Resubmissions
submitted          analysis id         score
07-07-2024 17:45   240707-wb1phsyblg   1
04-07-2024 17:45   240704-wbwessshle   10
04-07-2024 17:44   240704-wbhtpsshjh   1
04-07-2024 17:43   240704-wavf4ssgra   1
04-07-2024 17:40   240704-v85jas1akr   1
04-07-2024 17:39   240704-v7854asfre   1
Analysis
max time kernel: 510s
max time network: 511s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-07-2024 17:45
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
family: lumma (Lumma Stealer)
C2 URL: https://bitchsafettyudjwu.shop/api
Signatures
XMRig Miner payload 13 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2040-{1511,1512,1515,1516,1517,1518,1519,1520,1521,1774,1775,1778,1779}-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
All 13 hits are dumps of one 0x848000-byte (about 8.3 MB) region of PID 2040. That PID is dwm.exe, the process into which update.exe (PID 4024) set a thread context (see Suspicious use of SetThreadContext below), and 0x140000000 is the linker's default ImageBase for 64-bit executables. A full-size image sitting at its preferred base inside a Desktop Window Manager process is the miner mapped into a system-named host, not dwm.exe's own code.
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
Processes:
pid  process
2160 powershell.exe
3900 powershell.exe
1384 powershell.exe
2384 powershell.exe
3976 powershell.exe
2128 powershell.exe
The command lines are not reproduced in this report. All six instances take SeDebugPrivilege (Suspicious use of AdjustPrivilegeToken below), and the PowerShell writes under the .DEFAULT hive and the systemprofile directory (Modifies data under HKEY_USERS, Drops file in System32 directory) show that at least some of them run as LocalSystem rather than as the Admin user.
Creates new service(s) 2 TTPs
-
Executes dropped EXE 18 IoCs
Processes:
pid  process
2436 Loadkeqwkedkqwekqwek.exe
4080 Loadkeqwkedkqwekqwek.exe
3368 1.exe
4068 1.exe
4756 2.exe
2636 2.exe
2292 3.exe
3520 Loadkeqwkedkqwekqwek.exe
4320 1.exe
4024 update.exe
1428 2.exe
436  3.exe
1164 update.exe
3772 Loadkeqwkedkqwekqwek.exe
2972 1.exe
1864 2.exe
3068 3.exe
3036 update.exe
PIDs are reused over the 510 s run: 3520 appears here as Loadkeqwkedkqwekqwek.exe and elsewhere as powercfg.exe and AUDIODG.EXE, 1428 as 2.exe and 7zG.exe, 1164 as update.exe and powercfg.exe. Correlate on PID only together with the image name and the signature's own ordering.
Loads dropped DLL 4 IoCs
Processes:
pid  process
4756 2.exe
2636 2.exe
1428 2.exe
1864 2.exe
UPX packed file (yara rule upx) 18 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2040-{1506,1507,1508,1509,1510,1511,1512,1515,1516,1517,1518,1519,1520,1521,1774,1775,1778,1779}-0x0000000140000000-0x0000000140848000-memory.dmp | upx
The same region of PID 2040 that matches xmrig above also matches upx, consistent with a UPX-packed XMRig build that has unpacked in place: the UPX markers in the mapped headers and the miner's own strings are both visible in the same dumps.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WmiPrvSE.exe\" " | 1.exe
Both the value name "Microsoft" and the file name WmiPrvSE.exe imitate Windows components. The genuine WMI provider host ships in C:\Windows\System32\wbem (and SysWOW64\wbem), not under a user's Roaming profile, so a Run value pointing a system binary name at a user-writable path is the signal to alert on.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Power Settings 1 TTPs 24 IoCs
powercfg controls all configurable power settings on a Windows system and can be abused to stop an infected host from sleeping, hibernating, locking or shutting down; for a miner this keeps the CPU available around the clock.
Processes:
pid  process
1164 powercfg.exe
1652 powercfg.exe
4000 powercfg.exe
5088 powercfg.exe
1356 powercfg.exe
2576 powercfg.exe
4704 powercfg.exe
1324 powercfg.exe
972  powercfg.exe
572  powercfg.exe
2628 powercfg.exe
1624 powercfg.exe
384  powercfg.exe
4112 powercfg.exe
1924 powercfg.exe
324  powercfg.exe
2068 powercfg.exe
2228 powercfg.exe
2368 powercfg.exe
5012 powercfg.exe
4836 powercfg.exe
3520 powercfg.exe
4456 powercfg.exe
2632 powercfg.exe
The powercfg arguments are not reproduced here. In the AdjustPrivilegeToken list below each PowerShell instance is followed by four powercfg invocations taking SeShutdownPrivilege and SeCreatePagefilePrivilege, which matches six PowerShell runs each launching four powercfg calls.
Drops file in System32 directory 10 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | update.exe
File opened for modification | C:\Windows\system32\MRT.exe | 3.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | update.exe
File opened for modification | C:\Windows\system32\MRT.exe | 3.exe
File opened for modification | C:\Windows\system32\MRT.exe | update.exe
File opened for modification | C:\Windows\system32\MRT.exe | 3.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
Two distinct things are recorded here. The systemprofile paths are the LocalSystem account's profile, so PowerShell writing its startup-profile cache and CLR usage log there means it ran as SYSTEM. MRT.exe is the Malicious Software Removal Tool; update.exe and 3.exe opening it for modification (three times each) is tampering with a Microsoft removal tool, although this report records only the open, not what was written.
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target pid | target process
set thread context | 4756 | 2.exe | 1448 | aspnet_regiis.exe
set thread context | 2636 | 2.exe | 2264 | aspnet_regiis.exe
set thread context | 4024 | update.exe | 4292 | conhost.exe
set thread context | 4024 | update.exe | 2040 | dwm.exe
A dropped executable setting the thread context of a Windows-shipped process it has just spawned is the hallmark of process hollowing. The dwm.exe target (2040) is the process whose memory matches the xmrig and upx rules above, and it is also the process that later takes SeLockMemoryPrivilege; the aspnet_regiis.exe targets (1448, 2264) are the ones that show up under EnumeratesProcesses and SetWindowsHookEx. The two 2.exe instances that did not inject (1428, 1864) are the ones that crashed under WerFault.
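The four rows above and the memory-dump hits under XMRig Miner payload and the upx rule describe one event from two sides: a dropped executable sets the thread context of a Windows-named process, and that process's memory then matches miner signatures. The Python below is an added example (not Tria.ge code) that parses both flattened tables exactly as they appear in this report and joins them by target PID. The WINDOWS_IMAGES set and the large-region threshold are assumptions; the row text is copied from the report.

```python
"""Join Tria.ge 'SetThreadContext' rows with memory-dump YARA hits by target PID.

Added example for this report, not Tria.ge code. The two input strings are
the flattened table text as printed in the report.
"""
import re
from dataclasses import dataclass

# Flattened row text from the 'Suspicious use of SetThreadContext' signature.
SET_THREAD_CONTEXT_ROWS = (
    "PID 4756 set thread context of 1448 4756 2.exe aspnet_regiis.exe "
    "PID 2636 set thread context of 2264 2636 2.exe aspnet_regiis.exe "
    "PID 4024 set thread context of 4292 4024 update.exe conhost.exe "
    "PID 4024 set thread context of 2040 4024 update.exe dwm.exe"
)

# Memory-dump resources tagged by YARA (subset of the xmrig / upx rows in the report).
YARA_ROWS = (
    "behavioral1/memory/2040-1516-0x0000000140000000-0x0000000140848000-memory.dmp xmrig "
    "behavioral1/memory/2040-1516-0x0000000140000000-0x0000000140848000-memory.dmp upx "
    "behavioral1/memory/2040-1779-0x0000000140000000-0x0000000140848000-memory.dmp xmrig"
)

# Windows-shipped images commonly used as hollowing hosts (assumed list).
WINDOWS_IMAGES = {"dwm.exe", "conhost.exe", "aspnet_regiis.exe", "svchost.exe", "explorer.exe"}
DEFAULT_X64_EXE_BASE = 0x140000000  # linker default ImageBase for 64-bit EXEs


@dataclass(frozen=True)
class Injection:
    src_pid: int
    src_image: str
    target_pid: int
    target_image: str


@dataclass(frozen=True)
class DumpHit:
    pid: int
    dump_id: int
    start: int
    end: int
    rule: str

    @property
    def size(self) -> int:
        return self.end - self.start


# "PID <src> set thread context of <target> <src> <src image> <target image>"
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)")
# "behavioral1/memory/<pid>-<dump id>-0x<start>-0x<end>-memory.dmp <rule>"
DUMP_RE = re.compile(r"behavioral1/memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp (\w+)")


def parse_injections(text: str) -> list:
    return [Injection(int(s), si, int(t), ti) for s, t, si, ti in STC_RE.findall(text)]


def parse_dump_hits(text: str) -> list:
    return [DumpHit(int(p), int(i), int(a, 16), int(b, 16), r)
            for p, i, a, b, r in DUMP_RE.findall(text)]


def looks_like_mapped_exe(hit: DumpHit) -> bool:
    """A region of at least 1 MiB sitting exactly at the default x64 EXE base."""
    return hit.start == DEFAULT_X64_EXE_BASE and hit.size >= (1 << 20)


def hollowing_candidates(injections, hits):
    """(injection, sorted YARA rules seen in the target PID) for non-Windows -> Windows image pairs."""
    rules_by_pid = {}
    for h in hits:
        rules_by_pid.setdefault(h.pid, set()).add(h.rule)
    out = []
    for inj in injections:
        if inj.target_image.lower() in WINDOWS_IMAGES and inj.src_image.lower() not in WINDOWS_IMAGES:
            out.append((inj, sorted(rules_by_pid.get(inj.target_pid, ()))))
    return out


if __name__ == "__main__":
    for inj, rules in hollowing_candidates(parse_injections(SET_THREAD_CONTEXT_ROWS),
                                           parse_dump_hits(YARA_ROWS)):
        print(f"{inj.src_image}({inj.src_pid}) -> {inj.target_image}({inj.target_pid}) yara={rules or '-'}")
```

Only the dwm.exe target carries YARA hits in this report; the conhost.exe and aspnet_regiis.exe targets come back with an empty rule list, which is the cue to pull those dumps manually rather than to clear them.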
Launches sc.exe 8 IoCs
sc.exe is the Windows utility that controls services on the system.
Processes:
pid  process
1696 sc.exe
4976 sc.exe
2308 sc.exe
3112 sc.exe
2440 sc.exe
4948 sc.exe
2372 sc.exe
2760 sc.exe
The sc.exe arguments are not reproduced here; read these eight runs together with the Creates new service(s) signature above.
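The PowerShell exclusion, Power Settings and Launches sc.exe signatures above record that these tools ran but not their arguments. The Python below is an added example written for this page (not Tria.ge or Sigma code) showing the command-line shapes a detection for each of those three behaviours would look for, run over constructed process-creation events. The command lines, the control events and the PIDs 9001 to 9003 are assumptions; the other PIDs are borrowed from the report only so the output reads against it. It also covers a Set-MpPreference -Disable* case that this report does not show.

```python
"""Command-line detections for the PowerShell / powercfg / sc.exe behaviour in this report.

Added example, not Tria.ge or Sigma code. The report lists only PIDs, so the
process-creation events below are constructed; treat every command line as
illustrative rather than as what this sample ran.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    rule: str
    technique: str  # MITRE ATT&CK technique id


# (rule name, ATT&CK technique, image names it applies to, command-line pattern)
RULES = [
    ("defender_exclusion_added", "T1562.001", {"powershell.exe", "pwsh.exe"},
     re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)),
    ("defender_feature_disabled", "T1562.001", {"powershell.exe", "pwsh.exe"},
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+(\$true|1)\b", re.I)),
    ("powercfg_sleep_disabled", "T1653", {"powercfg.exe"},
     re.compile(r"-(standby|hibernate|monitor)-timeout-(ac|dc)\s+0\b|/h(ibernate)?\s+off", re.I)),
    ("sc_service_created", "T1543.003", {"sc.exe"},
     re.compile(r"\bcreate\b.*\bbinPath=", re.I)),
    ("sc_service_stopped_or_disabled", "T1562.001", {"sc.exe"},
     re.compile(r"\b(stop|delete)\s+\S+|\bconfig\b.*\bstart=\s*disabled", re.I)),
]


def detect(events) -> list:
    """Apply every rule whose image set contains the event's image; return all matches."""
    findings = []
    for ev in events:
        for name, technique, images, pattern in RULES:
            if ev.image.lower() in images and pattern.search(ev.cmdline):
                findings.append(Finding(ev.pid, ev.image, name, technique))
    return findings


def by_technique(findings) -> dict:
    """Count findings per ATT&CK technique, the shape an analyst reports."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


# Constructed events. PIDs 2160/3900 (powershell), 2576/1164/2632 (powercfg) and
# 1696/4976 (sc) are taken from the report; the command lines are not.
EVENTS = [
    ProcEvent(2160, "powershell.exe", r"powershell -NoProfile -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft"),
    ProcEvent(3900, "powershell.exe", r"powershell -Command Add-MpPreference -ExclusionProcess WmiPrvSE.exe; Add-MpPreference -ExclusionExtension .exe"),
    ProcEvent(9003, "powershell.exe", r"powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(2576, "powercfg.exe", "powercfg /x -hibernate-timeout-ac 0"),
    ProcEvent(1164, "powercfg.exe", "powercfg /x -standby-timeout-ac 0"),
    ProcEvent(2632, "powercfg.exe", "powercfg /hibernate off"),
    ProcEvent(1696, "sc.exe", r"sc create ExampleSvc binPath= C:\ProgramData\Example\update.exe start= auto"),
    ProcEvent(4976, "sc.exe", "sc stop UsoSvc"),
    ProcEvent(9001, "powershell.exe", "powershell -Command Get-MpPreference"),  # benign control
    ProcEvent(9002, "powercfg.exe", "powercfg /list"),                          # benign control
]


if __name__ == "__main__":
    findings = detect(EVENTS)
    for f in findings:
        print(f"{f.pid:>5} {f.image:<16} {f.rule:<32} {f.technique}")
    print(by_technique(findings))
```

The rules gate on the image name of the event itself, so a wrapper such as cmd /c powercfg ... is caught on the child powercfg.exe event, not on cmd.exe; feed the full process-creation stream, not just the first process of a chain.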
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
4904 | 1428 | WerFault.exe | 2.exe
4348 | 1864 | WerFault.exe | 2.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
All three registry reads are by msedge.exe, the browser session that fetched the sample, not by the dropped binaries; do not read them as sandbox-detection by the malware.
Modifies data under HKEY_USERS 64 IoCs
Processes: powershell.exe (three instances), dwm.exe
Every entry is under \REGISTRY\USER\.DEFAULT, the hive used by the LocalSystem account, so the PowerShell instances listed here and the dwm.exe that hosts the miner are running as SYSTEM rather than as the Admin user.
Key created (powershell.exe; the single ...\SystemCertificates\Root\CTLs entry is by dwm.exe):
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\<store> and <store>\{Certificates,CRLs,CTLs} for the stores Root, CA, trust, Disallowed, TrustedPeople and SmartCardRoot
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\<store> and <store>\{Certificates,CRLs,CTLs} for the stores CA, trust, Disallowed and TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Set value (int) (powershell.exe):
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (twice)
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
The certificate-store keys are what CryptoAPI creates the first time a profile that has never used them opens the system stores, and the ZoneMap values are the WinINet zone defaults typically written on first network use under that profile. None of this configures trust or certificates; its value is as evidence of SYSTEM-context execution and network activity, not as tampering.
Modifies registry class 8 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | msedge.exe (1), OpenWith.exe (6), 7zFM.exe (1)
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid  process
1100 NOTEPAD.EXE
This is a heuristic tag. Nothing else in this report points to ransomware: the extracted configuration is Lumma Stealer and the payload found in memory is XMRig, with no file-encryption or note-drop signature.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process, hit count):
5104 msedge.exe ×2; 2388 msedge.exe ×2; 3032 msedge.exe ×4; 2700 msedge.exe ×2; 2140 identity_helper.exe ×2; 5072 7zFM.exe ×2; 3368 1.exe ×2; 4068 1.exe ×2; 4320 1.exe ×2; 2292 3.exe ×13; 436 3.exe ×1; 2160 powershell.exe ×3; 3900 powershell.exe ×3; 1448 aspnet_regiis.exe ×4; 4024 update.exe ×10; 2040 dwm.exe ×10
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
Processes:
pid  process
1976 OpenWith.exe
1428 7zG.exe
3460 OpenWith.exe
5072 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Processes:
2388 msedge.exe ×11
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (in the order recorded; Token: privilege):
3520 AUDIODG.EXE: 33, SeIncBasePriorityPrivilege
1428 7zG.exe: SeRestorePrivilege, 35, SeSecurityPrivilege ×2
5072 7zFM.exe: SeRestorePrivilege, 35, SeSecurityPrivilege ×3
1092 7zG.exe: SeRestorePrivilege, 35, SeSecurityPrivilege ×2
2160 powershell.exe: SeDebugPrivilege
2576, 1164, 2632, 2368 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege (each)
3900 powershell.exe: SeDebugPrivilege
2040 dwm.exe: SeLockMemoryPrivilege
1624, 1324, 4704, 384 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege (each)
1384 powershell.exe: SeDebugPrivilege
972, 1652, 4000, 5012 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege (each)
2384 powershell.exe: SeDebugPrivilege
1924, 324, 4112, 4836 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege (each)
3976 powershell.exe: SeDebugPrivilege
3520, 1356, 5088, 2068 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege (each)
2128 powershell.exe: SeDebugPrivilege
2628 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
Two points from this list. First, SeLockMemoryPrivilege in dwm.exe (2040) is the privilege needed for large-page allocations, which XMRig requests for its RandomX dataset; the Desktop Window Manager has no reason to ask for it, so this single line corroborates the memory-dump hits. Second, these per-signature lists stop at 64 entries, which is why only 21 of the 24 powercfg PIDs appear here (572, 2228 and 4456 fall past the cut); "64 IoCs" means at least 64.
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
2388 msedge.exe ×64
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
2388 msedge.exe ×24
Suspicious use of SetWindowsHookEx 26 IoCs
Processes (pid process, hit count):
4624 OpenWith.exe ×1; 1976 OpenWith.exe ×5; 2040 OpenWith.exe ×1; 3460 OpenWith.exe ×7; 4968 OpenWith.exe ×1; 2436 Loadkeqwkedkqwekqwek.exe; 4080 Loadkeqwkedkqwekqwek.exe; 3368 1.exe; 4068 1.exe; 1448 aspnet_regiis.exe; 2264 aspnet_regiis.exe; 3520 Loadkeqwkedkqwekqwek.exe; 4320 1.exe; 3772 Loadkeqwkedkqwekqwek.exe; 2972 1.exe; 4504 OpenWith.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2388 msedge.exe wrote to the memory of its own child processes: 1088 (×2), 3488 (about 40), 5104 (×2), 1596 (about 20)
These WriteProcessMemory hits are the browser's normal child-process setup (the list is again capped at 64); the malware's cross-process writes are the SetThreadContext rows above.
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 2388 (depth 1)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCCmzcphyrH6Br5eNUnQR2mw/about/about
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children of PID 2388 (depth 2):
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1088
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0x108,0xd8,0x7fffd7e046f8,0x7fffd7e04708,0x7fffd7e04718
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3488
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 5104
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1596
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 868
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4256
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 2512
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID 5040
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID 2140
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 3492
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4884
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 5004
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 4588
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:12⤵PID:820
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:12⤵PID:1636
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5884 /prefetch:82⤵PID:1620
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵PID:3248
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6384 /prefetch:82⤵PID:868
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:12⤵PID:2224
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6224 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3032 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2700
-
- [depth 1] C:\Windows\System32\CompPkgSrv.exe (PID 4952)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [depth 1] C:\Windows\System32\CompPkgSrv.exe (PID 1816)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [depth 1] C:\Windows\system32\AUDIODG.EXE (PID 3520)
  cmd: C:\Windows\system32\AUDIODG.EXE 0x3b8 0x3b4
  signatures: Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\System32\CompPkgSrv.exe (PID 2224)
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [depth 1] C:\Windows\system32\OpenWith.exe (PID 4624)
  cmd: C:\Windows\system32\OpenWith.exe -Embedding
  signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
- [depth 1] C:\Windows\system32\OpenWith.exe (PID 1976)
  cmd: C:\Windows\system32\OpenWith.exe -Embedding
  signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
- [depth 1] C:\Windows\System32\rundll32.exe (PID 4428)
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- [depth 1] C:\Program Files\7-Zip\7zG.exe (PID 1428)
  cmd: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\UnivMenu_1.16\" -ad -an -ai#7zMap24635:88:7zEvent19768
  signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\OpenWith.exe (PID 2040)
  cmd: C:\Windows\system32\OpenWith.exe -Embedding
  signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
- [depth 1] C:\Windows\system32\OpenWith.exe (PID 3460)
  cmd: C:\Windows\system32\OpenWith.exe -Embedding
  signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
- [depth 1] C:\Program Files\7-Zip\7zFM.exe (PID 5072)
  cmd: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\UnivMenu_1.16.rar"
  signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\notepad.exe (PID 3424)
    cmd: "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO0D37775C\_RDATA"
- [depth 1] C:\Windows\system32\OpenWith.exe (PID 4968)
  cmd: C:\Windows\system32\OpenWith.exe -Embedding
  signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
- [depth 1] C:\Program Files\7-Zip\7zG.exe (PID 1092)
  cmd: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\UnivMenu_1.16\" -ad -an -ai#7zMap23574:88:7zEvent30149
  signatures: Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe (PID 2436)
  cmd: "C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe"
  signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Users\Admin\AppData\Roaming\1.exe (PID 3368)
    cmd: C:\Users\Admin\AppData\Roaming\1.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Users\Admin\AppData\Roaming\2.exe (PID 4756)
    cmd: C:\Users\Admin\AppData\Roaming\2.exe
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe (PID 1448)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Users\Admin\AppData\Roaming\3.exe (PID 2292)
    cmd: C:\Users\Admin\AppData\Roaming\3.exe
    signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
    - [depth 3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2160)
      cmd: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\cmd.exe (PID 2904)
      cmd: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - [depth 4] C:\Windows\system32\wusa.exe (PID 1700)
        cmd: wusa /uninstall /kb:890830 /quiet /norestart
    - [depth 3] C:\Windows\system32\powercfg.exe (PID 2576)
      cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\powercfg.exe (PID 2368)
      cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\powercfg.exe (PID 1164)
      cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\powercfg.exe (PID 2632)
      cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\sc.exe (PID 2372)
      cmd: C:\Windows\system32\sc.exe delete "WindowsManager"
      signatures: Launches sc.exe
    - [depth 3] C:\Windows\system32\sc.exe (PID 2760)
      cmd: C:\Windows\system32\sc.exe create "WindowsManager" binpath= "C:\ProgramData\WindowsManager\update.exe" start= "auto"
      signatures: Launches sc.exe
    - [depth 3] C:\Windows\system32\sc.exe (PID 1696)
      cmd: C:\Windows\system32\sc.exe stop eventlog
      signatures: Launches sc.exe
    - [depth 3] C:\Windows\system32\sc.exe (PID 4976)
      cmd: C:\Windows\system32\sc.exe start "WindowsManager"
      signatures: Launches sc.exe
    - [depth 3] C:\Windows\system32\cmd.exe (PID 5064)
      cmd: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\3.exe"
      - [depth 4] C:\Windows\system32\choice.exe (PID 4912)
        cmd: choice /C Y /N /D Y /T 3
- [depth 1] C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe (PID 4080)
  cmd: "C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe"
  signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Users\Admin\AppData\Roaming\1.exe (PID 4068)
    cmd: C:\Users\Admin\AppData\Roaming\1.exe
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Users\Admin\AppData\Roaming\2.exe (PID 2636)
    cmd: C:\Users\Admin\AppData\Roaming\2.exe
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe (PID 2264)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      signatures: Suspicious use of SetWindowsHookEx
- [depth 1] C:\ProgramData\WindowsManager\update.exe (PID 4024)
  cmd: C:\ProgramData\WindowsManager\update.exe
  signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses
  - [depth 2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 3900)
    cmd: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\cmd.exe (PID 408)
    cmd: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    - [depth 3] C:\Windows\system32\wusa.exe (PID 5072)
      cmd: wusa /uninstall /kb:890830 /quiet /norestart
  - [depth 2] C:\Windows\system32\powercfg.exe (PID 1324)
    cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\powercfg.exe (PID 4704)
    cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\powercfg.exe (PID 1624)
    cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\powercfg.exe (PID 384)
    cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\conhost.exe (PID 4292)
    cmd: C:\Windows\system32\conhost.exe
  - [depth 2] C:\Windows\system32\dwm.exe (PID 2040)
    cmd: dwm.exe
    signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe (PID 3520)
  cmd: "C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe"
  signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Users\Admin\AppData\Roaming\1.exe (PID 4320)
    cmd: C:\Users\Admin\AppData\Roaming\1.exe
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Users\Admin\AppData\Roaming\2.exe (PID 1428)
    cmd: C:\Users\Admin\AppData\Roaming\2.exe
    signatures: Executes dropped EXE; Loads dropped DLL
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe (PID 2776)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    - [depth 3] C:\Windows\SysWOW64\WerFault.exe (PID 4904)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1064
      signatures: Program crash
  - [depth 2] C:\Users\Admin\AppData\Roaming\3.exe (PID 436)
    cmd: C:\Users\Admin\AppData\Roaming\3.exe
    signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses
    - [depth 3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 1384)
      cmd: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\cmd.exe (PID 4768)
      cmd: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - [depth 4] C:\Windows\system32\wusa.exe (PID 1072)
        cmd: wusa /uninstall /kb:890830 /quiet /norestart
    - [depth 3] C:\Windows\system32\powercfg.exe (PID 1652)
      cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\powercfg.exe (PID 5012)
      cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\powercfg.exe (PID 972)
      cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\powercfg.exe (PID 4000)
      cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\sc.exe (PID 3112)
      cmd: C:\Windows\system32\sc.exe stop eventlog
      signatures: Launches sc.exe
    - [depth 3] C:\Windows\system32\sc.exe (PID 2308)
      cmd: C:\Windows\system32\sc.exe start "WindowsManager"
      signatures: Launches sc.exe
    - [depth 3] C:\Windows\system32\cmd.exe (PID 2284)
      cmd: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\3.exe"
      - [depth 4] C:\Windows\system32\choice.exe (PID 4720)
        cmd: choice /C Y /N /D Y /T 3
- [depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 1696)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1428 -ip 1428
- [depth 1] C:\ProgramData\WindowsManager\update.exe (PID 1164)
  cmd: C:\ProgramData\WindowsManager\update.exe
  signatures: Executes dropped EXE; Drops file in System32 directory
  - [depth 2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2384)
    cmd: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\cmd.exe (PID 4860)
    cmd: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    - [depth 3] C:\Windows\system32\wusa.exe (PID 4232)
      cmd: wusa /uninstall /kb:890830 /quiet /norestart
  - [depth 2] C:\Windows\system32\powercfg.exe (PID 324)
    cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\powercfg.exe (PID 4836)
    cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\powercfg.exe (PID 1924)
    cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\powercfg.exe (PID 4112)
    cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\NOTEPAD.EXE (PID 1100)
  cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\UnivMenu_1.16\Info.txt
  signatures: Opens file in notepad (likely ransom note)
- [depth 1] C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe (PID 3772)
  cmd: "C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe"
  signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Users\Admin\AppData\Roaming\1.exe (PID 2972)
    cmd: C:\Users\Admin\AppData\Roaming\1.exe
    signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Users\Admin\AppData\Roaming\2.exe (PID 1864)
    cmd: C:\Users\Admin\AppData\Roaming\2.exe
    signatures: Executes dropped EXE; Loads dropped DLL
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe (PID 4468)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    - [depth 3] C:\Windows\SysWOW64\WerFault.exe (PID 4348)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1060
      signatures: Program crash
  - [depth 2] C:\Users\Admin\AppData\Roaming\3.exe (PID 3068)
    cmd: C:\Users\Admin\AppData\Roaming\3.exe
    signatures: Executes dropped EXE; Drops file in System32 directory
    - [depth 3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 3976)
      cmd: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\cmd.exe (PID 1072)
      cmd: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - [depth 4] C:\Windows\system32\wusa.exe (PID 3508)
        cmd: wusa /uninstall /kb:890830 /quiet /norestart
    - [depth 3] C:\Windows\system32\powercfg.exe (PID 3520)
      cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\powercfg.exe (PID 5088)
      cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\powercfg.exe (PID 1356)
      cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\powercfg.exe (PID 2068)
      cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\sc.exe (PID 2440)
      cmd: C:\Windows\system32\sc.exe stop eventlog
      signatures: Launches sc.exe
    - [depth 3] C:\Windows\system32\sc.exe (PID 4948)
      cmd: C:\Windows\system32\sc.exe start "WindowsManager"
      signatures: Launches sc.exe
    - [depth 3] C:\Windows\system32\cmd.exe (PID 4188)
      cmd: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\3.exe"
      - [depth 4] C:\Windows\system32\choice.exe (PID 1472)
        cmd: choice /C Y /N /D Y /T 3
- [depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 3460)
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1864 -ip 1864
- [depth 1] C:\ProgramData\WindowsManager\update.exe (PID 3036)
  cmd: C:\ProgramData\WindowsManager\update.exe
  signatures: Executes dropped EXE; Drops file in System32 directory
  - [depth 2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2128)
    cmd: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\cmd.exe (PID 664)
    cmd: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    - [depth 3] C:\Windows\system32\wusa.exe (PID 3632)
      cmd: wusa /uninstall /kb:890830 /quiet /norestart
  - [depth 2] C:\Windows\system32\powercfg.exe (PID 2628)
    cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\system32\powercfg.exe (PID 572)
    cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    signatures: Power Settings
  - [depth 2] C:\Windows\system32\powercfg.exe (PID 2228)
    cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    signatures: Power Settings
  - [depth 2] C:\Windows\system32\powercfg.exe (PID 4456)
    cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    signatures: Power Settings
- [depth 1] C:\Program Files\7-Zip\7zG.exe (PID 396)
  cmd: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\UnivMenu_1.16\Qt5WebEngineCore\" -ad -an -ai#7zMap28148:122:7zEvent14801
- [depth 1] C:\Windows\system32\OpenWith.exe (PID 4504)
  cmd: C:\Windows\system32\OpenWith.exe -Embedding
  signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- System Services (2): Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Power Settings (1)
Downloads
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 42B
  MD5: 84cfdb4b995b1dbf543b26b86c863adc
  SHA1: d2f47764908bf30036cf8248b9ff5541e2711fa2
  SHA256: d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
  SHA512: 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
- Filesize: 152B
  MD5: f61fa5143fe872d1d8f1e9f8dc6544f9
  SHA1: df44bab94d7388fb38c63085ec4db80cfc5eb009
  SHA256: 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
  SHA512: 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6
- Filesize: 152B
  MD5: 87f7abeb82600e1e640b843ad50fe0a1
  SHA1: 045bbada3f23fc59941bf7d0210fb160cb78ae87
  SHA256: b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
  SHA512: ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618
- Filesize: 1024KB
  MD5: fddbecb3d1a277e17fef8f2c6fb5b7a4
  SHA1: 1c6c43986da1e1ab295558f966602e8dbb3c4284
  SHA256: e64fa4f857d6aa411547391114ba4fe3d77edf32e0b730dce05950a03fc2d222
  SHA512: 22c06ac10e7ea81956ebbeda19a331105caa1d023184ecd845d0dec8c5044d7d547bd7dcf62e9167cd45589870d4e57bef4d8376f785bc7b228ba783fd5d66ab
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 936B
  MD5: 1582a46ce0c0e7269660a53bebbc6dce
  SHA1: 42ee12bee39fe04f70db2a3abb1691ab7058a120
  SHA256: b1ef9de57712ec9a8eaba7571e8337f69b81fc89ee12020e8b35c033f5a0743b
  SHA512: 72e16e76d2005d2403f1aa8a62aa93853fb4370c989047c6572ef4b24b74af106e6160ae511a98072e594bfa94893da010bc756d6baa21b7d35261aa40d4cebc
- Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
- Filesize: 124KB
  MD5: a9cd9dc8728032e60e78b732f2fdaee4
  SHA1: 462c8c7a7d07069782c26cd20c00f066a037d717
  SHA256: 71d39b1d08b333342b4b9c1c67241e69e3a3e255beb6357042ff6cd3dd09da0a
  SHA512: 0425e2c5435c73da12985a1773741391de6080cc9c9d59460d110bd3fa130ed46bc5fd123bfe458467233830b0d2873bbf87e7affa66bf280e4964fbf7d52613
- Filesize: 3KB
  MD5: 9de3dde114ca9250cb861fe109a5b381
  SHA1: e2dfd45b6f68e4b3368a9fb6f94bc10d7c4acda3
  SHA256: 171032fa0129e38ba704e3f1049d985a09b8ae023bb0918a1a01f2cdd9bc3134
  SHA512: 0328405598096d49c5426069fa8288e96f8b0aaa22cb4e5590cbe37ebda6a4bb301d42bef94b05bb47f140ef1de8da9ab537b2c7dae77b2116df3d93d10594b9
- Filesize: 3KB
  MD5: dde5d110f3572d2b51198a4f8229004a
  SHA1: 5953677d3fbd69d75a66d1059270fe335dadc656
  SHA256: f68ebf0b4676abaccef499b76c454e1a3daf68ff83520e449e26ce23945e471c
  SHA512: 8b4795fd48a3e1e9a56922bc0853ca2f79b4142070ca9ac4d4b2808c871189c57c82aa4d9df86e9e1cd2d712a320f282624f0d2dfbb0c0393ec8afce6d6400b2
- Filesize: 3KB
  MD5: 5130ab72fd1f491af0875179d0db1ad6
  SHA1: d73f806f01c292e60eb9d6d5b153bc09d8d3fc75
  SHA256: 2791d919ffabf9fec8a9fcac68c273ae476b3b8fb0ef7b8a63684ee8d6900558
  SHA512: aab202ad83829db397a5e075005eacf75de5aa01505536315603bf547a1f363debbc6f763eebf5b1a73c3a78ffb8b0a4785ba3da929b2c96f67a61532c6da554
- Filesize: 3KB
  MD5: 060d1797dcf33884312d1335fc0dbe1f
  SHA1: c7671083f67ed61e82221b566c63922585a766f7
  SHA256: 485fce019e387a13fcbaf442a86f5c7866a5ec34fd795e67d12be9a358698998
  SHA512: 13a780632ef226b8a6b83233630440dbc4952baad03ecfda64ce7dac784ce774c6c012ea883b7beb2e4d7eca43dcfcc0dcc82606dfbf35bdbf7d3e8533ea8f62
- Filesize: 7KB
  MD5: a4d2b975bad1204debcee60dc331031f
  SHA1: 1593c83afd13320674a1bb034e0792d49a82d728
  SHA256: fa5c747d119123e949063d8d29dc24530396c5ce705e87fffc3792b3b0dda244
  SHA512: cd7ce59804a8a8d3af5e95704be5f50cf8d4ebc75a44bf39168a1c4d7b816bb73fc8f4c25cb1de22ec691dac0761c2f880f48d8916c13db28cd136cf339b05a8
- Filesize: 5KB
  MD5: 81ebf42945eec863dd22ddfc9d5fe4d7
  SHA1: b33883f8446d8a86bb6c589fb25c545dc37028e7
  SHA256: 3b91af5ee44c90b2d24a9afafde2e9ffb883a048e95635bfe8d6f16d994586b0
  SHA512: e6bbab90b8c534cf277f9352771c9d030654e02ccde9aa1cecc1022af635094596125b9c218661a49c091dfdd03a96ae02f4dd998d76c808e6cf2baec0ed7276
- Filesize: 7KB
  MD5: 6bbcf1f4539878a4c968e6d983b66620
  SHA1: 97e710de6bbbeb60163924c97896ed052e1972c1
  SHA256: 6eb96f0c2c966903272fc28e8505821c9460d152b859d5052c3b341fb0e96c92
  SHA512: 6b4050e39a113e08e051c038636ff540fc0f14ad4f8055e9e6ba8cd2e6c2d3e13e62a613883cf4b440870c47abe7729353155df6e1e7ea0c5e6c1d424e75460e
- Filesize: 7KB
  MD5: 5f30b71728a7a6579ac3654bf0caa609
  SHA1: be5686965e799c6414b4605e46c6d16f6a250b19
  SHA256: a6188c6462286913864043cb502be707202bdd6f8bdbfcbf513539ed9a5cc805
  SHA512: 918f3cacdb33cfc906f484e29452993ee900f202c32fd9e65020b8f38cfe80d31a31f9784844f84e8045e2559baff6f532762ae237c121c2f87b2009c90896ef
- Filesize: 6KB
  MD5: 2b76bc9da2ce2130e3f08a6e79a29680
  SHA1: 5f48e0de7fb1dc39909b4a6b27bef299a52e0c92
  SHA256: 8854af6ae4ed6bda1d09fc638db504aec206c0012ebfcd92805f75b146ee58ab
  SHA512: 3dd2cfe58f0fd3642440a23268c15a2fefd5cfa5329cab23eb5c71190820470c0b9d2b5288efb8aa16397bc3f71c5c15b571e970c118174d5400d4492239b06d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\36e7e0e9-6715-4288-b38f-36cbfd235090\index-dir\the-real-index
  Filesize: 2KB
  MD5: c5c47df9d5457d4d395d8fe5dea3a54f
  SHA1: 78dd60a5519d626087d7a998261dcb395466df71
  SHA256: 7d93f5dad5612350b39d660d25fcc74ef211f20ca7d8fb6ed10c1ea34c322524
  SHA512: e9ef796added38be03d9557a6d0ea64713d6f1a500c2cbf81fa73680f5a805c5a3090f4acf9fab0045e1eeb2914296210b94b13d4f769c43eaf3bc13c5de25ae
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\36e7e0e9-6715-4288-b38f-36cbfd235090\index-dir\the-real-index~RFe57f59b.TMP
  Filesize: 48B
  MD5: 609926be3c0b0c7c79dfb16b4541dfd4
  SHA1: fb0e91ea7eda301e1ec10fce2fccb9f8290143bd
  SHA256: bcdfb5b0ff7e40ba3544856d716265edc1d5c4490f4001c993a6a8bd3d302ca4
  SHA512: 28b6ba05b14bbe2df4336a015571ca572beca638975c7294e7ffae9729ed876a4113f71abfc947751b2e3a67bda1e3b85a0bbb89b848b87901ad57fe3df14844
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 89B
  MD5: fb10e00700d19da07a1951c5a2b77207
  SHA1: ed13f087737000fcebfcb89ef69de570f148bda2
  SHA256: facaa6ac8b393c64297c7f664582823764b110b7648697deacc487f9c11f58b5
  SHA512: ff7ea05da279ec9cc98ddf71fa3b78c7f03f193a1f4c4c64c1d22362fdb211961f2207214e53b17b816aefa33deed69a3d6ea2bd201d5abf132b0b202b2d5f08
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 146B
  MD5: 6d4b4ad16e5d0e632c1572ef9102e30d
  SHA1: 6262a106c43f7f263e565be93da0d53b7f4d1bc8
  SHA256: 7404aac8bb2343c202f79e1f40aaf1209311ad18321093971e7a58880accf2f4
  SHA512: 657aa730636d7fd8796ceb718ade3ae8f892c474df2b436e3239c58ffa374a4ae166d265d7f0756017509453e13e208aa20822de303b178af27e217ef1b8fe2c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 82B
  MD5: b7788c7409aa1d929fb4a3e6fa271f37
  SHA1: b31afe662926ff0bdb2473ba6e641078787b2ce5
  SHA256: 6d2066b86ea61857db1f988f470848720ca90f40f391ff96da728457169b2993
  SHA512: dc71bf78e655f3a7de6938e3f35e83dda9a643345d287b6b26c4105a68c2c103194dcec1c8265d832ddf71e47a9e70dace4fb8c480e5fc78821d9b972e4034b5
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
  Filesize: 84B
  MD5: f9dd67bf6682e8ef8327c069e2788c45
  SHA1: 7e4e3918ecac2b31d7ca433c77d413085d7c6373
  SHA256: 44ca121621d96f737f391eabc93318df992eb744a2d4dcf2226bbf3bac1a5b03
  SHA512: 648ba44252aa8b71ba11b5c47e8dfb187889370ab804ebe047f9bcb70357cc6b6252d2dd6aca9df209be798757faa3537ca4dabe1ced86462e8fe6c70ed10d2c
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 48B
  MD5: 9d9ff26aac916b43cb05868b020e01e2
  SHA1: a372181686de3c5ba228ccfe319a1c0f4277c636
  SHA256: 71736ad9403fabd83b28bca490a8451c9bbd9498a9f4885f1dee8bc5149834aa
  SHA512: 75c24d6189c165ca139b98113ccb0ac3c96096dd13c1d4cdf74faffa439ba517561a4f85955c3ebf5a8c5deafd59b4f7457faaf8a312168b98e4fd1517b9cefb
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: d05b4ab1989791896ed33e70d6cf32f5
  SHA1: 7718316e864646895e793b45a3f027af9f346bc2
  SHA256: 48d9791c5f34f439ca7732b280c3821e4f0e38cf29217190cb722ad8adbed47f
  SHA512: 54d7ccdfd7d1517ef495ff317055064381dc428bbaadcfb53bfbfe50c0e3539992aacdc97751fa09340df9b974b18c7ef26615bf0e578997f1fbd5e4509b59e4
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57efee.TMP
  Filesize: 48B
  MD5: fde241d1265eda39b9b377d3bc76465f
  SHA1: b512bc2c730311bea19c76a2c20436bbce8fe161
  SHA256: 39aa20929d13dd7b8d3b81c2ccc5c4095fe0fc77d34b85afb23321a09d4bc50a
  SHA512: 671ddfa4eae25ef30044eb8c559e572a833d18d2c6c7e6e46fe9ecccf3129d2b7b1c45b717c620f428a86de6c74c835d6ee1823d5a4d6f33613145a434412f00
Filesize
1KB
MD5cffadc99f4a4d43b297f1be9150bc727
SHA13f01fca111a801c5003928275f886bd70cb22789
SHA25673243893b346739c87effa7bcb81a22618dc84029920970a27594f6bf99250d2
SHA512f40c38c43c219031296cf900f2ad2a02a1a86fc0a4a823238b68bc22fd2038d7fb235f349eb8c6e50770775c27b97fbb169bee9c5f7891e71f88e1601d43912f
-
Filesize
1KB
MD50cf12c4ddc2d8c4837834b78a2a8967d
SHA130d61803841fafe8bbe3b7dada6d55079ff38bb3
SHA25675a25bc9825102c453ea3bb73c80963a6481728f9e9dd1acfdba506bf44126a2
SHA51234ea56d6d0a39eb7ab1f1d9bc0020b0af28ac34db2bde4fe908f1bcd81747fa0cc11e8b3a29af2845ef11d004b67e278568eb81c9f452f2d1bee8e336617913d
-
Filesize
1KB
MD59a98ad3409edd452ef0c01cbd70cb638
SHA1ca7021fa901695a68ed0e017e87690494ca407b4
SHA256a3b22e908cbd31d8f23e7b47d1dd13014ad1bbce490a9e8aa35e09629769e6ca
SHA5124ab8da2ce75c2bc53062b9d0451c085ec091b65c9ee89d51a497728e61db47e50a86915ed4abf29abf6965d7fe6ea1a5052300b099d0023855b941a721160f7f
-
Filesize
1KB
MD50e4c79fd70bae95699fc06c85b958dbc
SHA1c6d32af2867d8985b289e8a465162059fb4b52db
SHA25601350cbab24dc132bffd145bbcbd18293ecad3a60c6c1be6685bd17ce5928403
SHA5121cf9aaec204fd51c07116c5109f0f12c18bf3b9631c5bd4c9a46d78c0eea5ec687e9132b56941b67187b922b60fdc6f1d16f99273f41f2a8290117e9951fc72c
-
Filesize
1KB
MD5fd39e945c2abd3c0b13f9a9b25c833b2
SHA1d5041cc06173f5e9aa78a69793f9b8ed186baa74
SHA256b479558b76d014a201eaf6cd8d67c398147008e7af97b20c44567339d9441f45
SHA51235112a713e6b7fce2219d7bc7d4eb548528a0158cbda4fc0dc0aa12868138c9c973fecd9c97efc7f4a35fa8652c576337948a84bc61ae8b6c47da2dac65f0125
-
Filesize
1KB
MD5802deec3860c685ddb2d8747fef62932
SHA1e2987927a7d0258041ec0ee8260369b1c0676e96
SHA2568791fa86df51f618c7563cdd4e4b7e4b070ff5957c5c451cc632862162b5ae60
SHA512a55c4489cb5a4c74a4561d17a875d99e6a0d9026c6c5cb6a907984ba63ab656fc496b5621593eadd3a67a9cb261d7bcbcb651de683ca589e71ed89806aa5d008
-
Filesize
1KB
MD5ffce748db69274fe48845b79a024c2bf
SHA1846e2175108e585c1c4e0c276da589dd1176ad60
SHA2562233ebfcb3ee7cd00a4fc259703570c4c4024b3461af2aa406bf9c7e7bf6df62
SHA512a50639093bd730c49778d164a20c868bb07e9e03747ab2ee786ad9dc0b6a589f8b8a3936657d846d305d8837a78cdbce48590cd4e260e2912effa790ee4b5241
-
Filesize
1KB
MD52b2fd27bf01f7e0d56f5499636a87c55
SHA13e455cc119e481a1370a40ef64a925223e5b64c5
SHA2560610d0d64c4dc5a03e2837a00a378d6d4bd5c11014a86b1b0deef4ab7f47e2b4
SHA512093818531ce1c1f431da131b2c3bb5ea8b6a2a2f238b885c55b2d2eec0104dd960c86c820623405b5ad5ddb6282b0665293ca467d1aff4032aed45dae5a56171
-
Filesize
372B
MD52c1e5d079e4b5d1b6ffc77c3ce17d5ec
SHA13419b9d01995c56372691bddbdf17acdc693754e
SHA2562154cd8eeaaf1f4bab0e98cfdfdba44a1260a5711f97c457f7815ce184adce06
SHA5129cbc9fb4184568e21da4e548a5559578d1c0d81cfa3235e0806cbaf0b078294bf6e2368bb12bd023e12131d7473e07433939afc32ac29b79b9155ee68be9f30f
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
11KB
MD528429cebe9f052a98783016424daba39
SHA15219a395bd21d9fd0e7b31d10437a72b4538b292
SHA256a8a533394f8e3456069b7c92e41f83a27207d81f3d67529b36fc9eb2405a0c1f
SHA512b6ebe7039a2996b0a270da9882848043edce76279effbb4ee23bad06b6b029cc466ace9967177b988b5c3a611501b6878f91d0a3ca1bc91b411de43346d7ab36
-
Filesize
10KB
MD5d8337301833edafa84fc429aa97ef60f
SHA16844dbcaec035921f51cb3184c98830386e72252
SHA25611010ce9bd1da70102bf5b7cf196828e49ab9280af193f7dd6479c24310da1b3
SHA512f7e88e24107b0aa4cbe80b7d1df3d762c20c395d1e15f35124fb47393689d62d51038b8ae1f2b35646c7a84ced9ab4f0096ffcbbd3cea37f734c20abaea7ed6d
-
Filesize
11KB
MD55b262d770c3eac82535249be06b70739
SHA13fc7592049efb62ec8e32f0f8c7b42b078dac277
SHA25674c19ce387971b3f2b2c9c623a310542f57e57cbb1b5430a4d957e5d59cf9fa8
SHA512bb552e25a08b807253e455ae5a8e0605bf751855b178b8e261847be544f6d06b2909bda51e3af6448d85b3bffb01e1f4875ff53f4084d7c7b7277a277ad95224
-
Filesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
Filesize
512B
MD5defa4c241d8ca09bc04fb00aeba1896a
SHA1d3a883c908e4de1e5186f88515e0ac18e420adfc
SHA256463b156b15235f34a672fff591e896c5b4b17db848808623ea222a9e2c523f71
SHA51266d040aab75df64fbf706b551253558352aecbfc841c2b6b21650ac0d3576b0a4d4c1b0d678e387f30a29c555286ff9322debee91a28917b66f07c7d848e5043
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
442KB
MD57700a739a7f20e1e09dddd0659e69e4f
SHA1340e39a309ab0dabe3116cba04d73a72a40053f4
SHA2568d9a56cb3a2b7be78749f3f59457144a8bc9caf8b7dc702608a7c45e51af8800
SHA512bd9699823ae300991a14a31aff69e0a5a4ceca6c96bca5c6a8fcd97bf2de091e1a091962025c864116251bb5968c231e65152c6e10436f96039aba31a337fc38
-
Filesize
193B
MD536c8a4bd123238dc06375ef132ccc726
SHA1933783c603dc8216d40f7e119dc0513c752ec2d3
SHA256042aa4a3db98617580a3a05a5571e08bea207621e7e74ac040171049cbf3d36a
SHA5120d50089f33bc59dd396eae9a5cd5f1900efef44f08f5fd771b2e9b0bee50a7943f575e138fb3483ea1c1e9f296d86d57642ab15821b48cd69d403e2963bb31eb
-
Filesize
14KB
MD50c0195c48b6b8582fa6f6373032118da
SHA1d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA25611bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e