571f7399b5300dee9a0c41c3fd8402e3fb78651905d299342aac94085b7d570273c053fca2c298e32ebe366cf7173e250cfda75e32bd635cee0d
-
Filesize
538B
MD54e54b1ce604395ca3646e1522f2b442b
SHA16e72284141062740a6b1f89509112e633523933d
SHA256d37357d515cb47309157147e6b8bb9cbe1ccf123c6f0d96d99267a3c8972426d
SHA5125abfad562de6565ec68a4af5a4c53fb528b29c64fa05f0e3ff46693df33f7cb2c6d19bbabb298d8068eade6925f225656e4a3ffae67d927549a386af5ccbe7be
-
Filesize
873B
MD570574371a1db62d5e7f925c92d310ec6
SHA1a10f17d4aba30995eb3d78523f6d034d8aa7ab34
SHA256789579bc7e2dc305e13ce8f843c957ae8d585ac6d2cda00c653c1a73113e2c35
SHA5129a975fa50b2a1cf80f8d782aa0c43d924f4fc3bdfb416e6eedb0dafd88abfedc9e1393b5008e6b682b624da80c35ca1157d4fc75a75322a9da8b18447d7f8c52
-
Filesize
370B
MD5fb21a6b70531c0f33c2c86d0cd62fd53
SHA1aef0423a063ef9b1019a35f10a9c804bccb83a3d
SHA2566e601873a76278e40ab0d2a19d2bdf22495e272d171ed7ee06fcc6cdeca12349
SHA512d3941823a30fc4c5e82ca7192453a17dc12e8a6c7840b73200084c303327c2fa2529e1b9384fa4b2a0bdf556523ce853a8440e335c120522db387cae9a4b5589
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5
eab184b06f43a209b095d39644b36f37
SHA1
a6edfac943c2de5fce297942be7ad203d5b1df56
SHA256
f99bb9894f1be4eadeafb7ac47e075b5c1ce7a834be03149adfd1f2ab172e67f
SHA512
e3f151fb3c4842abbbb52741cf5b2ec50e974837d584dabc7d91cbca02bcfdadc07995d4519ecd496fc60ddfd4f3735fc44ae9a75016151c8315ec41dd0bdfcb
-
Filesize
11KB
MD5
1ce5fe29d9083dd94789335a0815e38f
SHA1
8292ff692cc75c14d4613bd5e968bc41f00f7419
SHA256
be10a92b6d76abb86d9862a47fd94012626b04d73bd7d4ec9e12cf51250f6949
SHA512
8114fff2585274fc8fb414b72254248312078fb0eccdd2529a37b7d947abe13c1c5b77a37486273de19e381d8f3a6be12f5e24c87548851db662443f2218b8f0
-
Filesize
512KB
MD5
8ac7252482f3d4598ab58532cffba5f6
SHA1
cccf1eb2cbc0f0608904e4be3f6a8fade7a2d4a5
SHA256
80e16958b4b80b23ef61dc76a389757c57cc903859e974c6f0c7ebc7c3e8fb99
SHA512
2da2a9590276ca7e94188e2091456daac34416a24533340f97f3b2e55d9f1df4622beee92b442debc4c999d1dbdc011a45e76995f4551bcff931a28d1fae5849
-
Filesize
5.6MB
MD5
479342d62078aaf31881972c7574f6f2
SHA1
382fa9a95746ca6199e7dfb9ae2bd035f4000fb4
SHA256
a6b59e0a275b5314935a3f812a5ba7dd5d5cc9524d3a6efdeb3a103eea386f6d
SHA512
0e74e3e0b993968220e712ffd94a76c00d35f0452494d62b3f6780c80cc0cae2e9982978830c54bed3a57d17a5a84abbdc4c0cbb5961afcae785048ac4ac47da
-
Filesize
924KB
MD5
848164d084384c49937f99d5b894253e
SHA1
3055ef803eeec4f175ebf120f94125717ee12444
SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a
-
