Analysis
-
max time kernel
374s -
max time network
374s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
18-06-2024 09:00
General
-
Target
http://defeatwax.ru
Malware Config
Signatures
-
CryptoLocker
Ransomware family with multiple variants.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (518) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 20 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
NTFS ADS 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://defeatwax.ru1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbaf3846f8,0x7ffbaf384708,0x7ffbaf3847182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1924 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5568 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5852 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6236 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6800 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3992 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6656 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\Amus.exe"C:\Users\Admin\Downloads\Amus.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Amus.exe"C:\Users\Admin\Downloads\Amus.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6028 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6680 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\CryptoLocker.exe"C:\Users\Admin\Downloads\CryptoLocker.exe"2⤵
- Executes dropped EXE
- NTFS ADS
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C4⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7004 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,4484780924897702304,17624786534092062563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 /prefetch:82⤵
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2f8 0x2cc1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops startup file
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-42D8AA8B.[[email protected]].ncovFilesize
2.7MB
MD59e6df1db8ccae420d9d8eb2e3ce40dde
SHA1ad69f8161cc5c82236c6c47baea3671dd1bab71d
SHA2562f9ebc4334a33781356d17f69f43e4fbef3d97c3115abf40de32d1bc26070946
SHA5129977e840c0c08a088d0d67fb611345259e5bd011ab89cda2337df58ffe63518b462cdbf96bee57668912c7a53e6f7b7d90740bbcb68dd62c5aa50515390076fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54b4f91fa1b362ba5341ecb2836438dea
SHA19561f5aabed742404d455da735259a2c6781fa07
SHA256d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5eaa3db555ab5bc0cb364826204aad3f0
SHA1a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002Filesize
38KB
MD5b3ab03044e8eccaf9f393c2951b729ea
SHA17b0cbb60b6d9088f4f00bb718204f25fa35b3167
SHA25651e19fc5a225abc9a67fd2c89ed6a955149a0cf1609b43f2ca421411fb87d938
SHA5121913ab566a60780ae7ee648cf323fdf5107f1640f8b6b6a207ed49c5d45fcad52a49641a0f2d71106369766afa95e132341d78349baf86311a1dffd20b954530
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003Filesize
63KB
MD55d0e354e98734f75eee79829eb7b9039
SHA186ffc126d8b7473568a4bb04d49021959a892b3a
SHA2561cf8ae1c13406a2b4fc81dae6e30f6ea6a8a72566222d2ffe9e85b7e3676b97e
SHA5124475f576a2cdaac1ebdec9e0a94f3098e2bc84b9a2a1da004c67e73597dd61acfbb88c94d0d39a655732c77565b7cc06880c78a97307cb3aac5abf16dd14ec79
