Analysis
max time kernel: 922s
max time network: 924s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/07/2024, 18:21
Static task: static1
Behavioral task: behavioral1
Sample: Untitled.png
Resource: win10v2004-20240709-en
General
Target: Untitled.png
Size: 258KB
MD5: 25811860c5ee9a5d25be24c4bcaeb34a
SHA1: 2c80b6e3c27ede1837e589ef67ecdb4da70fd5aa
SHA256: 4932eefd4a7e0037008f10b3e45623cfb9cf54943b2f09e0762d7a0facd28298
SHA512: eb1910e1d3b68ce2aa49300a6f692f839813a1bd8aa8a34234a5c529f0d0530f1549b54727ee7b65a61be52c5b050132b3e06a0c85eb19382c0bf3745f70888f
SSDEEP: 6144:jR/mp0+VMP4Dbk7GotugGS8yReMdBFhq61YQBjRWzq1XWdnyNA:jE/2f7Go1GS8GekBFhq6OaRIq1XWsa
These hashes identify the submitted Untitled.png only; they are not hashes of the WannaCrypt0r.exe that was downloaded and run during the session.
Malware Config
Extracted
Path: C:\Users\Admin\Desktop\@[email protected]
Family: wannacry
Wallet: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
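The wallet string above should be checked for structural validity before it is pushed to a blocklist or watch list. The following is an added example, not code from the report or from tria.ge: it Base58Check-decodes the address (one version byte, the 20-byte HASH160, a 4-byte checksum that is the first four bytes of SHA-256(SHA-256(version||hash))) and rejects anything that does not verify, which catches a garbled or truncated value copied out of a ransom note or a report. A passing checksum says only that the string is a well-formed Bitcoin address; attribution to the family rests on the config match, not on this check.

```python
"""Base58Check validation of a Bitcoin address pulled from a malware config.

Added example; not part of the sandbox report. The only input is the wallet
string listed in the extracted config above.
"""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def decode_btc_address(addr: str):
    """Return (version_byte, hash160) if the Base58Check checksum verifies, else None."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return None
    if len(raw) != 25:  # 1 version + 20 hash + 4 checksum
        return None
    version, payload, checksum = raw[0], raw[1:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    if digest[:4] != checksum:
        return None
    return version, payload


def is_valid_btc_address(addr: str) -> bool:
    return decode_btc_address(addr) is not None


# Wallet string exactly as listed in the extracted config.
WANNACRY_WALLET = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"

if __name__ == "__main__":
    result = decode_btc_address(WANNACRY_WALLET)
    print(WANNACRY_WALLET, "valid" if result else "INVALID")
    if result:
        print("version byte:", result[0], "hash160:", result[1].hex())
```

The version byte 0x00 is what the leading "1" encodes (a P2PKH address); a value copied with one character wrong fails the checksum with probability 1 - 2^-32, so a mismatch almost always means a transcription error rather than a different wallet.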
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm. The helper binaries that recur through this report are its standard components: tasksche.exe (the dropper/encryptor that the Run key below points at), taskdl.exe (deletes the temporary files left behind by encryption), taskse.exe (launches the decryptor window in every logged-on session) and taskhsvc.exe (the bundled Tor client used to reach the payment back end).
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery. In this run the privilege list under Suspicious use of AdjustPrivilegeToken shows WMIC.exe (pid 4192) enabling SeBackupPrivilege and SeRestorePrivilege and vssvc.exe (pid 5820) starting, consistent with shadow copies being removed through WMI, which is how this family does it.
-
Downloads MZ/PE file
-
Drops startup file 1 IoCs
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD446B.tmp
Process: WannaCrypt0r.exe
-
Executes dropped EXE 57 IoCs
After the initial WannaCrypt0r.exe, the list is the loop the family runs repeatedly: taskdl.exe, then taskse.exe, then the decryptor window, over and over for as long as the sample stays alive.
pid Process
2168 WannaCrypt0r.exe
1140 taskdl.exe
5580 @[email protected]
5884 @[email protected]
3684 taskhsvc.exe
1432 taskse.exe
5200 taskdl.exe
2952 @[email protected]
632 taskdl.exe
2780 taskse.exe
4040 @[email protected]
4324 taskse.exe
5468 @[email protected]
4888 taskdl.exe
1720 taskse.exe
4792 @[email protected]
4672 taskdl.exe
3060 taskse.exe
4952 @[email protected]
5292 taskdl.exe
4400 @[email protected]
2068 taskse.exe
1992 taskdl.exe
6000 taskse.exe
2704 @[email protected]
864 taskdl.exe
2040 taskse.exe
372 @[email protected]
2952 taskdl.exe
5424 @[email protected]
5944 taskse.exe
4716 taskdl.exe
5004 taskse.exe
4792 @[email protected]
4672 taskdl.exe
5872 taskse.exe
5732 @[email protected]
5592 taskdl.exe
2312 taskse.exe
4800 @[email protected]
2480 taskdl.exe
828 taskse.exe
956 @[email protected]
3904 taskdl.exe
4588 taskse.exe
5388 @[email protected]
2764 taskdl.exe
4084 taskse.exe
5352 @[email protected]
5344 taskdl.exe
3508 taskse.exe
5020 @[email protected]
4504 taskdl.exe
4016 taskse.exe
4932 @[email protected]
5564 taskse.exe
3532 @[email protected]
-
Loads dropped DLL 7 IoCs
pid Process
3684 taskhsvc.exe (seven loads, all by this one process)
taskhsvc.exe is the sample's bundled Tor client, which ships its own libraries alongside it; the seven loads are those libraries, not DLLs injected anywhere else.
-
Modifies file permissions 1 TTPs 1 IoCs
pid Process
4828 icacls.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc. No IoC is attached to this hit, so the report does not identify the process that triggered it.
-
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nwsykrss037 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""
Process: reg.exe
The value name is generated and the target is tasksche.exe on the user's Desktop. The WOW6432Node path means a 32-bit reg.exe wrote it under WOW64 registry redirection; Run entries there are still processed at logon.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow 163: raw.githubusercontent.com
flow 162: raw.githubusercontent.com
Together with the Downloads MZ/PE file hit and the SmartScreen streams on two .crdownload files under NTFS ADS, these flows show that the executable was fetched through Edge during the interactive session.
-
Drops file in System32 directory 11 IoCs
All eleven entries are svchost.exe writing the ESE database files (.jtx, .jrs, .chk, .log, .jfm) of the DataSharing store under the system profile; this is Windows service housekeeping, not sample activity.
description ioc Process
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx svchost.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log svchost.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm svchost.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log svchost.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs svchost.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs svchost.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp svchost.exe
-
Sets desktop wallpaper using registry 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" WannaCrypt0r.exe
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected]
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected]
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments. All three hits here come from taskmgr.exe (pid 4932), a legitimate Windows tool that reads disk properties when it lists drives, so they are not evidence that the sample performs this check.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe
-
Enumerates system info in registry 2 TTPs 6 IoCs
All six reads are by msedge.exe (the browser reads BIOS manufacturer and product name for its own purposes), not by the sample.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
-
Modifies registry class 64 IoCs
All 64 entries are written by msedge.exe and consist of Shell bag/BagMRU view-state keys (file dialog and Downloads folder state) and related shell/CLSID keys; none are from the sample.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads" msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" msedge.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{0AD73A0F-9264-41B3-86A9-03E08E6B1277} msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000 msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" msedge.exe Key created 
\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000b89a61c808d2da01c57e7ccb08d2da01059d3dcc08d2da0114000000 msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" msedge.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{413558C0-052F-4529-BCC8-2FF65F233299} msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 msedge.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" msedge.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff msedge.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process
1212 reg.exe
-
NTFS ADS 2 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 616179.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 200426.crdownload:SmartScreen msedge.exe
These are the SmartScreen streams Edge attaches to files while it downloads them, i.e. two downloads in progress, not alternate-data-stream abuse by the sample.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4968 msedge.exe 4968 msedge.exe 3168 msedge.exe 3168 msedge.exe 4292 identity_helper.exe 4292 identity_helper.exe 5752 msedge.exe 5752 msedge.exe 5584 msedge.exe 5584 msedge.exe 5400 msedge.exe 5400 msedge.exe 5292 msedge.exe 5292 msedge.exe 5292 msedge.exe 5292 msedge.exe 1128 msedge.exe 1128 msedge.exe 3684 taskhsvc.exe 3684 taskhsvc.exe 3684 taskhsvc.exe 3684 taskhsvc.exe 3684 taskhsvc.exe 3684 taskhsvc.exe 3204 mspaint.exe 3204 mspaint.exe 5148 msedge.exe 5148 msedge.exe 1172 msedge.exe 1172 msedge.exe 5880 identity_helper.exe 5880 identity_helper.exe 4228 msedge.exe 4228 msedge.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 5584 msedge.exe 1312 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs
All entries are msedge.exe (pids 3168 and 1172). Chromium launches its sandboxed child processes with the block-non-Microsoft-binaries mitigation policy, so this is expected browser behaviour rather than sample activity.
pid Process 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Three things are visible in this list: WMIC.exe (pid 4192) enables the long privilege set shown, which wmic.exe does at start-up regardless of the query; vssvc.exe (pid 5820) takes SeBackupPrivilege and SeRestorePrivilege to service the shadow-copy request; and each taskse.exe instance enables SeTcbPrivilege, which the family needs to obtain the token of every logged-on session (WTSQueryUserToken) and launch the decryptor window in each of them.
description pid Process Token: SeIncreaseQuotaPrivilege 4192 WMIC.exe Token: SeSecurityPrivilege 4192 WMIC.exe Token: SeTakeOwnershipPrivilege 4192 WMIC.exe Token: SeLoadDriverPrivilege 4192 WMIC.exe Token: SeSystemProfilePrivilege 4192 WMIC.exe Token: SeSystemtimePrivilege 4192 WMIC.exe Token: SeProfSingleProcessPrivilege 4192 WMIC.exe Token: SeIncBasePriorityPrivilege 4192 WMIC.exe Token: SeCreatePagefilePrivilege 4192 WMIC.exe Token: SeBackupPrivilege 4192 WMIC.exe Token: SeRestorePrivilege 4192 WMIC.exe Token: SeShutdownPrivilege 4192 WMIC.exe Token: SeDebugPrivilege 4192 WMIC.exe Token: SeSystemEnvironmentPrivilege 4192 WMIC.exe Token: SeRemoteShutdownPrivilege 4192 WMIC.exe Token: SeUndockPrivilege 4192 WMIC.exe Token: SeManageVolumePrivilege 4192 WMIC.exe Token: 33 4192 WMIC.exe Token: 34 4192 WMIC.exe Token: 35 4192 WMIC.exe Token: 36 4192 WMIC.exe Token: SeIncreaseQuotaPrivilege 4192 WMIC.exe Token: SeSecurityPrivilege 4192 WMIC.exe Token: SeTakeOwnershipPrivilege 4192 WMIC.exe Token: SeLoadDriverPrivilege 4192 WMIC.exe Token: SeSystemProfilePrivilege 4192 WMIC.exe Token: SeSystemtimePrivilege 4192 WMIC.exe Token: SeProfSingleProcessPrivilege 4192 WMIC.exe Token: SeIncBasePriorityPrivilege 4192 WMIC.exe Token: SeCreatePagefilePrivilege 4192 WMIC.exe Token: SeBackupPrivilege 4192 WMIC.exe Token: SeRestorePrivilege 4192 WMIC.exe Token: SeShutdownPrivilege 4192 WMIC.exe Token: SeDebugPrivilege 4192 WMIC.exe Token: SeSystemEnvironmentPrivilege 4192 WMIC.exe Token: SeRemoteShutdownPrivilege 4192 WMIC.exe Token: SeUndockPrivilege 4192 WMIC.exe Token: SeManageVolumePrivilege 4192 WMIC.exe Token: 33 4192 WMIC.exe Token: 34 4192 WMIC.exe Token: 35 4192 WMIC.exe Token: 36 4192 WMIC.exe Token: SeBackupPrivilege 5820 vssvc.exe Token: SeRestorePrivilege 5820 vssvc.exe Token: SeAuditPrivilege 5820 vssvc.exe Token: SeTcbPrivilege 1432 taskse.exe Token: SeTcbPrivilege 1432 taskse.exe Token: SeTcbPrivilege 2780 taskse.exe Token: SeTcbPrivilege 2780 taskse.exe Token: 
SeTcbPrivilege 4324 taskse.exe Token: SeTcbPrivilege 4324 taskse.exe Token: SeTcbPrivilege 1720 taskse.exe Token: SeTcbPrivilege 1720 taskse.exe Token: SeDebugPrivilege 4932 taskmgr.exe Token: SeSystemProfilePrivilege 4932 taskmgr.exe Token: SeCreateGlobalPrivilege 4932 taskmgr.exe Token: SeTcbPrivilege 3060 taskse.exe Token: SeTcbPrivilege 3060 taskse.exe Token: SeTcbPrivilege 2068 taskse.exe Token: SeTcbPrivilege 2068 taskse.exe Token: 33 4932 taskmgr.exe Token: SeIncBasePriorityPrivilege 4932 taskmgr.exe Token: SeTcbPrivilege 6000 taskse.exe Token: SeTcbPrivilege 6000 taskse.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 3168 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe 4932 taskmgr.exe -
Suspicious use of SetWindowsHookEx 41 IoCs
pid Process 5584 msedge.exe 5580 @[email protected] 5884 @[email protected] 5884 @[email protected] 5580 @[email protected] 2952 @[email protected] 2952 @[email protected] 3204 mspaint.exe 1136 OpenWith.exe 4040 @[email protected] 5468 @[email protected] 4792 @[email protected] 4952 @[email protected] 4400 @[email protected] 4400 @[email protected] 2704 @[email protected] 372 @[email protected] 5424 @[email protected] 4792 @[email protected] 5732 @[email protected] 4800 @[email protected] 956 @[email protected] 1312 msedge.exe 5388 @[email protected] 1312 msedge.exe 1312 msedge.exe 5352 @[email protected] 1312 msedge.exe 1312 msedge.exe 1312 msedge.exe 1312 msedge.exe 5020 @[email protected] 1312 msedge.exe 1312 msedge.exe 1312 msedge.exe 1312 msedge.exe 1312 msedge.exe 1312 msedge.exe 1312 msedge.exe 4932 @[email protected] 3532 @[email protected] -
Suspicious use of WriteProcessMemory 64 IoCs
Every entry is the Edge browser process (pid 3168) writing into child processes it just created (pids 2740, 1576, 4968, 4948, all visible in the process tree below); this is normal Chromium sandbox start-up, not injection by the sample.
description pid Process procid_target PID 3168 wrote to memory of 2740 3168 msedge.exe 99 PID 3168 wrote to memory of 2740 3168 msedge.exe 99 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 
PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 1576 3168 msedge.exe 101 PID 3168 wrote to memory of 4968 3168 msedge.exe 102 PID 3168 wrote to memory of 4968 3168 msedge.exe 102 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 PID 3168 wrote to memory of 4948 3168 msedge.exe 103 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process
5096 attrib.exe
5980 attrib.exe
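The backup-destruction, persistence and defacement behaviours recorded in the Signatures above (Deletes shadow copies, Drops startup file, Modifies file permissions, Adds Run key to start application, Sets desktop wallpaper using registry, Views/modifies file attributes) map onto a small set of host-telemetry rules. The following is an added example, not code from the report or from tria.ge: it runs those rules over simplified process-creation, registry-set and file-create events and returns which rules fired and for which PIDs. The sample events are constructed from the IoCs in the report; the command lines for WMIC.exe, icacls.exe and attrib.exe are not shown in the report and are assumed here to be the ones this family is known to use, and the PIDs of the benign svchost.exe and explorer.exe events are made up.

```python
"""Host-side detection of the ransomware TTPs flagged in the report above.

Added example; not code from the sandbox report or from tria.ge. Field names
are modelled on Sysmon-style telemetry, simplified to plain dicts.
"""
import re
from collections import defaultdict

# An autorun entry that points into a location a normal user can write to is suspect.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData|Documents)\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
WALLPAPER_KEY = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)
WALLPAPER_SETTERS = {"explorer.exe", "systemsettings.exe", "svchost.exe"}  # allow-list
SHADOW_COPY_CMDS = [  # the usual backup-destruction commands (ATT&CK T1490)
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.IGNORECASE),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.IGNORECASE),
]
ICACLS_EVERYONE = re.compile(r"icacls(\.exe)?\s.*?/grant\s+Everyone:F", re.IGNORECASE)
ATTRIB_HIDE = re.compile(r"attrib(\.exe)?\s.*\+h\b", re.IGNORECASE)


def _shadow_copy(ev):
    return ev["type"] == "process" and any(p.search(ev["cmdline"]) for p in SHADOW_COPY_CMDS)

def _run_key_user_path(ev):
    return (ev["type"] == "registry_set" and bool(RUN_KEY.search(ev["key"]))
            and bool(USER_WRITABLE.search(ev["data"])))

def _startup_drop(ev):
    return ev["type"] == "file_create" and bool(STARTUP_DIR.search(ev["path"]))

def _wallpaper(ev):
    return (ev["type"] == "registry_set" and bool(WALLPAPER_KEY.search(ev["key"]))
            and ev["process"].lower() not in WALLPAPER_SETTERS)

def _icacls_everyone(ev):
    return ev["type"] == "process" and bool(ICACLS_EVERYONE.search(ev["cmdline"]))

def _attrib_hidden(ev):
    return ev["type"] == "process" and bool(ATTRIB_HIDE.search(ev["cmdline"]))

RULES = {
    "deletes_shadow_copies": _shadow_copy,
    "run_key_to_user_path": _run_key_user_path,
    "drops_startup_file": _startup_drop,
    "sets_wallpaper": _wallpaper,
    "icacls_everyone_full": _icacls_everyone,
    "attrib_hidden": _attrib_hidden,
}


def evaluate(events):
    """Map each rule that fired to the PIDs of the events that triggered it."""
    hits = defaultdict(list)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev["pid"])
    return dict(hits)


def verdict(hits):
    """Ransomware-like: backups destroyed plus persistence or desktop defacement."""
    follow_on = {"run_key_to_user_path", "drops_startup_file", "sets_wallpaper"}
    return "deletes_shadow_copies" in hits and bool(follow_on & hits.keys())


HKU_USER = r"HKU\S-1-5-21-701583114-2636601053-947405450-1000"  # SID from the report
SAMPLE_EVENTS = [
    # Constructed from the report's IoCs.
    {"type": "file_create", "pid": 2168, "process": "WannaCrypt0r.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD446B.tmp"},
    {"type": "registry_set", "pid": 1212, "process": "reg.exe",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nwsykrss037",
     "data": r"C:\Users\Admin\Desktop\tasksche.exe"},
    {"type": "registry_set", "pid": 2168, "process": "WannaCrypt0r.exe",
     "key": HKU_USER + r"\Control Panel\Desktop\Wallpaper",
     "data": r"C:\Users\Admin\Desktop\wallpaper.bmp"},  # file name constructed
    # Command lines assumed; the report lists only the PIDs and image names.
    {"type": "process", "pid": 4192, "process": "WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "pid": 4828, "process": "icacls.exe", "cmdline": "icacls . /grant Everyone:F /T /C /Q"},
    {"type": "process", "pid": 5096, "process": "attrib.exe", "cmdline": "attrib +h ."},
    # Benign noise of the kind the report also records (PIDs 1000 and 4600 are made up).
    {"type": "registry_set", "pid": 3168, "process": "msedge.exe",
     "key": HKU_USER + r"_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots",
     "data": "02"},
    {"type": "file_create", "pid": 1000, "process": "svchost.exe",
     "path": r"C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log"},
    {"type": "registry_set", "pid": 4600, "process": "explorer.exe",
     "key": HKU_USER + r"\Control Panel\Desktop\Wallpaper",
     "data": r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"},
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for name, pids in hits.items():
        print(f"{name:<24} pids={pids}")
    print("ransomware-like:", verdict(hits))
```

The allow-list on the wallpaper rule and the user-writable-path test on the Run-key rule are what keep the three benign events at the end of SAMPLE_EVENTS quiet; in a real deployment the same patterns would be applied to Sysmon event IDs 1 (process create), 13 (registry value set) and 11 (file create), and the verdict would be computed per host over a time window rather than over one flat list.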
Processes

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Untitled.png
  PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3168

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff881df46f8,0x7ff881df4708,0x7ff881df4718
      PID:2740

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      PID:1576

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID:4968

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
      PID:4948

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      PID:2176

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
      PID:1064

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
      PID:1172

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1
      PID:2416

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 /prefetch:8
      PID:928

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:4292

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
      PID:2524

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
      PID:2500

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
      PID:4012

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
      PID:5232

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
      PID:5496

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5616 /prefetch:8
      PID:5744

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5664 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      PID:5752

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
      PID:6016

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
      PID:6124

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
      PID:5152

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      PID:5432

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1308 /prefetch:8
      PID:6004

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID:5584

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
      PID:5384

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:5400

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
      PID:5520

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      PID:3740

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
      PID:5188

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
      PID:4388

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
      PID:5808

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
      PID:6044

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
      PID:5148

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
      PID:1748

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6724 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID:5292

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
      PID:5832

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6820 /prefetch:8
      PID:5116

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:1128

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:2848

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:1684

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:628
C:\Users\Admin\Desktop\WannaCrypt0r.exe
  "C:\Users\Admin\Desktop\WannaCrypt0r.exe"
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  PID:2168

    C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      - Views/modifies file attributes
      PID:5096

    C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      - Modifies file permissions
      PID:4828

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:1140

    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 95451721500070.bat
      PID:428

        C:\Windows\SysWOW64\cscript.exe
          cscript.exe //nologo m.vbs
          PID:5692

    C:\Windows\SysWOW64\attrib.exe
      attrib +h +s F:\$RECYCLE
      - Views/modifies file attributes
      PID:5980

    C:\Users\Admin\Desktop\@[email protected]
      PID:5580

        C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
          TaskData\Tor\taskhsvc.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          PID:3684

    C:\Windows\SysWOW64\cmd.exe
      PID:5988

        C:\Users\Admin\Desktop\@[email protected]
          PID:5884

            C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
              PID:5600

                C:\Windows\SysWOW64\Wbem\WMIC.exe
                  wmic shadowcopy delete
                  - Suspicious use of AdjustPrivilegeToken
                  PID:4192

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:5200

    C:\Users\Admin\Desktop\taskse.exe
      taskse.exe C:\Users\Admin\Desktop\@[email protected]
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:1432

    C:\Users\Admin\Desktop\@[email protected]
      - Executes dropped EXE
      - Sets desktop wallpaper using registry
      - Suspicious use of SetWindowsHookEx
      PID:2952

    C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nwsykrss037" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
      PID:444

        C:\Windows\SysWOW64\reg.exe
          reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nwsykrss037" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
          - Adds Run key to start application
          - Modifies registry key
          PID:1212

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:632

    C:\Users\Admin\Desktop\taskse.exe
      taskse.exe C:\Users\Admin\Desktop\@[email protected]
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2780

    C:\Users\Admin\Desktop\@[email protected]
      PID:4040

    C:\Users\Admin\Desktop\taskse.exe
      taskse.exe C:\Users\Admin\Desktop\@[email protected]
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:4324

    C:\Users\Admin\Desktop\@[email protected]
      PID:5468

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:4888

    C:\Users\Admin\Desktop\taskse.exe
      taskse.exe C:\Users\Admin\Desktop\@[email protected]
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:1720

    C:\Users\Admin\Desktop\@[email protected]
      PID:4792

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:4672

    C:\Users\Admin\Desktop\taskse.exe
      taskse.exe C:\Users\Admin\Desktop\@[email protected]
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:3060

    C:\Users\Admin\Desktop\@[email protected]
      PID:4952

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:5292

    C:\Users\Admin\Desktop\taskse.exe
      taskse.exe C:\Users\Admin\Desktop\@[email protected]
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2068

    C:\Users\Admin\Desktop\@[email protected]
      - Executes dropped EXE
      - Sets desktop wallpaper using registry
      - Suspicious use of SetWindowsHookEx
      PID:4400

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:1992

    C:\Users\Admin\Desktop\taskse.exe
      taskse.exe C:\Users\Admin\Desktop\@[email protected]
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:6000

    C:\Users\Admin\Desktop\@[email protected]
      PID:2704

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:864

    C:\Users\Admin\Desktop\taskse.exe
      PID:2040

    C:\Users\Admin\Desktop\@[email protected]
      PID:372

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:2952

    C:\Users\Admin\Desktop\taskse.exe
      PID:5944

    C:\Users\Admin\Desktop\@[email protected]
      PID:5424

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:4716

    C:\Users\Admin\Desktop\taskse.exe
      PID:5004

    C:\Users\Admin\Desktop\@[email protected]
      PID:4792

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:4672

    C:\Users\Admin\Desktop\taskse.exe
      PID:5872

    C:\Users\Admin\Desktop\@[email protected]
      PID:5732

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:5592

    C:\Users\Admin\Desktop\taskse.exe
      PID:2312

    C:\Users\Admin\Desktop\@[email protected]
      PID:4800

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:2480

    C:\Users\Admin\Desktop\taskse.exe
      PID:828

    C:\Users\Admin\Desktop\@[email protected]
      PID:956

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:3904

    C:\Users\Admin\Desktop\taskse.exe
      PID:4588

    C:\Users\Admin\Desktop\@[email protected]
      PID:5388

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:2764

    C:\Users\Admin\Desktop\taskse.exe
      PID:4084

    C:\Users\Admin\Desktop\@[email protected]
      PID:5352

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:5344

    C:\Users\Admin\Desktop\taskse.exe
      PID:3508

    C:\Users\Admin\Desktop\@[email protected]
      PID:5020

    C:\Users\Admin\Desktop\taskdl.exe
      taskdl.exe
      - Executes dropped EXE
      PID:4504

    C:\Users\Admin\Desktop\taskse.exe
      PID:4016

    C:\Users\Admin\Desktop\@[email protected]
      PID:4932

    C:\Users\Admin\Desktop\taskse.exe
      PID:5564

    C:\Users\Admin\Desktop\@[email protected]
      PID:3532
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:5820

C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\download.jpg" /ForceBootstrapPaint3D
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3204

C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  - Drops file in System32 directory
  PID:5900

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
  PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1172

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff881df46f8,0x7ff881df4708,0x7ff881df4718
      PID:1920

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      PID:5744

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID:5148

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
      PID:1628

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
      PID:4780

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
      PID:4832

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:1
      PID:5432

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2544 /prefetch:1
      PID:2972

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 /prefetch:8
      PID:5896

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:5880

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
      PID:4636

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
      PID:4580

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2344 /prefetch:1
      PID:5916

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
      PID:2236

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5412 /prefetch:8
      PID:2840

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5404 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      PID:4228

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 /prefetch:2
      PID:5936

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1904 /prefetch:1
      PID:1952

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
      PID:4892

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5864 /prefetch:8
      PID:1428

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
      PID:2844

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6412 /prefetch:8
      PID:3416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:12⤵PID:4632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:12⤵PID:4940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6108 /prefetch:82⤵PID:4544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:12⤵PID:4316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:82⤵PID:5320
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4776
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4804
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4932
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- File and Directory Permissions Modification (2)
  - Windows File and Directory Permissions Modification (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (3)
Downloads
-
Filesize
152B
MD57f37f119665df6beaa925337bbff0e84
SHA1c2601d11f8aa77e12ab3508479cbf20c27cbd865
SHA2561073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027
SHA5128e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817
-
Filesize
152B
MD5e3a89e2a42de982970178ccea85d51db
SHA17c763cc899fb3992998ee46920f80d8812bda0e5
SHA256080c62830cbad3ba39df547db96a696477535f57bdf7f47ddd27532fa5a5106a
SHA512c4202d309d453ff1b94673afe8e8ce87d434140e2311918de8cfa569fc9bcea20609cdb56b54e643e8d8c3b9be62eaa8483036634cafd7c09ee471a7f63c9ed8
-
Filesize
152B
MD5d406f3135e11b0a0829109c1090a41dc
SHA1810f00e803c17274f9af074fc6c47849ad6e873e
SHA25691f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4
SHA5122b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\169d6159-25aa-45e1-83d8-7e97a9da9289.tmp
Filesize6KB
MD5204f3c1b9205ba88aec258001a3cf370
SHA1e606639223fa5e49d293ebd8ac9c52321ae8a91d
SHA2560fd3cfd0e653cd7dd8a5c5479f4d47cf17e2c840f661cf90a43e00bea67f0a19
SHA512f4c5741c6d8b1227d3599e6fdc22ebc2273e117d997db44e689052cdb111f399d98c226d9e1bc7843179c0ed728475f820786eeccd8c4869fd86ba5ea0d828db
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
67KB
MD51d9097f6fd8365c7ed19f621246587eb
SHA1937676f80fd908adc63adb3deb7d0bf4b64ad30e
SHA256a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf
SHA512251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3
-
Filesize
43KB
MD53e4c95c68f28bfed38f6f12a8c2f197e
SHA10e29b9a92f4cff6fd69522f4b972d7dbf000f306
SHA256256e9bba80d098d0a90f0a4e9f6bf7ea0a6a50a4847caf5e5954a921fdceb8c7
SHA51201edfcfa99b35c1d60e29c0299e800c47163b4382c5144351b6635f4a6092b5be87ac9b83893724b98653acf8af1277fb794da4e7c9f5b53df00eb7b4f43378a
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.2MB
MD5931d16be2adb03f2d5df4d249405d6e6
SHA17b7076fb55367b6c0b34667b54540aa722e2f55f
SHA256b6aa0f7290e59637a70586303507208aca637b63f77b5ce1795dfe9b6a248ff3
SHA51241d44eafc7ade079fc52553bc792dace0c3ed6ee0c30430b876b159868010b8676c5302790d49bed75fa7daa158d4285e236a4be3d13f51ff244c68ca6a479ad
-
Filesize
5KB
MD51a63642cbd7194cd68461b1520647b77
SHA1fd17510bcf20cb0e8d169fcb2bbd2ccae9d2f2a9
SHA256be4feeb521da9824eb07749d1bc388bb8202383cd831b13e6306fffed52416aa
SHA512cc6d52cef77a476e1bc9815b290577fa6acb522058e8617df533ee60b1b1b9d11a083fb5286d704892f485b8c8e7badc703fc69602f261ad78d2588ea7d3f17d
-
Filesize
5KB
MD58c18d51f1c276ba1330dd4ad725a0790
SHA15a3271f937ad2268bf5bf7cb3a8955569a2fe5fb
SHA2560122fd3a1300664c653fade93fb1e450409bf5ca3ecdc14401f387eafdafc69b
SHA51228d568b8aee8887dbe50096bab7400a87abbfcd5b8fa367b5522b988ba1eebc39eafcf08aa0fd17fd8a78d623926b0403629c1ab472b270d7d611b2a0d7443e8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize5KB
MD5b33b46baa0503d6044d8cf036ca7e506
SHA1878bba21510562ade56d1fb34944a80dc58b70fc
SHA2564036d06b97ff9c511c57172b555405d1eb0fc194317244b0b20546abf925a080
SHA512e31417bde4fd8a4fecaed467cb6dd1e9d628c407c9239c3a6938d962213d3a4c6a0c30aa744ea45022cc4cd6ec8c93bb46967bb3d62f32cc5c81d094dc54ffc7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize5KB
MD5cde8e426aa9392a01bd7cbf6cab30cd3
SHA1efce6ed7703ddd0ab06736828194167f0ab38cf7
SHA256ce2a5498789b4837310e699f5eec89345c49af5981b30710708ccce25983014b
SHA51299b79481f91041424944e58b380e97cbe75480d17ea539bf56e869215c762c799c80bd1b46b235696e1b056a73f155d0df74b66d99aa6815b199d52ad3f9fb04
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize5KB
MD5729c301179b9c0a8178549747687c4b3
SHA101d05d6ded2017dcfbc575249cf4e13ffde4f237
SHA256224fc458a6d81cfe2e2d7977a3198736773ea442ef1f15e9ebfb0c8f85966ad5
SHA5122601573bfe42e94b466e5ef1c00c81d02f976fe276e402c973227a7e13603344f482f4ad84c4afa578016e7775d16ed9fd7433b5a501e9fada8682576c396337
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD5fa6768dd1126041142102287cb2f3fbc
SHA158a5ea53213a77ebf003e815bad70922058049fc
SHA2568466b8c490909e9feccf468488fbb5af4568b48fc97989522dbf07a27b001c4d
SHA51234638953b2ee68589c5144a098baacf7c002a90e2abd7139ca1fb9af1b9c000775d40a6173a3899f0af826b3a56dbd1b742b5e7f9c055c55530d7bc6f87081fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD530d2c64a5c46f3626be0a343b550ccf4
SHA1e2471891c101dfe45eb216a2ab261763a5e320b4
SHA2560e68897d753d7a6f233e16fbe50f6a50ed2cfc3ca5e4319d435fe03d77f2b941
SHA512dd502f73311e392eef074b8139d96b5a8d16d7805ac68d05e71fcc779fb6fbf796c4249958cf82fb01a6d160f29e199a1beb8f7fe2e33a602e44818125dccbed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize5KB
MD5e4d56e8fca503ea232b50854fe94da8c
SHA1fa050ef8244d53a2c45b708544cccd5c6a23d90f
SHA256d0f98d5af040d82eb95dd7dff470f50d3d41ebc9301f1cc0c7dcd5c21207b3ac
SHA512a594627ec7a5704953170783348a11254e14096e25e04c19c7a5437074184076b5828af71838fc8b161232f84ff82b04ebf2ccf09b7c04a574734b52f89016c0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize5KB
MD57c645887bebbc9200eb1043eeedc08b0
SHA1e07eba1a4170573599368f0cdef20717973d9e22
SHA256ea50cc3e03c0701409915fff45227b87a81cd15dcf4ea12c7e9ec09448d16427
SHA51237f2f3edf54060dfa545d7ba51e8583121691e560806042cdbd9be7024bc2e9fa6cddbd417f41bc3484cfaf645f18b9c1fbc551c847dd17b4aae0163c89e42b9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe6a8214.TMP
Filesize5KB
MD5835e53de2745458ed16f5770ae999786
SHA120e2a56a4e5e523095d312b11d52098c8d95d2b2
SHA256f54a567582b7a76782d54e3a1e665be80045da562a64eecfe71f6d729e032b17
SHA512989d901604b470e4c0e5099ea36637ce4eee498cff7faef47611c7005c466be5a4ef4277b6711a0d6b9659581ed9e9db5e968a9391e73d36ce2e74cf9934e031
-
Filesize
1KB
MD5b63cba9284d6feda75b3087dfcda5333
SHA10866f6b1b33357a1120ade6b4d85cb7abb15f810
SHA25664fef7e3a2164e8ac0ca9555a6c5d5c1b0a989e33f425530de4aa17d8389c4e0
SHA512737cc6dbf4f05265d01ef2f8a96f3efcea710237d182b18ad3b5df54c35017d4f1723f103266f7ff0b88b784f145e13f2fc23f0f5eadfe7fdd78122000a107c2
-
Filesize
3KB
MD5b6b386a3930e975e07b3c0d677c2d163
SHA142c78d2398ba72e3147a7a978278936dc7e62a7b
SHA256187c4bec14abbdd7e7c3760befd6e8e7092cd3d29b6d465d5eb094a150425bb6
SHA51251eab829ef828f8349378dda58bb5726654248012e7a623280779ccdb29c8e6e33d68f991acce7fb3601fe3cfc662e4d0a451e0515aa24e0d932e850fa9825e0
-
Filesize
2KB
MD51f1ba995ca2a068de4b4a8d67459e336
SHA1c8ba84f4d9ae2583e2f1cdaa7a4eb93bdf67603a
SHA2563029feffea8a08c47d25135595a628756d0b9af4e02a3044a56ab579b5272b05
SHA512d9d4ec99e22641e441f9a3708de6feece4481413086f39618877d589fa78a636a1042431e69d10ae7d60d201ba64e7103e8dae6ffb5afb6f33a2df4210aaf48e
-
Filesize
1KB
MD5ea5ea4e8d5cc9f2dd58c0dcda788fd35
SHA17e3974a050e31dc90168abfa227f46c9425889d8
SHA256c16922ddea02d0da12f9f2d638d8c8e3ebd45f0a0d083bd56cf1001fb969cd49
SHA5127a39979eccfced9d8e7aaac8853265ac084c1f744b63de1ede937729b05e6b3faf840dc7f0687008ca99c03b093e4a0496dc86687569aa62bcb4eefd699367dc
-
Filesize
3KB
MD577ee33a8e7f01e7d089a6c95000cc932
SHA17bb537a299c592473b8083a96de66e9f7bff5334
SHA256485314b2a828ba1689df0ce2d1bb1eebb8ce6965bb2e2282ffcc85a6f85445b5
SHA512a0be3ce4dcb0470573e4c808ae7fd92639bd9a8bad96707eb234408a893df6825bfb1496ef08115bc46b0a5e5e0040741b3c29f8e03cea6a64c5588f54ed52d9
-
Filesize
567B
MD529aedf1bc48aa6102f82623cafa465e5
SHA1dc898892c8632dec1d13be0df5544f716d4d30bc
SHA256be7a6c20f6b340233bfb6118a6cb4b602799bce63e0e4a74f7612174706b924a
SHA512b58f934a95fea1d3a166779c05382bf00f7c515b9c3ed46419c75416b34af5e092b4e9808b5c9d43c84f4f0f2e3c753533af233606c278481c7da79ce14fca64
-
Filesize
1KB
MD5ee100ed7f598a695c45f54259fe264b0
SHA1d2c17e3e02d981690d5c05d35c30c5e697339360
SHA25609e0b8eee439a9ac6d69cbf30f49b7ba09f76adff13ccdf4db88a1421511357d
SHA5121be498f1c6e150df0e5f6a3a0816ddbf94bb48c57ad60e4a59c9d927fb2b6d550954aea9d46129accfef1d0d30128fe186d495a9bd9d76b8911d513ddf01da84
-
Filesize
8KB
MD5b2c588b4c9a045d38a76b9ae7c862e13
SHA124beb595d61e85d7b425f4291ca70d4fc0c3e65e
SHA256296bc592d6729b20642447ea462f5c771b61b50f57af31c2c036b0d82bd5514b
SHA5129703813675d0e7bedbc3b1fb9211813b2f0933a58f1603eafb0343c51c243046171a50f442803c1cbbbdda1f22f53c3c505bf26ff6c1134107946e49a7042f67
-
Filesize
6KB
MD5b86b18502f7deca2817892d38fc668ff
SHA17f07d0ebaab2a887fb5f1ea40e68be50b3306383
SHA256c7fd02f3e863271f7ed5c9d8bdcbcd4486ccbd72d5b63b7905f15c98250d5238
SHA512cb7a14b3a3f11c85e1a3a15582b92ac3b42195ab5ab6f4a0535444203af97685205bbf1ac0e1be1583a5fef39856c84c57ee5c55cb479c0477d9ad6f9c9e3267
-
Filesize
7KB
MD565314fd52c5ca303a191244b09aa3e84
SHA1c963c1de0350a91dcdf341fad09dd1204e7a8924
SHA256faa8a933a7a9a4c02af82d7d617d5ae9588f7487aa966b1b595b84f5e3fbfe66
SHA51227d3b924722d44a6401401ec188622bd53cada4c61235e9ee2d7ece69df85505a9e7b122d37b2076845c153608bd9409cf0a5aea092bac1c97fd97d985678a9d
-
Filesize
7KB
MD508a6cd7bea5ae73f441edc778f3bbb1b
SHA1c0f3328f34850e49b902ad2a072df82af1135d5d
SHA2564b448cf44f327c1417f34ff2a5c9150cf25eee809de9b4effff154378e5b7407
SHA5125dea381c12049e0fcef3b11c6608ec26660a5c83d069ba71d4889b8ac2f8796b0b45fd842b6cfadcd8b32f9d650ee63cae0286f5b2016b6779860593b47373f1
-
Filesize
8KB
MD5b489a6fe35e2a96338696551332070e2
SHA1d167e960cfa174828be95e41ff61293154491a68
SHA256c9e9096fe92030bb273ef742e18aa5b06c9d8e04131bc3353537ca075c85fefc
SHA5125188295de3580a837c41b68eee777162b52e81b2bc06bd7e41d19b807f3cb10937475a81a085f54a43b2212f65c8cc824293d74547005a6c5933c1baa0fb6023
-
Filesize
7KB
MD519171e92989484430d412ee07e84dbbc
SHA1f7f6fd78ca2c5f433f803dbb9f701987f1cd377d
SHA25646204bac1e95df6bd14409de2bb902afb9fe5a23e0d70541d4a8bb5b1fc5f334
SHA512e41076a92e7fe43d13903df217edb3adbc2cdea46777f25c76cecc58766e75dee5f1541c9003a26270eb37dc33d6936210074b04440bf35f96b25ac58618b402
-
Filesize
8KB
MD59c837a349ff07b299df540f8dc60484b
SHA17a2f70662f8f63c5e15a5f43643812755155fc7f
SHA256cc241ebe16431dc6a278428ee65c1309bcb4f5c2597f13720d1139bfe6ce07bc
SHA5122d9bed5f9e0729983c5d16a5a2362b74daf731f340fbdbdacaeafdbdf19e55be12ed2ecbd94c8eaa2e1a9acf3a01888e11ee3851c6b1b5e1c67afcefaa3dd0d3
-
Filesize
5KB
MD59282364f63199cc133288fcdc29fcb94
SHA15c5ac33eac1de92fa7500d1d9be608142a17bd25
SHA256150e09424164bea87fd88d18a88bdbac0256d3ff070979dfcb07a6bf36df65fd
SHA512c52d7d594243bfd49a3f2f49c3ccf6859163cf68b242e186b3e2eb245381bcf3889077a28c1727c2bb43c36beb4077b223bcf07ee03769a4f36dc19608a4cb39
-
Filesize
7KB
MD591d0f277f3b78953c0ac6014e91118c8
SHA1f5467a9912b91d4f064f83111738f8bdc053d807
SHA25674eab921541f52b1a8ce2d24a71534ee9f3ba3e3a7ee37faf959fc31dc9fd7c7
SHA51292ba0da9ad7b37612e986dd6efe7a4b4a0161f751c396ccfbe8e1762911c24c268ac68cabce0a5b263bf590834bbd40c65e0cf4d61b1b2bde0fbfb4ddd666bc5
-
Filesize
7KB
MD58e179fd27db257316332b9170874c65f
SHA15e60a9593a750c5363f34b51c92674ca6dc5ac36
SHA256031aa2044e26fc95fd92aa6ef113a5e34b7a5f79453ff2254871459d7419de8b
SHA512d89e5a0703dfbfbab6b66011b2c5c3679f4301452e7299c59e1f9bcd2e8851b4aebc79be0d3ddd77351466990b77c449611d2ef9d65b81fff42e2376e9055d29
-
Filesize
6KB
MD5480a067cd439899f1a2b43cb5c9fbad4
SHA11fc43c0391d6349063bb122e3394601eb6dc9565
SHA256de5387b367ed31e50bbdaf37d5adb4d24f4a7edaac77605aea6258ecd4809a9f
SHA51238d43562771d20c13c1daf667441cde0605446a53c854a60c2e7bb63042418e0c4a5034becf8447929b559bb50cc259a0c81a910394c47af89feef832b3e959d
-
Filesize
7KB
MD5af9448ba72b72823e2e3d71f1ca57093
SHA17d90ee961311dda4dae20f33c2e765e6be99af10
SHA2566e693789eb45f8395e6795c30f542893a7238eb12f1dcc4440607b48c8838f60
SHA512dfa8f1bf977dd6cdf559ac550a314678117f92f78b2a2f0550475f3ef0dbd38a0916ad5e484a9d2088b5f8da0014a840cdd19ba4e50f90bf2b56eb6a0f78d5cd
-
Filesize
1KB
MD58ec9caeb42a5ccd49319d9341ce504bd
SHA19c8fff89dcce0459d8fb2ef3a739a8f9e819ad52
SHA25626d9c3f94e3b60cd99e61ac41f7eb0e102677bcb59dc3d4f35b01633d487277e
SHA51258053b971388b28f4d926f65a45bc32216eb4b7d3a29f5215e45f77427aede6702e4ef22545d77b5d4f007b5200e467cdbc62cfaa8e1a8d4d496da9a96296240
-
Filesize
2KB
MD557a56a8c5cf2b08eccf6b7663b8a915a
SHA1bff1c4c9aa0b26b996e37c43c4a31c1beac580ae
SHA256bcd5f4c4a21071069b3342b832458dc41007413f4e53710e8ffcc50e6d92e357
SHA512ba1378f1339995fdc9b6f9feaca19f8752d069b1666f02413a3825ca6b59b1818eaef89de99488308eccb951a5abc0d98eb47da59218da69899f10c720d7297b
-
Filesize
538B
MD51be7eb7b8ad7f2f4f0b3e2652dc89291
SHA118f7e37ea0ecdb0d89aa142f5c4dbd530108a5ff
SHA2561bc8c64ce8d49808fb44e47de97157378364747d0c8704fcbaf47570d1650c1a
SHA512d1d187cb658dda6af2281fa34fe02a1053f53ba5ed9987a0df3dc23a730be187945d320d7c36ccec4a3b473fd1f4c041bf160357c9a07c02d4b66de99a808718
-
Filesize
1KB
MD5439f19e5f390b9ab5595601fece52e72
SHA1837519582de401216917a571717126b5f2a3a4b6
SHA2566017906bfcd8d367e671a39d942132c7866a87e3d41f0412d716555edaefab9c
SHA512151576aaa28730b4d1220851569c82cce36b8139965685fd90045583950a607ca87d6f1d00dbc248194a7924721bb5c544dd09c7e3f8b8a5241409956ad6c271
-
Filesize
1KB
MD5a61349a31b8ad1f251cfd6ba315c0d08
SHA118ea34d022e8c6bb6c8fd853bb065eb77a0a6190
SHA25607f9fa277311dea0d9dad1e080565e8e3a834b821a779cd34957dcbde68bc0da
SHA512afd3b076bddaa4da41c6858130fc56dd251c5efeeec17045a67f337e815af1af39ea1b00c63e3ea141b0272098fb9858a6ad2c7ef1c2a7ed74ad7928be979468
-
Filesize
1KB
MD5d8bb99cf4cade45f90d0e13d1cbe28cf
SHA1053272fea4079d27eaabc477865e9e702ce86e31
SHA256c51afd0d83be0ed24ceb040bff5d489d90b300081fc87661fc4394b2cf427e5a
SHA51216fadf6fe580951311d4616e44c754767363492adc63d4198be2a67afe57e8cf22bae0ba02425d8d7f845b162339a1e0ed59000ba8225936f74f3235123fc1e3
-
Filesize
1KB
MD5980920a6649bed3b72d7ad7cd30820c2
SHA1a384c8c58cd26f8398d38d210545beb7b2e62e4e
SHA2564474d60e8d1c9c811764caf726f253f0baac4c7f6a4e98257f0b972b66e56996
SHA5126e5ab28c0360191222894e0938fdcf286c098d305747074dca11743c82e19a402ae077cf223ab3ce25528bd61f75309eecb4866d3e80a9b917cd4ad6ad921ab9
-
Filesize
1KB
MD553789396428a7d7ca3beeb3065b53b57
SHA1b8f53fbc8e14cdf4ac0b4724a80e385df0bf6e44
SHA256055ff6386fe1deec2715834404964316b95d65d15d830368d98955a74147aa5e
SHA512734145896e71098d8cee1136d288871360c95aa9ffdf528e55dc5856a2368fe31e96a5d1b96b82ff65075757b24ba42ff0720a39389ac266b4ada09d133e685e
-
Filesize
1KB
MD5ca12be6f41f24148cadcae1a916eb6b8
SHA1f01523ed666ce2773224cbcbbf0de00eea96d979
SHA256c8d27ed856af09cddddd865e5b69c2ae8f9b67f689727b4916990ee8b9aaa5de
SHA512daeacc614dea105b45de747cdc238c912e180d3aded5d779abdca32ec0f1d9d9135eb0a208a9f73e40305e72d52a903ba9d9944a4dad444978f1a8d6b97562e0
-
Filesize
1KB
MD52a9e0c58486b708e0c279b2932e8f35a
SHA1fa0dd7ac99b7157bcdcbbd61b8b1b87e386e6330
SHA256cb43208a6402e9104378b8d8477c388fb4cdc64ed64d44d478ae08653d01b26f
SHA512972cd93594f13c001c05602b627e4e3c49670ac73a5879d2eea1bf23932828c69fc53c71ce2dffdb588a41564bd8e08f64dada99c8ecff4c179c3085df27f190
-
Filesize
2KB
MD50661c3c92d6a79fa55ebab3d836facb3
SHA1d13aee9f46ea5881ad37ede49446a19532451019
SHA2566019a1f2bd9db666cd6dc6ca3f865f87085cd584b3808c625fa59afb6405efbe
SHA512723ca05c343a83b0747727cc79bae43a981e972819d3440de108fad2b1ee22f77e45a4e0ba3676907565cf102370eac26faabf2ecc3c586d6c6cc6575067d76a
-
Filesize
1KB
MD5b766890f0fa6355150800926583ab256
SHA17123b94de3f71f2ae2b65e48a297bd4be706e028
SHA2560ea7b6169f5fe6a7f89f07aaea5654e007f40267ad3d7e767ee67a786e3900db
SHA5125bda9a3d009cfe2a935fa5268f79fd5c2428d1d15012ed7fc59ca3e1b29e3dfbdb991c0d66518a6a1ee75f63fd630258e9236c8164eb7e3e7c03d31cc24dea3e
-
Filesize
1KB
MD5ebca88276df07bcb04d961bb902706c1
SHA1c3241742887c3d6114926fc5e34dd060f5166ac9
SHA2564b0b50d7f305810e0e08d29fc90061b98e8d13b892ce331b7933a449963b5428
SHA5124946ce8689dfdb06abe04ca1e0f52242106310b6ea4734ce59af29ca95af8754a47c9881d9a42e862ad535fecd7d7e4c9b424fb83664cb79718c4ebac574e1ec
-
Filesize
536B
MD5779b66f2111762702fa81631d5c6ee56
SHA1a850289bce2ab0cd609159b6172e1e79959245c1
SHA256bcf0334275b6f32c00b33fa4eb9c9252933414087678f1ce0313cc598429d35b
SHA512489fe55175ab55a276e784c17f4a7d428d6bb82660973affc5a813d0fb76fadf928ec99613d2cbe1d9dd325e8319ac6f06be97e53b4dae8b3167758d1ffc63c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b15cbdbc-700a-4e8a-b0eb-69ac33eba958.tmp
Filesize6KB
MD5312cc8c8ea38bbd21fe0027dde0e0991
SHA1d4ac7a0a6fb3d0d5e7610fe06f8e491f21a3810b
SHA256a2bf692fe533a8ad2cd470639545c202ed49ff7c0263edb3778e74a90024378d
SHA51220373cb402c10b9d3be888aa3f681c51779a271b277cde0b4b95c3ba4f1aea939de0adbfdc3fdd1bf7b80c34d358b8ddc266e264153ae379d86d67836b0cdcc8
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
12KB
MD593f08e59ec4728b1d7396d1d217ce845
SHA1dcb8d99b5e4b9ceb47a7c21fc6ee440b066f632d
SHA2563efd65e5960eb3c405b67915941e3d1b58b78f66b62d65daff1ff0a678ed557d
SHA512fa855f86a1c5d6af366ea33bf6cd3b58d244afc81ebb05ba2ce6730a07e36a4ea11d3687060a4aa052e0912f01a28530e170c57ad6ac734846636a25040df2d0
-
Filesize
11KB
MD561d4fab5a2bc9ba41da595dc672347df
SHA14629c49ba34304ac418fb9ddf0e9d68568c507ca
SHA25609857c7dfee7e1d6d44c8bc2c19df2b6b7f7efe102f3a0eb0d3c1787d824dbe1
SHA51202cd8de525bdd9cba12017018b755c5a862bf805f41de5f03a030a50ed33a96e6fc77a7101d295b991c511e71a2c0f6b72944ce03431ba7437f7626a2e204cf6
-
Filesize
11KB
MD5dafa12abbac114409fac4d7b08b4eafc
SHA19c838b7a9849f3c2d7a9ffd2372b3b3abf49efdf
SHA256b81335b5608a9d01287ceb64670dbc60e54a9f6b5992d82411c27c01148a6b16
SHA5125f41da3c1ee5517197e6e2a4a747bb8a145f69419c8cc640498db2fa3681f1e9a009d17f862f638881677f62f9182c3e65644d723c65329c246412926e2ef95d
-
Filesize
12KB
MD5c6fca8657a417dc31e8597de549ac0e4
SHA16bdc03518b46acf178f34f561aa9d5b89f63b85e
SHA2567b81ea0104853c25539029d4fe5d7b684e89af3555d83a4e6f1ea58c5ed58ca0
SHA51223b44b1b16b1b49287cb1ad37ad8a9ebc7b403296a1e790434038fa51468eca1508d8d26bb30295e5fb211fb80ff7148a0d6f89fc6d305e86892698a0f27c16a
-
Filesize
11KB
MD5a447b76a0de40f68ac2b8eb096b8c2db
SHA1fff682c406b0aeab6453b3e5daea23977515642b
SHA256ee9bef5ec5d7990a3ec2c6114621c5737bf713112a5b5b83bd213567ffca5f5b
SHA5127b49f6353a5afb416a46703c349aef1346a505d8d082e4130908c20bb66faca4a5928562fb96c3702b411bde7e05a47b4776eaeb948cb2ccde7c7ac76cdcf4f8
-
Filesize
11KB
MD57590dc3661f66b0ea3cfb5d4a32a5907
SHA1e1478cde2a6c544ae07093184398a39b0ed04e53
SHA2565fdf438b11d105e390d72bfc9ed06b47f6b77b690027925a4975e5ca57e3824a
SHA5121a977e8dda24d6b6a8c782c8e8b02fcb243c1616b5727e44ea3f83ddc2e89b3aa6ad930a109221727b89589ed1740d490b90117b637a3a12a10a82e51449915a
-
Filesize
11KB
MD59fc13bd3d2ae589419cfcdc817bcc681
SHA1486649e320e74459e6ba9d6825bbea9aa5e6990e
SHA256fecee7581f58726be9224040bfa7fa2db49c98cbc80cc358bd62ceea2f1cbbf2
SHA51233b6c06cb8995b293576d87a5ea2818c6682048ad9d882317c355c7a404f993faebe47943ff01175a07a1e7d12ac41a632b130d9db34b10e70c35ad13161028d
-
Filesize
12KB
MD5c6952071aea83e85d604fa619e6b68f8
SHA12504f021bdd8ac55805c4d57deffb1489e01c183
SHA2568a0b2084c0a90ab3bb2015cd340a0ba29b2b023b6a76c4eb67ebbb10a6c271aa
SHA512db0d20893356b0845c89fae09917d2cd4cfbd4efaf64e3c2fc04c0131feeeb3f38f46e26392d34233363b6d041396cb0daca5dc2ae2fb8096983c04a89539e7d
-
Filesize
12KB
MD5882cd1abfffb0d22b7e1ba0c4f232e5d
SHA1ebd32c3f3930667aa907afef742cf928f5abc118
SHA256424dc43a854c1fab927eaa6ee9efe0e9a953d9f0767c340c1adf07d9295c9fa7
SHA51253266568c0a1d5d32619b873d6af1dda7b413e814ec407d738ec2be7fc60bf3be03177a981b7fe7c94f555f2eddb1e4f1cef02fb5e01f472936369e95184d6ab
-
Filesize
1024KB
MD54ddb698294de0a803ef62d19f6656fba
SHA1921860b92feccc90e8cbfd0b7ca3e7627a1f03b6
SHA2567a141c590a3f8e57ff620bc78aaab25bf45373bf04a910c46c04729e3fd3ca62
SHA5124f7232fa6a94a85d82415d329e62b635303b7e65f6093b3da7ceb12bbb04650d7d9ed421cc6b3bc036461a389d895ec6b989bf9740645afe0e6b5910b25b1490
-
Filesize
5.5MB
MD5529d2e461c5bd440e15247e35cbcf42c
SHA12fa48a583fb07dab6c9c03ad0da065453a5feeda
SHA256cee694e4cb5094155b363d75167a7dfa386cf441c8b2c49c7364815b61747020
SHA51268bb3ec262fea834e21942abb4037c79fd32d5d58471bfb345f7093ae22df2761c8dfa30af03bd0c6b7e0721df6071331540dc64eb6c4212ed4c97b568fcf6f6
-
C:\Users\Admin\Desktop\@[email protected]
Filesize933B
MD57a2726bb6e6a79fb1d092b7f2b688af0
SHA1b3effadce8b76aee8cd6ce2eccbb8701797468a2
SHA256840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5
SHA5124e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54
-
Filesize
537KB
MD50a8799951df800696532cdd457a9fb01
SHA1fa58317ac9a9faf1819f349bd418784c8d28ec90
SHA256fe64f84571c36b246ebff6b4fa00e9c0a2f1a0de28ef77033424d6b76a19fbf4
SHA512ec8f858b6c33ce7fb1c762219b81643799c166128202a8d1cfce4c06de24af217c16cf401c5f672899938dbe3a3ea83fb4d7da66021242debd54d58fa9647ea1
-
Filesize
943KB
MD5b2e92d923fa8a1446e4e662a3c86e3b7
SHA1043bb8ed0a2f6f7c3372971a511472a1658b7b92
SHA256c866d311c459a3454d4ecd461e37bf1a13dac7b1ea45c4e149d87d3fc1680d04
SHA512ed917bb559c0bebff81dad53d837f087ba28e60f60c17de4cda3a50a433f3833f5974c8e6b0c8c7464d0845e6dd4ed80e7b72b3317f5f0bd51ebedc3dcc5b5bc
-
Filesize
1.3MB
MD501809c96095286ec956dad4ac1e6bf19
SHA1e5172185c2e6dfda0182e691607400655d9c63c0
SHA25604f4aa9e0bda9a8be2eea8b0a7f7e4b892e41d8531e42d3018e06dbed74d7b55
SHA5125b27cecb89d842e17bb238c0e461b23504cf1b2fa1e3dbb1b7f33aa1f2c2ad36f5e53fe25f7a59149d95bd8417f25d23bca7f8106e5a854708a217157a2f5d49
-
Filesize
595KB
MD5ea1a1c8541a0558775dc06d1ca97741c
SHA1a904e45adb3057204c773843ff4812abfc8967eb
SHA2562437657ad468f48ce4da3b9451522abd03376b442516729a1997f8b9edd9616a
SHA512cc892ecc5098c7f3d79c20b618eafbb0e325801875b3d7338aca00fd99cba6a1d2b6fb1ea1e7b7e9a4b3fcccec9edffb19fef7bd7a9d433b5f3996c168a60f69
-
Filesize
914KB
MD59fd51d45bb82d742c4c0d268ca39b0eb
SHA1feca2446fb1feb289c23c094b430c7cb598013bf
SHA256fa376e66f275b28d84202cad70769115161e7e924f30b54a52059aa0bbb30045
SHA512c5f3972f6f9997a3106200b722ba3e4be70833390a5df597f4b03cb17df91eaabcfba0c18f16adc7928a07e75d7049b0f2811ea1bec27f21bfd3f2d272809911
-
Filesize
508KB
MD5e1d2f9ecd3a09cf01c07c8c418d4fb5a
SHA16e838b0afaf3a73ac25921f70fe923c44e77ce21
SHA2564bd688baff1016d4a8b815d41aafa597664b5510a0e13b6b37022d32ab92e2b8
SHA512200d2262f72cb084a05456a9f6caa0fb79ec717343a07c9466e4aaec3c5ed54bd48e957373af0914e0773d6c949a7a1f26a16fa5fa6979d4351c45b9264b1fdf
-
Filesize
362KB
MD5a715bc0b96daacdcefa05cbdca920ddc
SHA1dfc64350afb234cfb0ae05fe8e436bb4de028057
SHA2560b40e5a17c19df48c8772fe1914d09ab151dfbdcb4c4c30a0d0ce39f4cdb734a
SHA5129d4686c59e4685363d77ded5b62ffb9907181269a66eb2a7c2700cc7c9cd8d11e47575b995a92b1909e5e2a3162c71ea900f46b6c169c498c0511588e07e9f41
-
Filesize
421KB
MD5c87f1f1f3cd471a06917669dfb4f81de
SHA17d234d7551eb99cfd65861652e526c3f98bb898d
SHA25694bc94da54c1f308a06528da50b2c432b51aa3245f3ab1612e9841e2aa008e2d
SHA5122b61d5862490b2a9e7ddbaa71070b83de752046dfbc6a65650b7945f59f187c8b3ad9ea100a4f725f48084afa88c22f7c4edc2ae76dba2ee91d1f9b59301ebfc
-
Filesize
827KB
MD58c84b30b61495a70074682cb70b30eed
SHA15f7595bf88df130a7217315d331f87787211e226
SHA256595ac64ab09842e19ba5b236b5528a3900dd8ab2908d8faa635b65b034e44c4e
SHA5120e2150f15974559ec149057a46b1c38d979513f6ba632f3864de9fac53c9577a7d12c8eabce115c62817c6206b294aca78344faaf30b08ee8b6ba6697f519d5f
-
Filesize
653KB
MD595f9b285a3628e6a66198d2e4128f74d
SHA160db7e9ee91fd87008cdf689760e276974d1d358
SHA25610890239e599946b4ef13be3e4096806a5d0ddc75ba20b4a1e615f67ec4a0787
SHA512bc9468fcec9a17ed8f0c4765556f49fa345b557646e7c51340ae5f9bae2e452ccde8ceb2a52ea6a32cc347df8818e10ad302f3f5299509cdf77780b2f96dc311
-
Filesize
391KB
MD50468678dd121a04903071aaa690de24a
SHA1adcce68342202721866077dafa1094056fc0e91e
SHA256baaf682d179d0465091f02522f71d955a85274d647bf63b7072a6f191a41c82d
SHA5126d62f65216d99b8e47b9016681687c4979e6b149a6323b3ad74dec8d885be65e78c03ee822f1b95febf7d4403b9a3161b10d4c0542ffb0738f57ae76b5826f94
-
Filesize
566KB
MD5293cf971a7346305dd500184fb2bfeb1
SHA1c7af817133a4dc47185f67ff3b3ac2b085204306
SHA256cb18332ac0c6f722d9aff285263a1adac38b33c7e065656d9b6be0bdb28cb42e
SHA5120e5ada486160dddaed893b80c9486fa10295514b428e5250244447176f5c5d825edf65e227615905705dee8cde348b5122c04f5d94295cbd85ef18d2033f706d
-
Filesize
450KB
MD5cc3abe85dccf3d2f83aaab343742e5c4
SHA10ab4f137e0e65655b05627d34acc877ec5538042
SHA256b459bbbbf5a7b81e15c1d8003e00968710c812b4cc13a61f920ca40a6a333a78
SHA512a9e59ed29bb1a8b04a4eee3f619dcb306069d942c1e7c338b4e5082b53c6e8c448ca612f77609cbbd54903e86eaff869def870919288a8536378e703d096aa3b
-
Filesize
798KB
MD5233fc8fec472704faa6a3771c97bff97
SHA174d088d43005e30eedfb729e727ab722cb7b6c4c
SHA256c4724905053c1e07cf8f975d0db25388bbd541d087e6e265d53431ad7ea12ef9
SHA5124db4a19c9fb8b447261f91fc9f9fefdfce919a1ed28f6ef2aa6322615dcb3f839bd5e9c484cf191585a6129438b145c12b0bdd7f385dbbad10563055e478f68a
-
Filesize
682KB
MD5
d6d0ff7a3861c86d3919516ba0d97a1a
SHA1
49126891bb48e1cae90ed213ae8bb36c86c21414
SHA256
9759ecdfb17f98166c81ba63377051e318366a774287972183aa8308a5a295c4
SHA512
68e5320f97173e87b363e555923cd4d1009d4aef6140cf7d04ec8b27df54f504e85b4e17d7b732483c6e02f89019f05fa5e7abe3bc2f989434df0acf924b0d90
-
Filesize
769KB
MD5
f2426a82c4d4f3eaf0dae3e211a6718b
SHA1
da026ec5393fc36058c01488b912d6d5d7b1896a
SHA256
204bd969dd434a9be9574239da7cc3f6acd833b49e5f1a36ced10561a788fd08
SHA512
2a3866947d71f2df69d6b405a20a15921fe0e9f6075bef0b54c5681e0a1237addac29aa611c125b40192bb051ea8a6ebb5d02a930f624475d12704af2bd282d9
-
Filesize
624KB
MD5
5e04e7f6c487d1efec527d4e0d256552
SHA1
0bc8159b60afdd87c0d6f0bc6f5037abd2011c77
SHA256
fb98a0e3eb29d0475e71709bc294cce0d1c266af2fedb1f4673ee1bd323957c1
SHA512
7b9ba7348b0fd896dcffe4507fe253fd99bafcec0ef5ed0123de0478ba07b13133bfb875160520b859cb40df1bf738539bd0191ce0dc2578d86ba36d96014117
-
Filesize
740KB
MD5
bb4bf980d59876d615b7dffe54abac92
SHA1
9131e086b12f49730601daf48f8a26130b59ddc8
SHA256
bf99aa459930eddd1715a4117c7ae7b8226ed05609b6c7f274e758aa59eafaab
SHA512
2bd4c042a691cf432d08f9ac055368cde9d9d95c56f9c5ef9367e80d6cf4c886fcef0371f43839a0af83884cca1c330e367f73d3a2f55ec7ca7469ab06c37c42
-
Filesize
856KB
MD5
f0004df682ced19f1be5653a093bde2f
SHA1
6638eed5ac128769d3c3654fc66c9f4163025752
SHA256
e3c93bb3d7b5854494cfddb9e4fa8ba4263973a76101bbb770464201df92d70b
SHA512
f453d41f1f31adb37f12c98ecf12179064cfd0fac0962f50d7e2b6ee26b46180d0bd93182425d816f70a0eda840d50f636682dfa51d967359852506478ba777f
-
Filesize
711KB
MD5
323ef157d0c95e1b61ed20550db5161c
SHA1
b2346303655f6780f1039cb2de4d6d01a757f37f
SHA256
0a2e6dae6c984958a7aacd82f4cf5a3ee4daf73d55418e14222ce16ed3fd4e3c
SHA512
0d2963ec77faed234d82a20a59632cbd21a42bea7cbf888e7a2d8a8ecf8debc39f14c8a734f9e151701832097a805db33655ebfbfda1fb83b9256dad86175e97
-
Filesize
479KB
MD5
a67a4f0e8ae203ecf4727462b13f5002
SHA1
7766523460de2d13a3842db54b3379fd7f1c8e2e
SHA256
e7ccce83d67ec10d099396245c18deb85577ec7b52e03bbdddf53771007d8997
SHA512
8151481518168093fe979c3a5c66574545edc3f10e0e3d5d0ecd5d59959b6de9a67dc5731b35dae2e282fd4c1685e2d6ef5058137bf6203e1b819d6a29c7b3bd
-
Filesize
3.0MB
MD5
fe7eb54691ad6e6af77f8a9a0b6de26d
SHA1
53912d33bec3375153b7e4e68b78d66dab62671a
SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f
-
Filesize
333KB
MD5
01f0d80a1df73da4fbe1e9b0c530bdfe
SHA1
ab4ff6e33bc7f47462ee8252b96656ed6573f228
SHA256
1ff266c1e6cfb8839132166d504d43f9b1a0cecbd6a9d35bcb23c86492298903
SHA512
fad05dd9fcfc66569993541007459bbba14f96f9fdc9e779040980e710a0ce292828fb50740e35caf504408603d6f2322e30a90ad78ee992607db9ad6e172763
-
Filesize
885KB
MD5
14bf072d10d4f10d6c60fa6bea7a3f50
SHA1
a5a7ff23f297ac33c9f2e12243cd853f089181b8
SHA256
ab0e63752ef265839e421360403b830ea7796f9bf166cb7e37465afd424e45fa
SHA512
5b5328e03d5ad653f672da35b3b00b43f6fd90d0cbc1ff3a6ea3d2ceedd8f87a8a4d71e69a336cf33bf6256df4a7e781f7d1a82d13d524de7152875f4f04b40d
-
Filesize
1.4MB
MD5
c17170262312f3be7027bc2ca825bf0c
SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c
-
Filesize
780B
MD5
8124a611153cd3aceb85a7ac58eaa25d
SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6
SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e
SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17
-
Filesize
15KB
MD5
27e626cd2de3ef44118d52c4430e248c
SHA1
e3c5564f146fa5281b8281b5690992f483993f00
SHA256
f2d2bc3ce533bd8a5150ffe340b9feb6f9656de71ba1428b530b8ef0b7163ea7
SHA512
ce0b0fe7b2d9dbce7d6d03f49796995fab22dc25e5a4514c8512f8fa72b60d587326fbb71d9cd62c4cabb02143922d722f04c5a746e6c723354af5397d439fdc
-
Filesize
37KB
MD5
35c2f97eea8819b1caebd23fee732d8f
SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
C:\Users\Admin\Documents\@[email protected]
Filesize
240KB
MD5
7bf2b57f2a205768755c07f238fb32cc
SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
Filesize
51KB
MD5
ab29d7a89c5dd74b8efd651084ea9d76
SHA1
789291bd9b71fa4364cd2bd868c3dc2aebae4df0
SHA256
0d868b8e8f305fcea60cae1e1ede65b817f62545e4308793bf0417bcd56b4a85
SHA512
75cc0448d669f02d8f1debd4b06d847fd308e85f966640bf089c77319f05aadf9a1b73a91641901bf1b39c989978531f6d6cdbd816d09c7144b5496f3af71b88
-
Filesize
3.4MB
MD5
84c82835a5d21bbcf75a61706d8ab549
SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
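The dropped-file listing above is what an analyst actually turns into indicators, and the copy on this page arrives with each label fused onto its value (`MD58c84...`, `Filesize240KB`). The following is an added example, not part of the tria.ge report or of any tria.ge tooling: a small Python parser for that flattened shape that recovers one entry per file, checks every digest has the hex length its algorithm requires (a truncated hash silently matches nothing), and then compares a file's own MD5/SHA-1/SHA-256/SHA-512 against the recovered entries. The sample input is constructed from three of the entries above; `ioc_from_bytes` and the scan blob in `__main__` are assumptions for demonstration only.

```python
import hashlib
import re

# Constructed sample input: three entries copied from the tria.ge dropped-file
# listing above, exactly as the page renders them (label and hex value run
# together; one entry carries the on-disk path of the dropped file).
SAMPLE_LISTING = r"""
-
Filesize
827KB
MD58c84b30b61495a70074682cb70b30eed
SHA15f7595bf88df130a7217315d331f87787211e226
SHA256595ac64ab09842e19ba5b236b5528a3900dd8ab2908d8faa635b65b034e44c4e
SHA5120e2150f15974559ec149057a46b1c38d979513f6ba632f3864de9fac53c9577a7d12c8eabce115c62817c6206b294aca78344faaf30b08ee8b6ba6697f519d5f
-
C:\Users\Admin\Documents\@[email protected]
Filesize240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
Filesize
3.4MB
MD584c82835a5d21bbcf75a61706d8ab549
SHA15ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA51290723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
"""

# Hex length of each digest; used to reject truncated or corrupted hashes.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Longest label first so "SHA512<hex>" is never split as "SHA5" + "12<hex>".
_DIGEST_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")
_SIZE_RE = re.compile(r"^Filesize(.*)$")


def parse_listing(text):
    """Turn the flattened tria.ge listing into a list of IOC dicts."""
    entries, cur, want_size = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                       # entry separator
            if cur:
                entries.append(cur)
            cur, want_size = {}, False
            continue
        if cur is None:
            cur = {}
        if want_size:                         # "Filesize" stood on its own line
            cur["size"] = line
            want_size = False
            continue
        m = _SIZE_RE.match(line)
        if m:
            if m.group(1):
                cur["size"] = m.group(1)      # fused form: "Filesize240KB"
            else:
                want_size = True
            continue
        m = _DIGEST_RE.match(line)
        if m:
            cur[m.group(1).lower()] = m.group(2).lower()
            continue
        if "\\" in line or line.startswith("/"):
            cur["path"] = line                # dropped-file location, when given
    if cur:
        entries.append(cur)
    return entries


def validate(entry):
    """Return a list of problems with one parsed entry (empty means clean)."""
    problems = []
    for name, length in DIGEST_LEN.items():
        value = entry.get(name)
        if value is None:
            problems.append(f"missing {name}")
        elif len(value) != length:
            problems.append(f"{name} has {len(value)} hex chars, expected {length}")
    if "size" not in entry:
        problems.append("missing size")
    return problems


def fingerprint(data):
    """Compute the same four digests tria.ge reports, for a file's bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGEST_LEN}


def ioc_from_bytes(data, path=None):
    """Build an entry in the listing's shape from constructed bytes (assumed helper)."""
    entry = fingerprint(data)
    entry["size"] = f"{len(data)}B"
    if path:
        entry["path"] = path
    return entry


def find_matches(fp, iocs):
    """Return (entry, matched_algorithms) for every IOC sharing a digest with fp.

    A hit on any single algorithm is reported, so a listing that records only
    MD5 for some files still matches; the caller then sees which of the
    stronger digests also agreed.
    """
    hits = []
    for entry in iocs:
        matched = [n for n in DIGEST_LEN if n in entry and entry[n] == fp[n]]
        if matched:
            hits.append((entry, matched))
    return hits


if __name__ == "__main__":
    iocs = parse_listing(SAMPLE_LISTING)
    for e in iocs:
        print(e.get("path", "<no path>"), e["size"], e["sha256"], validate(e) or "ok")
    # Constructed blob; real use would read the suspect file from disk.
    print(find_matches(fingerprint(b"constructed, not a real sample"), iocs))
```

The parser keys on the label prefix rather than on hash length because the page supplies both; `validate` then uses the length as an independent check, which is the one that catches a hash cut short by copy-and-paste before it is loaded into a blocklist.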