Filesize
216KB
MD5
4e9db9155039f5a6a04e16a6a6bfe3b0
SHA1
b293c7fe05d7e92ce7d9cc6f36940eba14f5d460
SHA256
bd3cd1801a2c226c63186f6fe3182fff1847609c5d99ca22209c7e9dbdd3db2d
SHA512
8692e29ec7717ddad30ea365bd4408a178f1d3ff7f7c3535f8ba1545ffdcfe78ae108259d4feb81b1ca819eedf4ef79531103512d29f7fd0fd8146beb14e854a
-
Filesize
64KB
MD5
f99c27f6ce82ba40a3d8b3a681483602
SHA1
342e47898949af0f730117b0b13e302116743a8f
SHA256
e3bf730ed9213e0b8d3e42c81e6a63579b2a48e9a34d24122ccc91ff7988656e
SHA512
fa1384a452aff07eee2aae22233491590ba2007a7972f246d57e0533302592b861785cee3f390e74d5e1e37a9772d44b956391cdce38c515b0b66d29dd321c9e
-
Filesize
577KB
MD5
a6c58504594ab91fc0ca6102abd10e80
SHA1
03edc02d3806aa46d5e4c3c1aa8b6cff1b5c80f6
SHA256
b07a3cb7f4af841db56d43b6d8d35aea563993b8e0ec6d921eab372f637260f7
SHA512
07d68c06afc66c71b04da74d387536cd800f7dcda422f4b67dbff60ba2b883fa360e9292190655448fc130d1ebbeb31af828ee1ba279f904b2a7e556dbb8f1ea
-
Filesize
151KB
MD5
d7563558933a24bd74f0254272cf7830
SHA1
6982d08318ff2204d3714ce12d68a99b4f726fe7
SHA256
1b11dc628b44a4982b7b13891fae62471a380eb2973af359655cf65254ac5a7e
SHA512
fccdc060fd5ddd9b3892f82c343dcd80fdbc1bc24a24c50e9f86a1d917867c2b4189a3d4d6762daf8e9c719b999988a0d568f481c09802c5168010c490fdfcb5
-
Filesize
207KB
MD5
334f84837c9bcece9220e2c979503f68
SHA1
bdbdc63f1b85f72f8cf487dec6aaeb98e352c283
SHA256
10dfb698a8c05eff79092b546608c15e7df803d4aa759090509da6d5d96373d7
SHA512
37c3315a16d9f0e8ab044415a61220e2fa180e6f70f85435de7ccd7d1dcde84a0c13d48f670204e02ba7cfbe892a76f2efa979717b6b2b844a15aea0a845dcbb
-
Filesize
123KB
MD5
e32d058720e98d0fab73018ce1753b55
SHA1
f6b431cf3f225c3563591fbec4af922f6bff05d9
SHA256
1cf7bcef592ee857c079e82d39a1c371868597ee1c33e692556d780b5040b83b
SHA512
8f259f0f2eccbe01dc4efe5d4ad34a94dcb0b97f20c3f36c6b7e6c24c14a73fbb6aeefc11e76142cdba83f9bf1dd4d0647bcd1ad2d3a6780e063c48d872caa11
-
Filesize
10KB
MD5
19bc1bbe515dee767f02d503fa9d2cff
SHA1
acc900deea8e8eff4e1bda1ac2c89aa70ef0e7f9
SHA256
51ad4dc19fa436ac00a8b019da9ca49f30dcfe31d9aee0aabbb037fd10bca367
SHA512
fd0b3d6a867d8c7923d1166f546d4e14db0209df8d13dc46e9d08578ee78d4fc8739638e01f456f542cc383a2d086ed600931a8e889dcb1c4eb93d3cfe3a3dac
-
Filesize
77B
MD5
55cc761bf3429324e5a0095cab002113
SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
2.8MB
MD5
330aae36d68355784bae2eed0594fff6
SHA1
fa20777e0b968eb2cf82e253fabfeea9eb9094e5
SHA256
91a4546bf735a0480a77c3cbbce3d19a24211ffad783c2dfd5725df84a4ce3ee
SHA512