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005Filesize
69KB
MD5a9ee0092a50e4443e7cd01cefdc6d95e
SHA118614eadee202eae00c3f22267d18cf648446b93
SHA25678c268c35b00d23224cb9ad9ee70426c943d41d4635d558756ef83f985e7cc9b
SHA512d4db3c81cd081d582017bb678ecc7edac4641c840300b802c88d433a9f79fb709176bb8c11af35d55562ac0a82b25763477e3a6b2784456a5f4b8be625d165a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006Filesize
19KB
MD5635efe262aec3acfb8be08b7baf97a3d
SHA1232b8fe0965aea5c65605b78c3ba286cefb2f43f
SHA2568a4492d1d9ca694d384d89fa61cf1df2b04583c64762783313029ae405cbfa06
SHA512d4b21b43b67697f1c391147691d8229d429082c389411167386f5c94e3a798f26c2457adf6d06caec446106e0f0aa16d895bfc4e8a1ff9e9c21a51173a923e3d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007Filesize
42KB
MD5b2cd531e7ed2f6fc156776e33c30fc7d
SHA1b133d3c7fbdfb6a65b831c26c94af5d093942746
SHA2567965c2bd230793da81cfc31fa0aa037824605ffe78c1de2ad678d47be7302705
SHA512603ef0f54b9be1ef766af8c9ede25dc5b643e503ce0cdac4b458631b020d5b5f366daeff456b730ab6f2c4e0df42ddde64a144145301ae4131290a7f7caa237e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008Filesize
64KB
MD52923c306256864061a11e426841fc44a
SHA1d9bb657845d502acd69a15a66f9e667ce9b68351
SHA2565bc3f12e012e1a39ac69afba923768b758089461ccea0b8391f682d91c0ed2fa
SHA512f2614f699ac296ee1f81e32955c97d2c13177714dbd424e7f5f7de0d8869dd799d13c64929386ac9c942325456d26c4876a09341d17d7c9af4f80695d259cfea
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009Filesize
88KB
MD577e89b1c954303a8aa65ae10e18c1b51
SHA1e2b15a0d930dcc11f0b38c95b1e68d1ca8334d73
SHA256069a7cc0309c5d6fc99259d5d5a8e41926996bbae11dc8631a7303a0c2d8c953
SHA5125780d3532af970f3942eecf731a43f04b0d2bdb9c0f1a262dbd1c3980bcc82fe6d2126236ad33c48ea5434d376de2214d84a9a2ccec46a0671886fe0aa5e5597
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000aFilesize
1.2MB
MD55dcfe3466181e542efe0cf922b40de1d
SHA1fcbb18ac226c9c475e69d1f11367eb7c7e6726d9
SHA25606e146efef87c63827881b3e12f29899d0d4dc1cd5858eeb9e85630629504b83
SHA512fefb47019b213438a8fff7cf170634d24a88629d8ab8a7986dddc37d00ab7f14de62af343e8ff1aeb7fb7ee616d79e250c9a875634d35e474b4f8663ab2267c5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000dFilesize
32KB
MD5e529668d3aa5f8f348e27e6ef2b04212
SHA1bb9875cf7a3db027e78fa28e18c718b3554eff60
SHA256b42f812971f896d4d415df864066588e7f0a2b24d2e5c8078b333d9e7829d563
SHA512cde1008c536ba2cd3e9b8e5470eb2d40c39af3f41b2acc7947810fdb7b640190630865839f830e889eed458a684c1c788fa3ec478ee3aec41eb88fc2ecb8837d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000eFilesize
74KB
MD5c88f69b53606b96dff18c7924bf8bde3
SHA129fa7b32032ecb1564cb6627a9ec3148cea894b5
SHA2561f7c691bd43a49b47ed23e255c411638953439fa83e5133356aab6e59fe0fb29
SHA5120cc60147c4b0912a9105706e0112e12172679f43896a0ba66085224802bfc6d1b31d2fcfc744b41fd64e37f75183403dd20e0fe43066a60a452c59fd55b385e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001eFilesize
18KB
MD540dc97df92dc67786e9f8a09068d1c68
SHA1dc166a3ffad92ea5e9af02a9a3f84dab4a48be4a
SHA25692768858b2bf6eef7f06a19182cccb94627cac60877425a01449aaa8f601dfce
