Resubmissions
01-11-2024 12:33
241101-pradyaypdv 1027-10-2024 23:08
241027-24hmasskhj 1020-10-2024 16:28
241020-tyzdvsxgqb 320-10-2024 16:26
241020-tx2gtszekk 302-10-2024 11:53
241002-n2j6fsycqb 313-09-2024 04:59
240913-fmwxpswcpb 311-09-2024 15:54
240911-tcmg6sygmm 311-09-2024 15:53
240911-tbsmsszbnh 1025-08-2024 22:53
240825-2t6als1gll 10Analysis
-
max time kernel
324s -
max time network
327s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-08-2024 15:38
Static task
static1
Behavioral task
behavioral1
Sample
dl2.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
dl2.exe
Resource
win10v2004-20240802-en
General
-
Target
dl2.exe
-
Size
849KB
-
MD5
c2055b7fbaa041d9f68b9d5df9b45edd
-
SHA1
e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
-
SHA256
342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
-
SHA512
18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
-
SSDEEP
12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2
Malware Config
Signatures
-
BazarBackdoor 64 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
description flow ioc Process 174 zirabuo.bazar Process not Found 184 zirabuo.bazar Process not Found 198 zirabuo.bazar Process not Found 200 zirabuo.bazar Process not Found 138 zirabuo.bazar Process not Found 177 zirabuo.bazar Process not Found 152 zirabuo.bazar Process not Found 164 zirabuo.bazar Process not Found 180 zirabuo.bazar Process not Found 189 zirabuo.bazar Process not Found 190 zirabuo.bazar Process not Found 201 zirabuo.bazar Process not Found 203 zirabuo.bazar Process not Found 136 zirabuo.bazar Process not Found 139 zirabuo.bazar Process not Found 148 zirabuo.bazar Process not Found 150 zirabuo.bazar Process not Found 162 zirabuo.bazar Process not Found 183 zirabuo.bazar Process not Found 143 zirabuo.bazar Process not Found 157 zirabuo.bazar Process not Found 159 zirabuo.bazar Process not Found 168 zirabuo.bazar Process not Found 179 zirabuo.bazar Process not Found 181 zirabuo.bazar Process not Found 151 zirabuo.bazar Process not Found 160 zirabuo.bazar Process not Found 166 zirabuo.bazar Process not Found 167 zirabuo.bazar Process not Found 172 zirabuo.bazar Process not Found 173 zirabuo.bazar Process not Found 188 zirabuo.bazar Process not Found 140 zirabuo.bazar Process not Found 178 zirabuo.bazar Process not Found 187 zirabuo.bazar Process not Found 196 zirabuo.bazar Process not Found 141 zirabuo.bazar Process not Found 165 zirabuo.bazar Process not Found 154 zirabuo.bazar Process not Found 170 zirabuo.bazar Process not Found 185 zirabuo.bazar Process not Found 192 zirabuo.bazar Process not Found 197 zirabuo.bazar Process not Found Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection msedge.exe 135 zirabuo.bazar Process not Found 169 zirabuo.bazar Process not Found 182 zirabuo.bazar Process not Found 202 zirabuo.bazar Process not Found 146 zirabuo.bazar Process not Found 161 zirabuo.bazar Process not Found 175 zirabuo.bazar Process not Found 186 zirabuo.bazar Process not Found 193 zirabuo.bazar Process not Found 149 zirabuo.bazar Process not Found 153 zirabuo.bazar Process not Found 155 zirabuo.bazar Process not Found 156 zirabuo.bazar Process not Found 163 zirabuo.bazar Process not Found 195 zirabuo.bazar Process not Found 147 zirabuo.bazar Process not Found 158 zirabuo.bazar Process not Found 194 zirabuo.bazar Process not Found 199 zirabuo.bazar Process not Found 134 zirabuo.bazar Process not Found -
Downloads MZ/PE file
-
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
