Analysis

max time kernel: 490s
max time network: 492s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-07-2024 05:13

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://google.com
Resource: win10v2004-20240611-en

General

Target: http://google.com
Read the signatures below against the process tree at the end of the report: the submitted URL only starts the Edge session. The Word document, the six browser downloads and the executables run from C:\Users\Admin\Downloads were obtained and launched during that session, and the report does not record from which site they came, so none of them should be attributed to google.com itself.
Malware Config
Signatures

Downloads MZ/PE file

Office macro that triggers on suspicious action | 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
Processes:
  resource | yara_rule
  C:\Users\Admin\Downloads\metrofax.doc | office_macro_on_action

(signature title missing from the export)
Processes:
  resource | yara_rule
  C:\Users\Admin\Downloads\Unconfirmed 857584.crdownload | aspack_v212_v242
Executes dropped EXE | 34 IoCs
Processes (pid, process):
  Avoid.exe (21 instances): 3512, 5844, 4968, 4740, 5536, 1956, 4528, 2752, 5232, 5284, 6096, 1420, 2696, 3172, 956, 5144, 4192, 4620, 2608, 5124, 1100
  ChilledWindows.exe: 2916, 5348
  CookieClickerHack.exe: 5212, 1644
  CrazyNCS.exe: 4540, 3836, 5060, 1012, 936
  Curfun.exe: 1076, 2440, 1836
  Melting.exe: 5928
PIDs were reused during the 490 s run: 2752 appears here as Avoid.exe and elsewhere in this report as WINWORD.EXE, and 5144 as Avoid.exe and as an msedge.exe renderer. Match the per-PID tables below on image name plus PID, never on PID alone.
Enumerates connected drives | 3 TTPs | 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ChilledWindows.exe, ChilledWindows.exe
  description | ioc | process
  File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: | ChilledWindows.exe
  Each of the 23 letters appears exactly twice in the export (46 opens), consistent with each of the two ChilledWindows.exe instances walking the alphabet once; C:, D: and F: are not probed.
Legitimate hosting services abused for malware hosting/C2 | 1 TTPs | 2 IoCs

Enumerates physical storage devices | 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry | 2 TTPs | 9 IoCs
Processor information is often read in order to detect sandboxing environments. In this run every hit comes from WINWORD.EXE, so on its own this signature is a weak indicator; weigh it together with the dropped executables rather than reading it as evasion by itself.
Processes: WINWORD.EXE, WINWORD.EXE, WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE (3 times)
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE (3 times)
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE (3 times)
Enumerates system info in registry | 2 TTPs | 12 IoCs
Processes: WINWORD.EXE, WINWORD.EXE, msedge.exe, WINWORD.EXE
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE (3 times)
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE (3 times)
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE (3 times)
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class | 4 IoCs
Processes: msedge.exe, msedge.exe, ChilledWindows.exe, ChilledWindows.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2447855248-390457009-3660902674-1000\{54F543D5-4392-4DD3-B49E-1A06D77DC6E4} | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | msedge.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2447855248-390457009-3660902674-1000\{A586F0ED-ED73-4FB5-972F-F424CF0917C9} | ChilledWindows.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2447855248-390457009-3660902674-1000\{9CA40665-6D1E-40E7-AC75-D519BCAE4689} | ChilledWindows.exe
NTFS ADS | 7 IoCs
Processes: msedge.exe, WINWORD.EXE
  description | ioc | process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 325940.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 960823.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\{3A352788-1168-4CC4-BC33-408F0C04B8CE}\8tr.exe:Zone.Identifier | WINWORD.EXE
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 857584.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 782560.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 121055.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 689111.crdownload:SmartScreen | msedge.exe
The six :SmartScreen streams are Edge tagging six separate in-progress downloads (857584 is the file matched by the aspack_v212_v242 rule above). The :Zone.Identifier stream on 8tr.exe is WINWORD.EXE propagating the Mark-of-the-Web to an executable it placed in its own temporary folder, the pattern left when an embedded object is extracted from a document; that path and stream are the artefact to pull from the disk image.
Suspicious behavior: AddClipboardFormatListener | 5 IoCs
Processes: WINWORD.EXE, WINWORD.EXE, WINWORD.EXE
  pid | process
  2752 | WINWORD.EXE (2 times)
  5188 | WINWORD.EXE (2 times)
  2880 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses | 26 IoCs
Processes: msedge.exe (11 instances), identity_helper.exe
  pid | process
  2164 | msedge.exe (2 times)
  2908 | msedge.exe (2 times)
  2180 | identity_helper.exe (2 times)
  1652 | msedge.exe (2 times)
  3400 | msedge.exe (2 times)
  6084 | msedge.exe (2 times)
  4544 | msedge.exe (2 times)
  716 | msedge.exe (4 times)
  728 | msedge.exe (2 times)
  2404 | msedge.exe (2 times)
  1352 | msedge.exe (2 times)
  4696 | msedge.exe (2 times)
Suspicious behavior: GetForegroundWindowSpam | 1 IoCs
Processes: msedge.exe
  pid | process
  2908 | msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary | 19 IoCs
Processes: msedge.exe
  pid | process
  2908 | msedge.exe (19 times)
Suspicious use of AdjustPrivilegeToken | 12 IoCs
Processes: ChilledWindows.exe, ChilledWindows.exe, AUDIODG.EXE
  description | pid | process
  Token: SeShutdownPrivilege | 5348 | ChilledWindows.exe (3 times)
  Token: SeCreatePagefilePrivilege | 5348 | ChilledWindows.exe (3 times)
  Token: SeShutdownPrivilege | 2916 | ChilledWindows.exe (2 times)
  Token: SeCreatePagefilePrivilege | 2916 | ChilledWindows.exe (2 times)
  Token: 33 | 2872 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 2872 | AUDIODG.EXE
AUDIODG.EXE is the Windows audio device graph isolation process and its two entries are routine system activity ("Token: 33" reports the privilege by LUID rather than by name). The entries of interest are the two ChilledWindows.exe instances enabling SeShutdownPrivilege, which a program needs before it can shut down or reboot the machine.
Suspicious use of FindShellTrayWindow | 64 IoCs
Processes: msedge.exe, Avoid.exe (21 instances)
  pid | process
  2908 | msedge.exe (43 times)
  3512, 5844, 4968, 4740, 5536, 1956, 4528, 2752, 5232, 5284, 6096, 1420, 2696, 3172, 956, 5144, 4192, 4620, 2608, 5124, 1100 | Avoid.exe (once each)

Suspicious use of SendNotifyMessage | 32 IoCs
Processes: msedge.exe
  pid | process
  2908 | msedge.exe (32 times)
Suspicious use of SetWindowsHookEx | 36 IoCs
Processes: WINWORD.EXE, WINWORD.EXE, WINWORD.EXE
  pid | process
  2752 | WINWORD.EXE (15 times)
  5188 | WINWORD.EXE (11 times)
  2880 | WINWORD.EXE (10 times)
Suspicious use of WriteProcessMemory | 64 IoCs
Processes: msedge.exe
  description | pid | process | target process
  PID 2908 wrote to memory of 4824 | 2908 | msedge.exe | msedge.exe (repeated)
  PID 2908 wrote to memory of 2156 | 2908 | msedge.exe | msedge.exe (repeated)
  PID 2908 wrote to memory of 2164 | 2908 | msedge.exe | msedge.exe (repeated)
  PID 2908 wrote to memory of 1004 | 2908 | msedge.exe | msedge.exe (repeated)
All 64 listed writes come from the Edge browser process (2908) into four of its own children, which the process tree identifies as the crashpad handler (4824), the GPU process (2156), the network service (2164) and the storage service (1004). This is how Chromium launches and configures child processes, not injection into a foreign process. The listing is capped at 64 entries, so writes into later children are not shown.
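The drive, registry, ADS and WriteProcessMemory runs above each arrive as one flattened line, which makes their counts hard to verify by eye. The Python below is an added example, not part of the report or of the sandbox vendor's tooling, that splits such a run back into records and produces the summaries used in this section: drive letters per process, case-folded distinct registry paths per process, (path, stream, process) triples for ADS writes, and de-duplicated WriteProcessMemory edges. Its sample input is constructed from a few entries copied from this page; it understands only the record shapes visible here and returns anything else as unparsed instead of guessing.

```python
"""Split the flattened IoC runs of a sandbox report back into records.

Added example: not part of the report or of any sandbox vendor's tooling.
It understands only the record shapes visible on this page; anything else
comes back as an "unparsed" record instead of being guessed at.
"""
import re
from collections import defaultdict

# Constructed sample: entries copied from the "Enumerates connected drives",
# "Checks processor information in registry", "NTFS ADS" and "Suspicious use
# of WriteProcessMemory" runs, joined with single spaces and ending in the
# export's trailing " -" separator, exactly as the page presents them.
SAMPLE = (
    "File opened (read-only) \\??\\I: ChilledWindows.exe "
    "File opened (read-only) \\??\\R: ChilledWindows.exe "
    "File opened (read-only) \\??\\I: ChilledWindows.exe "
    "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System"
    "\\CentralProcessor\\0\\~MHz WINWORD.EXE "
    "Key opened \\REGISTRY\\MACHINE\\Hardware\\Description\\System"
    "\\CentralProcessor\\0 WINWORD.EXE "
    "File opened for modification C:\\Users\\Admin\\Downloads\\Unconfirmed "
    "857584.crdownload:SmartScreen msedge.exe "
    "File opened for modification C:\\Users\\Admin\\AppData\\Local\\Temp"
    "\\{3A352788-1168-4CC4-BC33-408F0C04B8CE}\\8tr.exe:Zone.Identifier WINWORD.EXE "
    "PID 2908 wrote to memory of 4824 2908 msedge.exe msedge.exe "
    "PID 2908 wrote to memory of 2156 2908 msedge.exe msedge.exe "
    "PID 2908 wrote to memory of 2156 2908 msedge.exe msedge.exe -"
)

# The export drops every table separator, so the operation phrases are the
# only reliable record boundaries. Paths may contain spaces, so a plain
# whitespace split would break records like "Unconfirmed 857584.crdownload".
_OPS = (r"File opened \(read-only\)", r"File opened for modification",
        r"Key value queried", r"Key opened", r"Key created")
_SPLIT = re.compile(r"\s+(?=(?:%s|PID \d+ wrote to memory of))" % "|".join(_OPS))
_FILEKEY = re.compile(r"^(%s)\s+(.+?)\s+(\S+)$" % "|".join(_OPS))
_WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")
_DRIVE = re.compile(r"\\\?\?\\([A-Z]):")


def split_records(blob):
    """One flattened run -> list of record strings (trailing ' -' dropped)."""
    blob = re.sub(r"\s*-\s*$", "", blob.strip())
    return _SPLIT.split(blob) if blob else []


def parse_record(rec):
    m = _WPM.match(rec)
    if m:
        src, dst, src_again, src_img, dst_img = m.groups()
        return {"op": "WriteProcessMemory", "src_pid": int(src), "dst_pid": int(dst),
                "src_image": src_img, "dst_image": dst_img,
                "consistent": src == src_again}  # the export repeats the source PID
    m = _FILEKEY.match(rec)
    if not m:
        return {"op": "unparsed", "raw": rec}
    op, target, process = m.groups()
    out = {"op": op, "target": target, "process": process}
    if op.startswith("File"):
        # A stream name follows the last ':' and never contains a backslash.
        # A drive-letter colon ("C:\..." or "\??\I:") is followed by a
        # backslash or by nothing, so it is never mistaken for a stream.
        head, sep, stream = target.rpartition(":")
        if sep and stream and "\\" not in stream:
            out["path"], out["stream"] = head, stream
    return out


def parse_run(blob):
    return [parse_record(r) for r in split_records(blob)]


def drives_by_process(records):
    """{process: {drive letter: number of opens}} for \\??\\X: root opens."""
    out = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["op"] == "File opened (read-only)":
            m = _DRIVE.fullmatch(r["target"])
            if m:
                out[r["process"]][m.group(1)] += 1
    return {p: dict(d) for p, d in out.items()}


def registry_keys_by_process(records):
    """Distinct registry paths per process. Registry paths are case-insensitive
    and the export mixes HARDWARE\\DESCRIPTION with Hardware\\Description, so
    case is folded before de-duplicating."""
    out = defaultdict(set)
    for r in records:
        if r["op"].startswith("Key"):
            out[r["process"]].add(r["target"].lower())
    return {p: sorted(s) for p, s in out.items()}


def ads_writes(records):
    """(path, stream, process) for every alternate-data-stream write."""
    return [(r["path"], r["stream"], r["process"]) for r in records if "stream" in r]


def wpm_edges(records):
    """De-duplicated (src_pid, dst_pid, src_image, dst_image) edges. A Chromium
    child launch produces dozens of WriteProcessMemory calls, so the raw IoC
    count says nothing about how many processes were written to."""
    return sorted({(r["src_pid"], r["dst_pid"], r["src_image"], r["dst_image"])
                   for r in records if r["op"] == "WriteProcessMemory"})


if __name__ == "__main__":
    recs = parse_run(SAMPLE)
    print(drives_by_process(recs))
    print(registry_keys_by_process(recs))
    print(ads_writes(recs))
    print(wpm_edges(recs))
```

Feed `parse_run` the text that follows the column-header residue ("description ioc process", "pid process") of any of the runs above. The drive-letter rule in `parse_record` is the part worth keeping: a naive split on ":" would turn every `C:\...` path and every `\??\I:` root into a bogus stream name.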
Processes

The top-level entry is the process started for the submitted URL. Entries indented by four spaces are its direct children (so the Word instances and the Avoid.exe instances were launched from the Edge browser process 2908); an entry indented by eight spaces is a grandchild. Signatures that fired on a process are listed under it.

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
PID: 2908
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe35a746f8,0x7ffe35a74708,0x7ffe35a74718
    PID: 4824

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
    PID: 2156

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    PID: 2164
    - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
    PID: 1004

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    PID: 4204

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    PID: 5228

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
    PID: 5568

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
    PID: 4316

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
    PID: 2180
    - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
    PID: 4696

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
    PID: 5588

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
    PID: 4080

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
    PID: 5004

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
    PID: 6068

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    PID: 4988

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3464 /prefetch:8
    PID: 1664

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5340 /prefetch:8
    PID: 1652
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
    PID: 2268

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
    PID: 5144

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    PID: 5000

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2648 /prefetch:8
    PID: 1424

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
    PID: 3644

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1700 /prefetch:8
    PID: 3400
    - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
    PID: 5188
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
    PID: 2752
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

        C:\Windows\splwow64.exe 12288
        PID: 1668

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
    PID: 2920

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6852 /prefetch:8
    PID: 2296

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 /prefetch:8
    PID: 6084
    - Suspicious behavior: EnumeratesProcesses

    "C:\Users\Admin\Downloads\Avoid.exe"
    21 instances, PIDs (in tree order): 3512, 5844, 4968, 4740, 5536, 1956, 4528, 2752, 5232, 5284, 6096, 1420, 2696, 3172, 956, 5144, 4192, 4620, 2608, 5124, 1100
    Each instance carries the same two signatures:
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
    PID: 4272

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5408 /prefetch:8
    PID: 1276
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4544 -
C:\Users\Admin\Downloads\ChilledWindows.exe"C:\Users\Admin\Downloads\ChilledWindows.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2916 -
C:\Users\Admin\Downloads\ChilledWindows.exe"C:\Users\Admin\Downloads\ChilledWindows.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5348 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5972 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:716 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:12⤵PID:2460
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6836 /prefetch:82⤵PID:2492
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:728 -
C:\Users\Admin\Downloads\CookieClickerHack.exe"C:\Users\Admin\Downloads\CookieClickerHack.exe"2⤵
- Executes dropped EXE
PID:5212 -
C:\Users\Admin\Downloads\CookieClickerHack.exe"C:\Users\Admin\Downloads\CookieClickerHack.exe"2⤵
- Executes dropped EXE
PID:1644 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:12⤵PID:3504
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5068 /prefetch:82⤵PID:1500
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2404 -
C:\Users\Admin\Downloads\CrazyNCS.exe"C:\Users\Admin\Downloads\CrazyNCS.exe"2⤵
- Executes dropped EXE
PID:4540 -
C:\Users\Admin\Downloads\CrazyNCS.exe"C:\Users\Admin\Downloads\CrazyNCS.exe"2⤵
- Executes dropped EXE
PID:3836 -
C:\Users\Admin\Downloads\CrazyNCS.exe"C:\Users\Admin\Downloads\CrazyNCS.exe"2⤵
- Executes dropped EXE
PID:5060 -
C:\Users\Admin\Downloads\CrazyNCS.exe"C:\Users\Admin\Downloads\CrazyNCS.exe"2⤵
- Executes dropped EXE
PID:1012 -
C:\Users\Admin\Downloads\CrazyNCS.exe"C:\Users\Admin\Downloads\CrazyNCS.exe"2⤵
- Executes dropped EXE
PID:936 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:12⤵PID:208
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4680 /prefetch:82⤵PID:6036
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1352 -
C:\Users\Admin\Downloads\Curfun.exe"C:\Users\Admin\Downloads\Curfun.exe"2⤵
- Executes dropped EXE
PID:1076 -
C:\Users\Admin\Downloads\Curfun.exe"C:\Users\Admin\Downloads\Curfun.exe"2⤵
- Executes dropped EXE
PID:2440 -
C:\Users\Admin\Downloads\Curfun.exe"C:\Users\Admin\Downloads\Curfun.exe"2⤵
- Executes dropped EXE
PID:1836 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:12⤵PID:888
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2784 /prefetch:82⤵PID:4408
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,8429111046446795185,16999573201162431576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4696 -
C:\Users\Admin\Downloads\Melting.exe"C:\Users\Admin\Downloads\Melting.exe"2⤵
- Executes dropped EXE
PID:5928
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5112
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3624
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2880
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3c8 0x3381⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872
Network
MITRE ATT&CK Enterprise v15
Downloads