SHA51236874c2687cc9286909d9d6d2307b7db3f43485a3c2ae2c0572d70a88f56d0f0852f4fb338fc4c7d3cbaddfe5061260754e192849e9445166f09078958e37452
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003bFilesize
20KB
MD50f3de113dc536643a187f641efae47f4
SHA1729e48891d13fb7581697f5fee8175f60519615e
SHA2569bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8
SHA5128332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1335940a5a13f354_0Filesize
19KB
MD5f4a860bf849a538d64bbd47fe9a35ba7
SHA12571c02c87648d5991c06806f665e602ceb798ba
SHA2565688333601634bac76f22d9dfcd7e5acfbfd29b65f60bbc42a4197772d0c1430
SHA512b13fcb56ec341cdfdca4ffef92a88f652798f49a9065a0fe4ffafab42f961d84825be4addfda19c71575a7c40de94a3a50e799f5cfd3d3c3b4688f374a05bb5a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\30bd719eb980b966_0Filesize
3KB
MD5a298d608b97ad7b3e1ca6f9927a33d87
SHA153fa80ba4bc023e0abc6ba184292c2ce27f5c332
SHA25637e4da7814198c77a33cae54a3700a317175e004714394e26a9c4dab2e1fc3f6
SHA5125d16199ee73158fef380866cbf8418545576397c95bfc2977027366c5885b8e4e58a303b8dc3497fa3f1d4ce5b10c2cf43dccc75fb66ccc8b77af970fae16357
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3b3e0ce13da94924_0Filesize
1KB
MD57e305e8f375125da18af44cd6f3d517a
SHA1dfdbb2fb30f9926e334b4c9ca9a692a9e2837057
SHA256a7d3f2d98ec1d755e2a5f5547092849a20cb848f56bca7265bb078913bffca43
SHA512dd934f486a927dc50faeaed43b777f5e94fabdbfe0e18b81e2a0c62197357b07b707723201161625bf29b282f1691a512498bb8bf8889b17836af7c40e3c639a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\44d49f9dff020a86_0Filesize
7KB
MD5941e4de3ee94c0fa0ff7e09f3c9e2e4d
SHA186c6ccdc0adc72a5a2b868eeef07eac20dd33e19
SHA25650e3a8ae98706d7a6dc0d0a4bcd24678e1cfa5b48ffec392a5b0bb01f6e8f480
SHA512f214a72e055e85b62ccc98d60329e1ac34ba2dead11fb54dc004e3886f3701d51cb9f91fe149cdf6fab7c734f41af99d8bd1ad62adf28d4983c12e50e49f44f3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\47f3e0be7720a1ee_0Filesize
9KB
MD5a4900d7159c697100e8f04f540401b46
SHA11602810c982ed7bde8da4adb5c2f7e094b264fb8
SHA2562bd059d4206a85ade90a21049f5e1ba2d8d6c8fc850ed1ee3ff85876d2c59723
SHA5120ddb425edd680d54744511eb56d0511906d8abc6da4ae24e2f8d1166eaa98dfe92dbc28294d094d0eecfe5332834d3c00bbc2db921d7d4056f24ac0a1f616252
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5a2fbab3ebdc368c_0Filesize
4KB
MD5e76f2ceec9a8f7e1f399dca24f6d9814
SHA16170d33bf3ff8991406605496c05ea8d177d6685
SHA2569485c9da73ec0ccdd38fbb8967fee35c8c179f82e651398373b21abe89b63fae
SHA512100012801f7166725db7556b8b5e4f575a5b2e09bc9360fbaae63fac2459aa89d356b3b3f24013ae8d22e80bdc72778629c5cf467f01ce91c6bcc53de100c22e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\642e92cf02934f40_0Filesize
3KB
MD58c81d7e196e03cfeaca66d675ed3a2ad
SHA1e74ea1b586f72598af8cb14eaacd68c08e5fb3b1
SHA2565417c8988e61d6133f21e3b5c71b465adab0c0e35651d34365b5b658411e8948
SHA512dfe810feadf405cc0844d4f88d0915cb755102ddb73fe11676578077f56dd0879214ff3b3e8a7002c2f3e9c1de42cd0439e22663b7bc76d400584663b97e5035
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\74f33820d1338b1a_0Filesize
3KB
MD5a66d5e58c4f5dd91bec5ae49b54fe6ac
SHA19dfc1fbb03b34d00810cadc09e0c036c8e12c318
SHA25614f6dcfa48c8a1aafcbce69de83d6a1dc38687931b13f9174b4c3501f70a6806