flow ioc 168 zirabuo.bazar 188 zirabuo.bazar 137 zirabuo.bazar 150 zirabuo.bazar 155 zirabuo.bazar 172 zirabuo.bazar 196 zirabuo.bazar 149 zirabuo.bazar 157 zirabuo.bazar 162 zirabuo.bazar 175 zirabuo.bazar 176 zirabuo.bazar 134 zirabuo.bazar 135 zirabuo.bazar 156 zirabuo.bazar 192 zirabuo.bazar 194 zirabuo.bazar 179 zirabuo.bazar 181 zirabuo.bazar 184 zirabuo.bazar 163 zirabuo.bazar 166 zirabuo.bazar 191 zirabuo.bazar 199 zirabuo.bazar 140 zirabuo.bazar 151 zirabuo.bazar 159 zirabuo.bazar 187 zirabuo.bazar 190 zirabuo.bazar 202 zirabuo.bazar 165 zirabuo.bazar 182 zirabuo.bazar 186 zirabuo.bazar 169 zirabuo.bazar 180 zirabuo.bazar 185 zirabuo.bazar 145 zirabuo.bazar 147 zirabuo.bazar 158 zirabuo.bazar 136 zirabuo.bazar 167 zirabuo.bazar 174 zirabuo.bazar 171 zirabuo.bazar 183 zirabuo.bazar 198 zirabuo.bazar 160 zirabuo.bazar 195 zirabuo.bazar 200 zirabuo.bazar 144 zirabuo.bazar 148 zirabuo.bazar 154 zirabuo.bazar 170 zirabuo.bazar 173 zirabuo.bazar 189 zirabuo.bazar 203 zirabuo.bazar 138 zirabuo.bazar 153 zirabuo.bazar 161 zirabuo.bazar 177 zirabuo.bazar 142 zirabuo.bazar 152 zirabuo.bazar 164 zirabuo.bazar 141 zirabuo.bazar 146 zirabuo.bazar -
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 87.98.175.85 Destination IP 104.238.186.189 Destination IP 159.89.249.249 Destination IP 185.117.154.144 Destination IP 51.255.48.78 Destination IP 159.89.249.249 Destination IP 87.98.175.85 Destination IP 188.165.200.156 Destination IP 192.99.85.244 Destination IP 147.135.185.78 Destination IP 82.196.9.45 Destination IP 77.73.68.161 Destination IP 178.17.170.179 Destination IP 144.76.133.38 Destination IP 139.59.208.246 Destination IP 46.101.70.183 Destination IP 46.101.70.183 Destination IP 81.2.241.148 Destination IP 169.239.202.202 Destination IP 81.2.241.148 Destination IP 87.98.175.85 Destination IP 89.18.27.167 Destination IP 128.52.130.209 Destination IP 87.98.175.85 Destination IP 162.248.241.94 Destination IP 172.104.136.243 Destination IP 82.196.9.45 Destination IP 89.18.27.167 Destination IP 185.164.136.225 Destination IP 167.99.153.82 Destination IP 51.255.48.78 Destination IP 69.164.196.21 Destination IP 193.183.98.66 Destination IP 167.99.153.82 Destination IP 172.104.136.243 Destination IP 104.37.195.178 Destination IP 198.251.90.143 Destination IP 5.132.191.104 Destination IP 82.196.9.45 Destination IP 142.4.205.47 Destination IP 45.71.112.70 Destination IP 159.89.249.249 Destination IP 192.52.166.110 Destination IP 51.254.25.115 Destination IP 144.76.133.38 Destination IP 5.135.183.146 Destination IP 92.222.97.145 Destination IP 31.171.251.118 Destination IP 158.69.160.164 Destination IP 45.63.124.65 Destination IP 139.99.96.146 Destination IP 82.196.9.45 Destination IP 159.89.249.249 Destination IP 163.172.185.51 Destination IP 51.255.211.146 Destination IP 66.70.211.246 Destination IP 185.208.208.141 Destination IP 185.121.177.177 Destination IP 185.121.177.177 Destination IP 91.217.137.37 Destination IP 45.71.112.70 Destination IP 77.73.68.161 Destination IP 176.126.70.119 Destination IP 77.73.68.161 -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 344 raw.githubusercontent.com 345 raw.githubusercontent.com 362 raw.githubusercontent.com -
pid Process 4304 CefSharp.BrowserSubprocess.exe 2576 CefSharp.BrowserSubprocess.exe 3896 CefSharp.BrowserSubprocess.exe 3100 CefSharp.BrowserSubprocess.exe 4756 CefSharp.BrowserSubprocess.exe 3248 CefSharp.BrowserSubprocess.exe -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CefSharp.BrowserSubprocess.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CefSharp.BrowserSubprocess.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CefSharp.BrowserSubprocess.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CefSharp.BrowserSubprocess.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CefSharp.BrowserSubprocess.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CefSharp.BrowserSubprocess.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language multi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nyx.