129f42c77f898b4c1e4d2842bf104091e2494e0fcc4f7e854d4c36550434224d747cbdc40e879176ad5bad8e783921c8329a8db0b0bb91f3a14b3b892575b0dc
-
Filesize
1.8MB
MD5
a6134d543c0fd4b8130d8d67797c2d13
SHA1
257022e58feafa0292f791200695615cbcab6fec
SHA256
3a204be571842bd9411cac6084965f834933631bcf5de5aa41ae568fde81faed
SHA512
597cf322a16cd1a45c4adfbc466cef1b1b11397acc8989518d66741092a3e8635ab9d4da6f2fe700913794e310f324b614172abb7d4f09f05c2532f36a516a60
-
Filesize
4.0MB
MD5
14c94c064e19e7f27fb2f540b3488f78
SHA1
19dddef106245f41bca6f0a60a98dbdd479f6e42
SHA256
9b152367f59b72a872d3bd65252fd0a9b810da375659a61c5f69b67108a76582
SHA512
a3a96a4ee3c903a67f5e76f613192d3e3e0162fbb119a9445d4f1447a24ebac5444d56cdb4c4d66fad2c504075b3c3b1855e97d6806f439d87c424a58989802a
-
Filesize
11KB
MD5
3d3ae7c2eddea19c3146543b95cdda7e
SHA1
ea36133e7bfc1b57cd8e78a6daf24f59526ceba0
SHA256
1f2a148765b1ef3247ca4312ea8d1460673744448ebd4559377eabd1ca1702f2
SHA512
2ee471f0e0423610dbac9f9d472d529d0b9da22f7ca45ae973a80080920f9ac04342051ad16858918ac4bbab48068b16d78d4d177b8a029c21dde509e333c775
-
Filesize
665KB
MD5
cb6633c17f8d2dd5f66e10265a84d378
SHA1
a966573bf307e615e4020b1534c7516583142be2
SHA256
1788b0f294ac1104d4a2306ee8615f53f04a6cb2ce199879b214b62a341c3ab8
SHA512
1aa97f3acd0546dfd50aea2445df8bbfdcb0e676796926607af2348d31def34fb34796d6ca1de08ca2fa376acbd3699cfabce42278674d989cf560cfc959be68
-
Filesize
128KB
MD5
7a781a9608e9517259596c7168e25332
SHA1
b906995a75b28803c3b7cadb097b7ab25b225b1c
SHA256
58f2b881fb0410532ff80bb763586847b0cf9909084d35b1f4a864b372568d62
SHA512
5cb100f6898f432d4b77fdcafdb78c79f688fe3febe3370b5f211cf13c64f43874fd30c3eb05f7990a3c521f2f7891a653037f0d33957ed0f5a654d2d1f892cc
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2B
MD5
f3b25701fe362ec84616a93a45ce9998
SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
7KB
MD5
df6d865b0079d18e62db13d494eaa6b9
SHA1
a087b0a25f92ac9b0e83ab67b1650d6b0a337efc
SHA256
3a2a8479a533868610598ea98b998af17614def5b732ab851cdd773b5c53e38f
SHA512
f1bef902f92676afb11db708c250f6d7584528221ad72726524d91ceeb6e4ca5154f8125920946a7b982f23b866470010963307074f80566ec0309bec596eb63
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms
Filesize
7KB
MD5
a1e142b5a77919ef3ae70b9f2ec21e0e
SHA1
bc8cd40b94e6d9642d453fabe8bdf09c22bd1dc9
SHA256
0977e872acb48492eea0114fdf5304cf67fe754fe2092ef85f71b624871564ea
SHA512
5eae19432333b61998f81562d817255a0c27554eada0f0abd023ebb874e7e810bf5b3c925ca70c21c11b0a1e0b4f1ec804f4dd046c84b82f3c97c0fd6ec06bf6