SHA512b6f17c8a4aaac0ad9734610d4a2b0fb9d71189a0d72e8afc016ee51e42b573a762fed9a68b2cd3f882418968f3dc72ad163be736510bb9cb838be1d64ff69928
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8d00ee6fdc5db6f6_0Filesize
13KB
MD512d17e88c3ce6bd691f6ee3e5aa7db74
SHA1a9bcad334a15d8c93519b9190a55a6d85dd5a6f3
SHA2565d753c8547f9ddff0cd0d7fbf7cb2af4984c36e15296013fce5fee081e906c2d
SHA512f81bc0b1de96932340bb585ef75773a2a3c243a567bd45add453b390904c70aa937cb99baa82400b51edf1332666929d572ae068ac2a182eeb2693d495a1b2a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\91e4ac03c4f64f79_0Filesize
2KB
MD5cb9d0af978125321efb08f255f620678
SHA16f093c205fecb0fe5833ccb252273528aa077b0d
SHA25696040b5771412cf424d797789bbcf85b79b34e471b0a3aad0bd8800f19ee5261
SHA512802f3018c9dacfe8aead40fcd46aa558fa034951041473a6db60edb8bd007e48b067b221041558c6273fb15ace8dd030b774670d3c7e630eedd81a006c53bd81
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9ffa675049b8ab13_0Filesize
8KB
MD568932f0ee22d539c9272c1293e426692
SHA158197f6f5250d49cd70b4fdb86ffd5c284738ffe
SHA256ede7f8e634ef87d79891697a943a45575fab55cbe0896671027065a54060a0dd
SHA512565b9774c1f0e23e9e792fbc772c5f5e8713fb02e76e41d2ebf265ea85de52be0db6ce20fc49f36916ebebeb07d15f4560b7ed788c971e5a46d64b53886e26c7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ce1059c478c2e6f2_0Filesize
2KB
MD56fc04b2f7b93f6d40981727a6dba223b
SHA112faef2fa208dd3d6c6fc9296d37776ac78b9fce
SHA256851860315f1b58142050057b912a645a231168eb20b85c67b049b3c950aef5fd
SHA5125f1b7b79b6edbb519e4afa69a49792829fa3d24002e937b004ba6aa42ff26d7746c743481cbeca026ab49aeefc6d6bbd7609ac00224f01144d57eb4daad88251
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d0bcc513e0682a40_0Filesize
1KB
MD5251f9851aa380705056491399cb402ff
SHA1578a20b309ba60d4b2213ae9c96c71690b37428c
SHA2560cde73327f1f6f64119ac0a6c80d6ef1a58e66a61174dba43c170a85b6d31faf
SHA512d0907deeaefb8ae0aab648b9eeaf95271fe09365a5a3d65ec30c7f5da96a8597b11ae8b0909f2518135ff03cc86857b8fc6cd00c3684c72d73a5e3ba76b289de
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ee884f0b913b6f04_0Filesize
11KB
MD5ad467e0c27e1b9ffe7391523692b0486
SHA1b9268ba0fa21d8a772ed3f918d7d59cac328e114
SHA256c14b5b2fd341517d513336448a161803bf390c1990e5f30dfa399dfb4ed0f41a
SHA512040575d7cc2a3269ced4eaba4dfa5dcc50b6e4cb8694c80db3c6ab3bf95e85f9e43047cf8919e8dee6a44e11ccc08c9299bdbb61419b59023358a3b5c8b6b0b6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD51d13f8629f8c6b91a727b7c318be25c2
SHA1658ce524e8c8732a81b1a2866bab9ca571feee82
SHA2563ea44e59713b3a03b7129b73442aa47f6587cd87e206af4bb52ad7cb633a2a8f
SHA5126af1e6eaf020932313f97fe523d68c79632fcb430857542bd248e05ae219e88ef597ecebc96d3bd0a20701d2e49592632292e8d984974c5de67ea10476eca4ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD541e16fd7d2d33334306deab60adf68e2
SHA18071661fc13e9124b0ae1c97e4fa4eed1c598387
SHA256671fd996e1222eebf840f585712f156b9b3273eda2b02ee98683e01ce12f4fcf
SHA512205f52d3fd640ec6ada3c79c856c681a98d92f7ac9aef10e8bebaab71284f3734c2ab3434d15a59d4066463aa586e986fd6883bfbca45a6b1b52d088566b4324
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD5667c42739c6d455bc19148a7d79d133e
SHA11549a58d6eabc9824b0ec2023d9d9b5c6744d986