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Nyx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Nyx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Nyx.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry Nyx.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133680374094187299" Nyx.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings msedge.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 3636 msedge.exe 3636 msedge.exe 3772 msedge.exe 3772 msedge.exe 1148 identity_helper.exe 1148 identity_helper.exe 4532 msedge.exe 4532 msedge.exe 4532 msedge.exe 4532 msedge.exe 1436 msedge.exe 1436 msedge.exe 2976 Nyx.exe 2976 Nyx.exe 4756 CefSharp.BrowserSubprocess.exe 4756 CefSharp.BrowserSubprocess.exe 3248 CefSharp.BrowserSubprocess.exe 3248 CefSharp.BrowserSubprocess.exe 3100 CefSharp.BrowserSubprocess.exe 3100 CefSharp.BrowserSubprocess.exe 4304 CefSharp.BrowserSubprocess.exe 4304 CefSharp.BrowserSubprocess.exe 2576 CefSharp.BrowserSubprocess.exe 2576 CefSharp.BrowserSubprocess.exe 3896 CefSharp.BrowserSubprocess.exe 3896 CefSharp.BrowserSubprocess.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: 33 2092 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2092 AUDIODG.EXE Token: SeDebugPrivilege 2976 Nyx.exe Token: SeDebugPrivilege 4756 CefSharp.BrowserSubprocess.exe Token: SeDebugPrivilege 3248 CefSharp.BrowserSubprocess.exe Token: SeDebugPrivilege 3100 CefSharp.BrowserSubprocess.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeDebugPrivilege 4304 CefSharp.BrowserSubprocess.exe Token: SeDebugPrivilege 2576 CefSharp.BrowserSubprocess.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeDebugPrivilege 3896 CefSharp.BrowserSubprocess.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe Token: SeCreatePagefilePrivilege 2976 Nyx.exe Token: SeShutdownPrivilege 2976 Nyx.exe -
Suspicious use of FindShellTrayWindow 35 IoCs
pid Process 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 2976 Nyx.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe 3772 msedge.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3424 dl2.exe 2028 dl2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3772 wrote to memory of 1980 3772 msedge.exe 93 PID 3772 wrote to memory of 1980 3772 msedge.exe 93 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 2428 3772 msedge.exe 94 PID 3772 wrote to memory of 3636 3772 msedge.exe 95 PID 3772 wrote to memory of 3636 3772 msedge.exe 95 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96 PID 3772 wrote to memory of 3512 3772 msedge.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\dl2.exe"C:\Users\Admin\AppData\Local\Temp\dl2.exe"1⤵
- Suspicious use of SetWindowsHookEx
PID:3424
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- BazarBackdoor
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4d1446f8,0x7fff4d144708,0x7fff4d1447182⤵PID:1980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:22⤵PID:2428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:82⤵PID:3512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵PID:3632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵PID:1884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:12⤵PID:4808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:12⤵PID:2424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:82⤵PID:4380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:12⤵PID:5060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:12⤵PID:1080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:12⤵PID:3836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2312 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:12⤵PID:2076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5664 /prefetch:82⤵PID:3536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5860 /prefetch:82⤵PID:1068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:12⤵PID:4776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,15785611477313331652,15186300999571545826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1436
