Analysis
max time kernel: 269s
max time network: 299s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-03-2024 17:26
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://filetransfer.io/data-package/FJGQEiJW#link
Resource: win10v2004-20231215-en
General
Target: https://filetransfer.io/data-package/FJGQEiJW#link
Malware Config
Extracted: discordrat
discord_token: MTIxNzA3NzI2Njc5OTEzMjc5NA.G6xQaE.4zXFoh6BPZlAIhLi46DSS2BaJjbxuU5eXQ1tP8
server_id: 1190067527355744316
Signatures
- Discord RAT
  A RAT written in C# using Discord as a C2.
- Downloads MZ/PE file
- Drops desktop.ini file(s) (1 IoC)
  Processes (description / ioc / process):
    File opened for modification: C:\Users\Admin\Videos\Captures\desktop.ini (svchost.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 15 IoCs)
  Processes (flow / ioc):
    312 discord.com, 322 discord.com, 82 discord.com, 309 discord.com, 314 discord.com, 321 discord.com, 85 discord.com, 308 discord.com, 316 discord.com, 318 discord.com, 320 discord.com, 84 discord.com, 86 discord.com, 319 discord.com, 324 discord.com
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (svchost.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid / process):
    1044 SCHTASKS.exe
    2504 SCHTASKS.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies registry class (3 IoCs)
  Processes (description / ioc / process):
    Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{3945813C-3A6E-4C0C-9E82-A21FD4EE53D0} (msedge.exe)
    Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{76DCF41D-C865-4CEC-820D-E9112F18CA42} (svchost.exe)
    Key created: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings (msedge.exe)
- Opens file in notepad (likely ransom note) (3 IoCs)
  Processes (pid / process):
    6064 NOTEPAD.EXE
    5284 NOTEPAD.EXE
    512 NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes (pid / process):
    4920 msedge.exe (2 entries)
    5056 msedge.exe (2 entries)
    3376 identity_helper.exe (2 entries)
    4420 msedge.exe (2 entries)
    5724 msedge.exe (2 entries)
    2236 msedge.exe (4 entries)
    4436 msedge.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (34 IoCs)
  Processes (pid / process):
    5056 msedge.exe (34 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeManageVolumePrivilege, 5704 svchost.exe
    Token: SeDebugPrivilege, 5348 build.exe
    Token: SeDebugPrivilege, 5292 build.exe
- Suspicious use of FindShellTrayWindow (52 IoCs)
  Processes (pid / process):
    5056 msedge.exe (52 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes (pid / process):
    5056 msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description / pid / process / target process), 64 entries in total, all of the form "PID 5056 wrote to memory of <target>" with msedge.exe (5056) as source and msedge.exe as target; target PIDs in order of first appearance: 3752, 2480, 4920, 1436
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filetransfer.io/data-package/FJGQEiJW#link
  PID: 5056
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa73e346f8,0x7ffa73e34708,0x7ffa73e34718
    PID: 3752
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
    PID: 2480
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
    PID: 4920
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2996 /prefetch:8
    PID: 1436
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    PID: 5028
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    PID: 2548
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
    PID: 5008
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
    PID: 3376
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
    PID: 5016
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
    PID: 2696
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
    PID: 3416
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
    PID: 212
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
    PID: 1892
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    PID: 2816
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
    PID: 3768
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
    PID: 3724
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6184 /prefetch:8
    PID: 4416
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6192 /prefetch:8
    PID: 4420
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
    PID: 100
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
    PID: 2404
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
    PID: 3612
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
    PID: 2316
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1804 /prefetch:1
    PID: 4300
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2152 /prefetch:8
    PID: 4936
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6528 /prefetch:8
    PID: 1552
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
    PID: 1808
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
    PID: 1788
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
    PID: 5536
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
    PID: 5836
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
    PID: 1972
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1756 /prefetch:1
    PID: 5828
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
    PID: 5916
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
    PID: 6124
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
    PID: 5140
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
    PID: 5240
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
    PID: 5376
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2468 /prefetch:1
    PID: 5388
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
    PID: 6004
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
    PID: 6016
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
    PID: 5872
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
    PID: 2924
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
    PID: 3596
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
    PID: 5688
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7276 /prefetch:2
    PID: 2236
    Signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
    PID: 1476
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,18135763560839658831,4651401925791755390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3172 /prefetch:8
    PID: 4436
    Signatures: Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4624
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:512
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x328 0x3cc1⤵PID:5460
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5a6b7c6fh9c1fh4339haef4h9fef4c9c184c1⤵PID:5956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa73e346f8,0x7ffa73e34708,0x7ffa73e347182⤵PID:4380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3474068967559742615,13667150345316661527,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵PID:4848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,3474068967559742615,13667150345316661527,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:5724
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5060
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2592
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:1304
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5704
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3516
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Executor.zip\READ_ME.txt1⤵
- Opens file in notepad (likely ransom note)
PID:6064
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Executor\READ_ME.txt1⤵
- Opens file in notepad (likely ransom note)
PID:5284
-
C:\Users\Admin\Downloads\Executor\Main\build.exe"C:\Users\Admin\Downloads\Executor\Main\build.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5348 -
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77build.exe" /tr "'C:\Users\Admin\Downloads\Executor\Main\build.exe'" /sc onlogon /rl HIGHEST2⤵
- Creates scheduled task(s)
PID:1044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Executor\Main\buildsigs.bat" "1⤵PID:5256
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Executor\READ_ME.txt1⤵
- Opens file in notepad (likely ransom note)
PID:512
-
C:\Users\Admin\Downloads\Executor\Main\build.exe"C:\Users\Admin\Downloads\Executor\Main\build.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5292 -
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77build.exe" /tr "'C:\Users\Admin\Downloads\Executor\Main\build.exe'" /sc onlogon /rl HIGHEST2⤵
- Creates scheduled task(s)
PID:2504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Executor\Main\buildsigs.bat" "1⤵PID:5000
MITRE ATT&CK Enterprise v15
Downloads