SHA2567571f06cb4f68b316990429621615732c07398c02db14db6adf0cbbef028e678
SHA512102d796857f23dd26d936ee4af1a6470c5fe89397a58728b9f94a99ea7c8b44b8e70c76fd460823b4437e9b9e6bbda74f8ebde239ee7a536a8ab9f4fe8f03ac8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5c6ecf.TMPFilesize
4KB
MD5cb9912a4bf19eb74f50bd43799426e1c
SHA18447c24555051eb7b6a99f4857d2380395e93626
SHA256e3e2e80c7e610e0b32e3f2f69401d2ca97b297ba69dc1ceb91ac2547e13a798b
SHA512c18ff97c69a8e4e782900a98a4c71f6d3e724d08f2a7e501a04769a1f2b87f665e5642eaf6506875e3ba82a9302a6309318e56c687a916f724c2d11dc469d207
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD5f8cf81fde00c9e587d4d8c5d2959e3f6
SHA1f83f3ddcd4de59c3a40b250fd11076c1f0dab862
SHA2562467c96b82d2dc176d85dbb62d3513522613907532ca340481bcb74a7186668f
SHA512ac57dd5e45c63671eaf9bf034e9c4f2ab0b21f62f405c45d938f29b8d79f8d3c6f378bf1dcceae630a556672f0823d3ea2178643e23f42297240ece2b0510e8e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD5c2008cfa1dbd26f315672915ef806260
SHA14db2f0379902a2805bdda61712eb31db53f0e81a
SHA2563eceb91d5add2d5cd4d1701e32478a3aa774d4a280069a38bf4fd3feec44474c
SHA51265be541bbaaf76d00fe198f10ce8254b87ff39fc5988f93be59eb6a5f7b59d9cb50d1d43ac0a678aca5fb3feca79008b44084637787d4ef26f73b5f43f64d4a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD544cba3eb2d706f97f3396bcd6ee5cd6a
SHA13179178ffe64cee0f1d70ffb2fe9cfc558258a6e
SHA2561a457f3492d50f6f8a74cd28502652bb95170a65f936099ab274e5d549e31ece
SHA5121294f1e8f12c85788464a390da00a1457135f3520a4265ea9d75677624c34670c4ec193cb2cc14116abd97b30ec34dde2a47f525d975ba341bf7bb6ebf90bf2b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD54ed4ef982967bbaf83b7f633a2319077
SHA1aa375624d7b8164c80dde263c1670b901876a461
SHA256534bee6e33961c5cb2b8871304d01ab9b1a90027ae0c7ab644dc2ce30984a8ce
SHA512226d81f17a91ced0e50f03faace08ac1355d8d05bdb9b5410560641e6440c5ecac3342466da2e410e024e2b3f001cc02aaf5d54354edf6ad2c26da4ad8ed3238
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD50d61dbe4865a68d97ebb3373cbbbfc9c
SHA1d581cf573af2c30583c93d2014b84bf0e77f3644
SHA25631ae456aa1e0498f6df8fa7fac8e0b0488067e96eaa490a8fc407a8000899d6b
SHA51296c1a74a1571b044c04e130d44ef57d64d8a945617fb34c1adbd6022d3d51fe4faff3fc79df5d7ebc1cc32d0b127ea730c97ec6b81f700bedaa1ad5c6da6849c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5ff5c8bdc5fbc7f3c92aee028f97e08c4
SHA103e998c33f5a0dee540077084851dd35d0e8e6c0
SHA256fbbfebbe72534ad6eadac36d5e3dd43586e12209196dddae4e47a651425de252
SHA512da969bae6ec660d9fb9d1770133794b173a69d3f64ee91959f2bd9b248ba533175ffbf27ca86c3c2cbe2b4f70051259b35e798c47910e88920814cca7360011f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD543e1ba2234642a279a6c482c25b14d8f
SHA1ac800dc36a0a945054e75a5bdb84117b9bd8954b
SHA2564ff3824da4d11e9f772378ec9dc519c0d5d0371d237ad05e50650bb5035f202c
SHA51231077db565865b5bc106cc047fe7e53ff565f7e5d99272612cfbe6587a1709d42484d83b0fa5fe7500b51cfd406ad3a640477b8da39a3a99de3b81054f64fbd3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD58d7aa7376feaf9fe96d6f27fb7b17882
SHA19bed947cea28d4afe782ba40d5ba71da6a84a26a
SHA256cfb03da52f8232e3126eda287af0e2d2953612513cdbb58ac85031f736bdd76a