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4048
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3020
-
C:\Users\Admin\AppData\Local\Temp\dl2.exeC:\Users\Admin\AppData\Local\Temp\dl2.exe {14A6B8A1-2FCE-44C5-8632-0520E90DF713}1⤵
- Suspicious use of SetWindowsHookEx
PID:2028
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4ac 0x5081⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1904
-
C:\Users\Admin\Downloads\Nyx\Nyx.exe"C:\Users\Admin\Downloads\Nyx\Nyx.exe"1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2976 -
C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --locales-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3568,i,10003546602238193400,10854231641160262706,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=3580 --mojo-platform-channel-handle=3564 /prefetch:2 --host-process-id=29762⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
-
C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --locales-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp" --cefsharpexitsub --field-trial-handle=3684,i,10003546602238193400,10854231641160262706,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=3692 --mojo-platform-channel-handle=3676 /prefetch:3 --host-process-id=29762⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248
-
-
C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --locales-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp" --cefsharpexitsub --field-trial-handle=3720,i,10003546602238193400,10854231641160262706,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=3764 --mojo-platform-channel-handle=3768 /prefetch:8 --host-process-id=29762⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4756
-
-
C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=renderer --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --locales-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp" --cefsharpexitsub --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=5144,i,10003546602238193400,10854231641160262706,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5200 --mojo-platform-channel-handle=5196 --host-process-id=2976 /prefetch:12⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=renderer --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --locales-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp" --cefsharpexitsub --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=5152,i,10003546602238193400,10854231641160262706,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5256 --mojo-platform-channel-handle=5248 --host-process-id=2976 /prefetch:12⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304
-
-
C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --locales-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\Downloads\Nyx\lib\resources\cefsharp" --cefsharpexitsub --field-trial-handle=5760,i,10003546602238193400,10854231641160262706,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5576 --mojo-platform-channel-handle=5672 /prefetch:8 --host-process-id=29762⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:2332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:5148
-
C:\Users\Admin\Downloads\Nyx\lib\multi.exe"C:\Users\Admin\Downloads\Nyx\lib\multi.exe"1⤵
- System Location Discovery: System Language Discovery
PID:5460
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
6KB
MD56c82bfae38ab4731d6d69b0ef17f03ef
SHA1e0cfcff986e3daa8b1ca466120c8eecf7a91a0b6
SHA256fa824e52c3cdc84e2a8dc517bc0f6c12577af29eaeff04b820ab59a3ea2f0707