SHA5123373d3d6319d2c6959520dfbf98e9afbd89fe55999eeca2a022c2ff9bbbac1b8889c640c47804c383e8b4b0e28bde7aa0749776530140ddcc945ed48df1f037e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD54bf8e72f275d373300c1536d3b59f4ad
SHA167734a421737c788ac425ebae4affb7baac77621
SHA256107a917f997755772bcd469cef3022839dee5df8812cb9e570a5975e9ada12f5
SHA5126676f3e791b30d1042673611b7e947d30b0341b3b831df84a2cbcc452afc1452b044e59b887b98c3aa0e537850a098af65cbb42b01239d8c534bda83e132072c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD521b890ebbaa7dd34177dbc6e7690777f
SHA12014b732f6431eb33ee4929fe9d90afa29f703f9
SHA256ea7633dcef05c1e4ee9ba842b1ebe3b66118f438beb1f789538e846abf291923
SHA51207c46e61a9ebc692a16e94489a72d784c1e115d65e9842d8c47f83263aeb99a2680c7f2ef305c6a90bbaaa210c4101f85769851616daab52d2f4e2e076280eb6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5191f86f6fefdeb00dada53c11af8b97a
SHA1fd77643fab42b58a4cf43a83792001a841147943
SHA256f03466bf2b4e03a1c81dc73736280c91196ee46094422ebf0e127a70f874ef44
SHA512e3accdf18680f4044470e3f30eea35e00d29884fc5244a9251b13d8feb3a039466a4e5139e3c2eac0ec8bb3abfadfc11d63b834d7b3b2fb4e99e8994e9841396
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e2b9d16b4234452717d9b9b85cbf2c1a
SHA118d9b191eb7cf21d739b27ddb86f48a6d1f6a079
SHA256b0288ae349227cbe22919ab7e29d5529e41ac81552d5a163ea9ff69c24ef4adf
SHA5121d111df481ccc2efa6debe862b3ecce4d6c0a45efb40da3e3711fb4bda6ded451ac7416ea94de3fd5d23950a5515e7c181de1fba649543a40d0be4cd1fe51b1b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5c2a32f84784a11d72464b12ed42bff15
SHA1a5770cffda0c84c4249ba57a3fbce6994cab0df0
SHA2561960639acd74f15229e4abfdb941d5e448ee8694fbed849dd15f0b8bf37c58f1
SHA512d3d93dc82eeade06f7968b1bb3bb94dd26d53595159f4a571d3ed8dd45a9bb65ed0d2cd5b697869884b29e6f4718603a2ce94bec456b60efbf4871735e1f568d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD519dcf14cb6c3bb6c8c157edac3ef0212
SHA17ef9748efe92ed4c17c6b6e2df14cd3d08dd769c
SHA256f32cbaed941d5a99c5639747c532e73a07573dd26f08fda1d10e769b1a44e96e
SHA51268794fa323c84e9ee272e7901c9c19061eb8197db6010b56659a4ff191a65ec1f62b549989017bebfc0560bf284adc9ab76db29c671f7ae440b969e64023a18e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD527808547e04f0b7db7cd0846202efdad
SHA1ecd7ee2a0d1e56375b8ed5c9fbf94c90ee703a9b
SHA256417f6891a2b9f8d43de2e3e399a478dc6d77570a63e9cdef4cb21ddf9fc9a541
SHA51223ce3cb230313abb6216a3751e2b7465fa3a919928f4f53b7b5ec8f9e8ede16e34f71fb1435cfd5aaec22bd7539daa39218c01ff4d72a98d8e80f6bdd531ef97
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD54e73cf6d9986496ae9ef496ad4435d8d
SHA1fc40e8a2bf81bc496b112f8b37b86ed7079baac5
SHA25626c56d586dccc5f4733b82e0b280bf559208ce7415c08920409eaff8dfa446f0
SHA51228d9f041eabb253102b9756dc6a12eba1745979bc27324aa11591d347b4d7f0a6b034b5ecd969addd32cd4af4ba41bb279fdf2b1f10ff2ea5ae35f4391786a0a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5ad84eedeb296b87736e1e895e7aad071
SHA10f703f5c6e5d84b6003ccb73c4237324dbe22f3d
SHA256b61f2f52191f857cac47cd2cf370109e463cd04ff62b71f9355c3137e3ea15ae
SHA512cc9ab29557658d270a9a8f6fce12a5bd3dcc12255fa440cbc2ea8576367c8069d6e5979fc3c931c2218b6d55cf85648c72d01448d1cf1bb3403676a25ba8d053