SHA512322a7044e033101122d2638d854e6bd6523b6bd4c148b989dba249148949bed3a0870f3abb74b76e35f4b6941b0fd6c8b1d99ff1d754c64aee7db2e41b04c78f
-
Filesize
6KB
MD5e2b431a7ba302efe3c038a0a35209a6a
SHA157f38cce2ba372a9993e32a04f3713f2c44ce219
SHA256ba0c98a46f72ae3937e0c87c7f3e16ccd05935c88aa95c6c7bb424f946576538
SHA5122c852dbe30c2334b91b1f68a18d5f377111589af2cc6f548aabe20333074fc2c9c35e0132634cc423087404147f6414e7ef74ba9293e0b790ae9610160a85abd
-
Filesize
1KB
MD5a5b4b5eaa2c11bca8795819d20bca67c
SHA116a6eee62b60ad40ee277abf83ed5607025337e8
SHA2565275d8a2126e2a005876616047ef3012b9552e563729a7aa4fa7a7300eb79878
SHA512b316ce9092deda255e10038a283bfcbfa2ae550b09d4ba128dc0346848d837bb7efcee4283632572dc72e5b6dcf6feda82657b44cade21a1cd26be9a32a3f93c
-
Filesize
2KB
MD554ddc4f23d6b68807d28535a5f62ef3e
SHA1da1d1b181295c230fcc734b574f4909c423e5fd6
SHA256b7ac29c32314cbd53df5cd97c08b2d4d50fbc8023219bb717c2dd143369af917
SHA5121ecb2a388d116185c638d6cda97ca91f3e3ec11f48513592c0947c88258f1be7ffc71f76104b34891b1bd0c3df6379eab3973e3809dae95873ef8de44c06d053
-
Filesize
889B
MD5b12724005607069ddc2c008bc61609ed
SHA191b7cf3fab838766ea007424c66298a4a23953b6
SHA256f22cc27c69a26ef694ccdc1b0cc96826ad8bcfe4ce071003e41bfb1fc081e25a
SHA5129bb79b671952d36f93eec35ec50742e643164b59b30296d3f44a87c5cafcf64af3fd88a511b69a251faef8721fc858ddcad4a04d35c17fb8874e456180bdbe03
-
Filesize
152B
MD527304926d60324abe74d7a4b571c35ea
SHA178b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA2567039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
-
Filesize
152B
MD59e3fc58a8fb86c93d19e1500b873ef6f
SHA1c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize72B
MD50f3a7c79ef7d2688d9e2fece83a8963f
SHA1ee8741e13b7c94b145946c2cb3db4e139d9a0c7c
SHA256cb097c344b9f296bac6fb8a4bfb65d3d97bd4bd3d7273c7a922b8eb850a614d0
SHA5127a2a3550ffd80b344406470cb906dc1cdcc2abd4d0f05b7c0f6df7d22a298151c5ca2d1bef2a15193da5ef3ecc299ac2d0a6c9907434e8f87ae1bd1fd5e5a206
-
Filesize
3.5MB
MD51dad533956e7c6fb010efee531839804
SHA1144f176d06b481d6f74e28d2dbe42b13f74fe86b
SHA2569ac622feb3c11b7ae96de8cb03fa515277dba517a07d65c5e8e6e5ff43832d94
SHA51263a4ad9af0273f91d29aaa354f9e58eda7c91a545a4b52a7c58d3cb6cfdd4b12d9bca6d7911ac87c5e04a81000e785a6f53369ad7dd21e704cf7eed03735c485
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000003.log
Filesize25KB
MD5731404066eadc1e1a6e54a3deec441b1
SHA1bf4251b372fac63e20abd81c9f2f623db8903e49
SHA2565c31a4db590db3fd25b6a49d65603d6a250610a400e67f311a290659c6f7903a
SHA51282d9d5b3dd0bd2fc81b122e0b78ca7aa8a0a7c8bb0c0d767c6333a4a1b2caeca71c9372122b446e8574283b08f9133d41c3067efc6744e25e291f0f681aa4947
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize378B
MD5b8240ae6c28735781ae8fdaceb300831
SHA15e6f7a631737fc11317548f973608033fe298a97
SHA256881f0251b95964557f5abd8a4af4f640f6da66d80fdfc656b049a11d39fe2447
SHA5125230ee65de06158e0327b09d94a29191696e00d2788b3fb5cc4289da73e6f5bbeadf7bdea10ed72c83fd638caffca43158f34e362e19e3c8b0f6ed2c35752152
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize378B
MD55352df5a790fecb06d96521452085f79
SHA1aaf3cc8b626d8beae7ac52152b6d047d83b985d8
SHA256a0a1d8041e0b4efb53823a193a87384dcf1577498ea670ebf3fc60e30e2f13aa
SHA512c3b12af222678a4067938819973307b77361d2bb770914ee6d9ebc113f92b8394cc65cf7e2e53049900feebec4a7d8f4e9e76f060215aad0f9adc9734cf962a0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize378B
MD59701a96fed825211b2eafdbd559f5801
SHA1b1c3a25eaf524a63f411cc8546747aec513d1538
SHA256726cc807d0baeb2254a1bbb73c5d8b8d6603316834017046b432e8e7113d7249
SHA5121c180a3956175544614e38c866f459aba50f945e7f6649e4c6a45b8b2959d7a80859965e039bff1084d4942263b9743785778a1e6102aed4eedfcda29ef27f73
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe5ad9a8.TMP
Filesize337B
MD5baff51384895d692f9c6b3a41f4d4acf
SHA18ed07bd0b7fe59459fe8524016a0a51255148eef
SHA256f96e927d21ce27213f78e509a9c7af2353d60270dd6aaba5b5ae0ef59046af78
SHA51214d5edc81f2589629a317e792411741a2e883745ef8f1e5928b1d1201c42e49388656d268eaf34f29751ddb3b87879bae157e99aae70374652155a8923386ff4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001
Filesize23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize
180B
MD500a455d9d155394bfb4b52258c97c5e5
SHA12761d0c955353e1982a588a3df78f2744cfaa9df
SHA25645a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed
SHA5129553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f
-
Filesize
258B
MD552f54408f73dff022cd0f55af561aa06
SHA174a916221e9e3e20e2822ebd0a0c9566c048cbc7
SHA256557ae00786147ceae4ed8a20bd62bf9bb294a79934fef591c81207f571b2c9d2
SHA5122cc332790ca397e93e84bd6eff33723ec72321dda5eccf9343e2d2ba9e1906b868383034499eb53fcd7e335718faaf3cf3f1d2b97e340135dc5195701de810e4
-
Filesize
6KB
MD56a8579a1c407cfdd698cd9556284915d
SHA12cf354ee66b9d67978392fd0f061f606783f346c
SHA256863ea84ca88b4952e42c1ed48abe02d74b7e25d4da4cf7fd175869bde77890a5
SHA512116351ce68e53d692aed081fcd68e9212c18ef0266b375c36670ff87fef13dc93aad620778411043245c2283a8045cbfb26b6e8a157fbd66145ccd00b7b5089d
-
Filesize
6KB
MD5ac2ba7501460bec25a39329f549e5b2f
SHA1fc9431869bd6a2ae6c73ec8bbe146db7f4e81fec
SHA2567b46fce61de5c86290baab14c14e94f453458a6f1cbc6999647831ad49e59d43
SHA5121f1cdd3e153f74cc4e2cde6834be610b457e3b7f55412d30943330ebf5e5da32c1039d7978a5c68b381dc2c13770d9284e975fb88cc7c0b62ed439c2a2841fec
-
Filesize
6KB
MD5087fdd6c681d86b6168f11b252c98a90
SHA1eefebfed07424a5a0fa73b7d35dc1df3a6fcfcfd
SHA256def8fe8f51b27ec3e18359187fc50b74b342480014b3e6bef433c2f63b4c49e0
SHA512d0005491e8c51389435d9435f2c0a143ca0e66b1f5fb9f9929d02eec8c860055540230dc9402d2fcd0276a25448bdb325f7bc93875dd8ce8d25096e6e1c9e727
-
Filesize
6KB
MD58d415f5de38834f9526e124ded9ced40
SHA113971191de0eb71e85cd267b39330687a3dea5de
SHA2561ef1fcd40b4a985a8e511e20f4f69081b26fb961b53a1662fb33c0463a5f9e7f
SHA51297dfc3e546d457866528b401ad1758369156a4f9df7e47e17c344d834f066329b890250dd77ba35856091f13529116f107861d69d81293a5be2f861fded5bc6e
-
Filesize
6KB
MD56f708969ad75200ef409209180542434
SHA1e3c95044cec078bcdbaa3d0f6787ad9a2269a5ec
SHA2561bdc6831330ad9f1429c9de680f2ccb26089774d56f75f16dace07e3f9663048
SHA5125f2684cb4ef777b1bdcfdef6dfdc97708ec5b266c5d2705aa314551fd1d717a753ae973cfbf457b2089f1be104fa1c9fb609dccc8d633ff607977cecf9226205
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD5b1e9887d9680502348d883817dc1a55a
SHA1f621e22dbf3ac1a206096073bdea0ad4e968b909
SHA2569e54b7cde04fcc07f055b2d002e0253ee75239a3ac8500b1665265c4912a7d1d
SHA512ac22b399263c7656f5c00ad5f749cc94ee16bda502b4b8517a309a0785c2f0c3e2ca5fdb1a01b11d019e95600a735c062553260a000cf2a31b304c62ced4b4b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5af0ab.TMP
Filesize48B
MD59153d6562169a340113c915d077dbacd
SHA190380d643443f3c807f97ca3dc284c632e1fc1ab
SHA2569286f76094dc451b1e7a60bd3f51139a6942a020bc5a242f9a8fa3e50e92b3af
SHA51240546e8927c02b6ddc6f30777a4b703cabfcb07ad0c4a741265e289f8f7e726ca7d707c753ecb59e2e84fbb6185fed3cc14666881bd9b4a77dd647d0f5cd186f
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5f16d74b1040a28e275137e9ba30fa2f8
SHA163e271aab0932cd55dc3f4ae940f6bea3f4bee5a
SHA256891353d8cf3f6cac7cf8d925d5db3626af8a4785f389506b09e04b1d43c04920
SHA512086eddd0d807b8a4bd934002e2fbcfeccad2c270b8896e41e610373ac8def607bcddcdf3c5276b1fa980ac142f99810718f95d5d8062539a9b90e8dfac3a1586
-
Filesize
12KB
MD53e24139b048a0bae47a1e7663f4cf5a1
SHA1aa725ba4fcaa83b3d8cff9ff36464722231c1fea
SHA256dc64726634220ce73d1e0df9b935822de8876aea679ea43b450a382e4df7023a
SHA5124300c655bd1a604c86351757eeca2d381370c6a7d546ceb553bbcec9eee70bdcf33efdb4de12696b2c85006caa7fa2dca26439bef53dc7028bde9af80fc7f8e8