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD55834942122271f2e0d3e957988625156
SHA11671b4907437d8e9829f5aec6e8228cdd0cb0aee
SHA256cd6575b9b2fb61ed22fd337e0152bebece29a7ece7aa815d33a5bd616fc4262a
SHA512f6044a7d91b23e42ff3b88d1fc567027737ba5ec8f6a723f6f0847d12f959299bd9629a1bc665050e0605f9753ce3bd796bffbae318b02eed6c09e0b822c1335
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5bd807339880b290579e1289dfbcc2f2d
SHA17bbafad19c1199b0267e9f96ac62994e71bf2d56
SHA256bceeaf89901d9c391f9d0395fe2ab19fa3d821be37285f2ce4a6b275f2f367f3
SHA51297d54ba019f438b5ba95c37e1f5bf56f20a1a0b1ea4f2489a1117a1fe82b6ddafced09a61f57d1f2cd4295997b7a2106b1bce84d0254bdc2f0d4a4647a218ad3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD50d64d30f067294a5b66e50e1ffa5bee1
SHA1cc710fe4a8e97d66a3cdb7e2f229fb2fb443e620
SHA25665b2915b812d05ae938d8701a3420f13546edab63423c7c18689bee3464f1fec
SHA512a8bbdd7c15b9af72dfd35ee74d1560d5465c381bae308d84aca7ea2c6719ce21f134ce6503136e8ab1214e377cd27b1993d5eb3de0aba2101a9f580643c52560
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
536B
MD57d8a274efa4923c18d5d2a305923b0de
SHA1f7fe00ada0d22e1455ba6507e9a3374508f10969
SHA25684e2541ed00305b2865453d2820acbf2b26de5d28febee31d6251919ada67e4c
SHA5124a807514d5564b4fd87ecaef2254819b64551895bc5a4d9769d63c85f137235577d93da6ca3b3de4864a5caca7c74ee313e6a3557148b24527f5298557ab9c78
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5d84c937493761b7f467f6bb1dce11b56
SHA1b209c617b9182556b900495c1fcb33c49d978ef6
SHA25684724d409975413f77f3c4f1816f74fb9ae067fd6b26a9620fe234b4306f4120
SHA51282080255e54a1b4471e6af021612937469fa566d544abb86d85f4f143706eb5dd3ee9a3fe7d8cab2233ec59be92ba5485fe281dd30cc4a45b46d510aa7cfd862
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5d1a414a4083d08fba302ba16d440446e
SHA14be15972c5e375349847df337a0dd79fd46e3191
SHA256bcea168b642b78ad1ea0df6704b73e11a9f0cdf5c51ec206fa45ac6b5503bcf6
SHA512ae90fbc16426644291810b61be6f305bfcb5c32a05acfa9d8032dc5111edde5bc743e4819822023a5872767c0f4e95af585a8d59ea948cecce40812c40adfa85
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580059.TMPFilesize
536B
MD5d5b0e6c82d120ae70d0d7d37b7c1d621
SHA1fb07c81f13acaac8f4a86c7e63d512a7dcada5dd
SHA25682c74feddafbaef2ecaa5a77058688a308701820eb930edfc25bd68c9add7ead
SHA5129abcb488371388678a4af855a3ea0ba6e6669be21adbb5b9b299c3ae636a4b447c33f949254c0ba1112ea252f85ba4c39bb210dd5cd29a1a3905fd73dc4ecc50
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b974b.TMPFilesize
1KB
MD59aa5309e9af8d6a8f600372580c50cf8
SHA14ba2f47ac79b9797b879eed6e89689b5db886d6f
SHA2568198266349e4aac414971f9030b5d561d9389f10495c8929b90cfa86a60d3942
SHA5124a985cd0cf90735193007a75bc57834864f284327c9fd26b137fd45e52a87f6ac74147067ea92bd6faccea6d41daa864e7ad83cb9d09376896e5dbde06b734ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD58eb8936c7958227a25bae5b4f68c773b
SHA1e1f375045ec97650693d68c1743807afddf0d95f
SHA2567bbd89e0b25d4d487ce4897df68b08d14b2cfd90e5fbcb68f8a473d813b80605
SHA5120f04a0e5c61f8bfdeb6c29b31dbb6627ce3609720bedf3f76bff65f7d2ba55e362b45704706eca3198ef34c5ab35b46bba8a4570b8793615c7022c1fcb8d4fea
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD524db01d9bea7ccb499131221cd0ca125
SHA1df3e7d9aaa36aed6714e3158249f9b7749d82318
SHA25676e06d43b0398d63ad03e4968281d5f1fd752bbdfb0063b4e973d0993796aa2c
SHA512c8ed5b58de1d3dc91b5cba389009f463ea1be9f898b6cc4960a5db5ce54acfbbec0a59c46cda06c8d3c5c1587223be2c750ff7be113242a337c933926260b004
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5258c28a68477fc6b4595e631517e3a1d
SHA1af8d7ea060c5e7bbc9f645c2e556dd9d23f2fd8b
SHA256f1560fcbe9ccc9443707ac471866f9282f5be7a587331856b7cb5c296945d66b
SHA512e05e2634256b23f24f0f5e61d764babcc62f3c72fcdec9d57ff118e5836ab1da41e1cdbdcbd4f705430c85356a74cd86e3b7c3580aed2f91e47593397e5a13b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD51ff5b2a2de6c80e4b45e493a68002416
SHA1a430875b41eb17ff628e62af13bc393e51d9913a
SHA2566edd26f269afb58aaa5c9714a924a02316eec95ce9afc2930e91187200740ff4
SHA5121fd4949ee267b9fd834a0c207a2b37e2e9babbea577ce7ccf3971a94072f31d83b55d2dc448584c8b5a887dda4fd1641f665b8364c93d73cc376f5434cc18645
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State~RFe5b89dd.TMPFilesize
12KB
MD5b3c0919715d1371c369ed9de6cc28d6c
SHA156925c91b5706b0ccf5fbe84b657be4185b9b86f
SHA256f8ac4fc2dcd5edc17fc39099c8a08f2b47d1021485e3108023ec6caa5b5d160d
SHA5129946dd572989b5d1cf90584e753642f1d81ab083c6f94afcb7311ceb945d0fc85e6ae8e7f635bc8e01e35bb8c158123bcd1315cb6a625bd412c591ad1e9d4e7c
-
C:\Users\Admin\Downloads\Unconfirmed 214978.crdownloadFilesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
C:\Users\Admin\Downloads\Unconfirmed 619988.crdownloadFilesize
50KB
MD547abd68080eee0ea1b95ae31968a3069
SHA1ffbdf4b2224b92bd78779a7c5ac366ccb007c14d
SHA256b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec
SHA512c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a
-
C:\Users\Admin\Downloads\Unconfirmed 983419.crdownloadFilesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
\??\pipe\LOCAL\crashpad_4168_FXNKEGSLTAWNHJFHMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/640-1214-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/640-26789-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2868-1268-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/2868-1269-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/5364-1411-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/5364-13696-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/5364-1401-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/5504-1251-0x00000144605F0000-0x00000144605F1000-memory.dmpFilesize
4KB
-
memory/5504-1250-0x00000144605F0000-0x00000144605F1000-memory.dmpFilesize
4KB
-
memory/5504-1248-0x00000144605F0000-0x00000144605F1000-memory.dmpFilesize
4KB
-
memory/5504-1252-0x00000144605F0000-0x00000144605F1000-memory.dmpFilesize
4KB
-
memory/5504-1253-0x00000144605F0000-0x00000144605F1000-memory.dmpFilesize
4KB
-
memory/5504-1254-0x00000144605F0000-0x00000144605F1000-memory.dmpFilesize
4KB
-
memory/5504-1249-0x00000144605F0000-0x00000144605F1000-memory.dmpFilesize
4KB
-
memory/5504-1243-0x00000144605F0000-0x00000144605F1000-memory.dmpFilesize
4KB
-
memory/5504-1244-0x00000144605F0000-0x00000144605F1000-memory.dmpFilesize
4KB
-
memory/5504-1242-0x00000144605F0000-0x00000144605F1000-memory.dmpFilesize
4KB