Analysis
max time kernel: 504s
max time network: 497s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-08-2024 16:00
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: http://kkk
  Resource: win10-20240611-en
Behavioral task: behavioral2
  Sample: http://kkk
  Resource: win10v2004-20240802-en
Errors
General
Target: http://kkk
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | gdifuncs.exe
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
Disables Task Manager via registry modification
Downloads MZ/PE file
Possible privilege escalation attempt (4 IoCs)
  Processes (pid | process):
    5944 | takeown.exe
    5852 | icacls.exe
    5416 | takeown.exe
    4320 | icacls.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | gdifuncs.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | HorrorTrojan Ultimate Edition.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | wscript.exe
Executes dropped EXE (5 IoCs)
  Processes (pid | process):
    5928 | HorrorTrojan Ultimate Edition.exe
    2472 | mbr.exe
    5604 | jeffpopup.exe
    5368 | bobcreep.exe
    4716 | gdifuncs.exe
Modifies file permissions (1 TTP, 4 IoCs)
  Processes (pid | process):
    5944 | takeown.exe
    5852 | icacls.exe
    5416 | takeown.exe
    4320 | icacls.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  Processes (flow | ioc):
    146 | raw.githubusercontent.com
    144 | raw.githubusercontent.com
    145 | raw.githubusercontent.com
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description | ioc | process):
    File opened for modification | \??\PhysicalDrive0 | mbr.exe
Drops file in System32 directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
    File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF | chrome.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | reg.exe
Drops file in Windows directory (6 IoCs)
  Processes (description | ioc | process):
    File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | cmd.exe
    File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | cmd.exe
    File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | cmd.exe
    File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | cmd.exe
    File created | C:\windows\WinAttr.gci | gdifuncs.exe
    File opened for modification | \??\c:\windows\WinAttr.gci | cmd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mbr.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jeffpopup.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | takeown.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | takeown.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HorrorTrojan Ultimate Edition.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bobcreep.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gdifuncs.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icacls.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icacls.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Delays execution with timeout.exe (1 IoC)
  Processes (pid | process):
    2708 | timeout.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Kills process with taskkill (1 IoC)
  Processes (pid | process):
    4800 | taskkill.exe
Modifies Control Panel (3 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Modifies data under HKEY_USERS (2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
    Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133681248535561352" | chrome.exe
Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{2840A012-96C9-4ED8-822C-0B681B5FF766} | msedge.exe
NTFS ADS (2 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 558490.crdownload:SmartScreen | msedge.exe
    File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 635426.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process), repeated entries collapsed with their counts:
    3472 | chrome.exe (x2)
    956 | chrome.exe (x4)
    4508 | msedge.exe (x2)
    1832 | msedge.exe (x2)
    2660 | identity_helper.exe (x2)
    5600 | msedge.exe (x2)
    5736 | msedge.exe (x2)
    4716 | gdifuncs.exe (x48)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (27 IoCs)
  Processes (pid | process), repeated entries collapsed with their counts:
    3472 | chrome.exe (x9)
    1832 | msedge.exe (x18)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process), repeated entries collapsed with their counts:
    Token: SeShutdownPrivilege | 3472 | chrome.exe (x32)
    Token: SeCreatePagefilePrivilege | 3472 | chrome.exe (x32)
  The two token adjustments alternate in the original listing.
Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes (pid | process), repeated entries collapsed with their counts:
    3472 | chrome.exe (x26)
    1832 | msedge.exe (x38)
Suspicious use of SendNotifyMessage (48 IoCs)
  Processes (pid | process), repeated entries collapsed with their counts:
    3472 | chrome.exe (x24)
    1832 | msedge.exe (x24)
Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
    5604 | jeffpopup.exe
    5368 | bobcreep.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process), repeated entries collapsed with their counts:
    PID 3472 wrote to memory of 1140 | 3472 | chrome.exe | chrome.exe (x2)
    PID 3472 wrote to memory of 4540 | 3472 | chrome.exe | chrome.exe (x30)
    PID 3472 wrote to memory of 516 | 3472 | chrome.exe | chrome.exe (x2)
    PID 3472 wrote to memory of 4292 | 3472 | chrome.exe | chrome.exe (x30)
System policy modification (1 TTP, 1 IoC)
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
Processes (indentation shows the process tree depth)
PID 3472  C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://kkk
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID 1140  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa0b42cc40,0x7ffa0b42cc4c,0x7ffa0b42cc58
  PID 4540  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1880 /prefetch:2
  PID 516  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:3
  PID 4292  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2448 /prefetch:8
  PID 2992  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3024,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3064 /prefetch:1
  PID 4508  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3032,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3240 /prefetch:1
  PID 4232  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4092,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4332 /prefetch:1
  PID 8  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3260,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3648 /prefetch:1
  PID 4100  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:8
  PID 3168  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3772,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4460 /prefetch:1
  PID 4924  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4672,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4652 /prefetch:1
  PID 4284  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3316,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=728 /prefetch:1
  PID 956  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3280,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4956 /prefetch:8
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
  PID 1636  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4692,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1148 /prefetch:1
  PID 1060  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4384,i,7890890278958915974,5238246759105356943,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3804 /prefetch:1
PID 1528  C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
PID 4088  C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
PID 1832  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID 608  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9f8bc46f8,0x7ff9f8bc4708,0x7ff9f8bc4718
  PID 2960  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  PID 4508  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  PID 1764  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  PID 4312  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  PID 1572  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  PID 4960  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  PID 1840  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  PID 3180  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  PID 2660  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  PID 1800  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  PID 5304  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  PID 5592  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5664 /prefetch:8
  PID 5600  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5652 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
  PID 5876  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵PID:5984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:12⤵PID:5992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:12⤵PID:1144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵PID:1796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1884 /prefetch:12⤵PID:5672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:12⤵PID:5768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:12⤵PID:5180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:12⤵PID:5240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5552 /prefetch:82⤵PID:6024
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:12⤵PID:6124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6768 /prefetch:82⤵PID:6008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6612 /prefetch:82⤵PID:5604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:12⤵PID:5404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:12⤵PID:4212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7064 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5736
-
-
[depth 2] PID 5928  "C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[depth 3] PID 4872  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\FEEE.tmp\FEEF.tmp\FEF0.vbs //Nologo  (image: C:\Windows\system32\wscript.exe)
  - Checks computer location settings
[depth 4] PID 2472  "C:\Users\Admin\AppData\Local\Temp\FEEE.tmp\mbr.exe"
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
[depth 4] PID 5788  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEEE.tmp\tools.cmd" "
  - Drops file in Windows directory
[depth 5] PID 5356  reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f  (image: C:\Windows\system32\reg.exe)
  - Sets desktop wallpaper using registry
[depth 5] 35 instances  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters  (image: C:\Windows\system32\rundll32.exe)
  PIDs: 5384, 5380, 5688, 5980, 5124, 5128, 4140, 3192, 6104, 3056, 6084, 6064, 3812, 1228, 5048, 1144, 5972, 1840, 5916, 5904, 752, 5588, 5608, 832, 5108, 5252, 4564, 3276, 4652, 3168, 4572, 5172, 5184, 5224, 5204
[depth 4] PID 5604  "C:\Users\Admin\AppData\Local\Temp\FEEE.tmp\jeffpopup.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
[depth 4] PID 5368  "C:\Users\Admin\AppData\Local\Temp\FEEE.tmp\bobcreep.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
[depth 4] PID 4716  "C:\Users\Admin\AppData\Local\Temp\FEEE.tmp\gdifuncs.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
[depth 5] PID 5944  "C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe  (image: C:\windows\SysWOW64\takeown.exe)
  - Possible privilege escalation attempt
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
[depth 5] PID 5852  "C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F  (image: C:\windows\SysWOW64\icacls.exe)
  - Possible privilege escalation attempt
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
[depth 5] PID 1828  "C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit  (image: C:\Windows\SysWOW64\cmd.exe)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
[depth 6] PID 5416  takeown /f LogonUI.exe  (image: C:\Windows\SysWOW64\takeown.exe)
  - Possible privilege escalation attempt
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
[depth 6] PID 4320  icacls LogonUI.exe /granted "Admin":F  (image: C:\Windows\SysWOW64\icacls.exe)
  - Possible privilege escalation attempt
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
[depth 6] PID 2708  timeout 2  (image: C:\Windows\SysWOW64\timeout.exe)
  - System Location Discovery: System Language Discovery
  - Delays execution with timeout.exe
[depth 6] PID 4800  taskkill /f /im "tobi0a0c.exe"  (image: C:\Windows\SysWOW64\taskkill.exe)
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
[depth 2] PID 5888  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,7327105543555322130,11759650824886418031,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5016 /prefetch:2
[depth 1] PID 1092  C:\Windows\System32\CompPkgSrv.exe -Embedding
[depth 1] PID 2944  C:\Windows\System32\CompPkgSrv.exe -Embedding
[depth 1] PID 5288  C:\Windows\system32\AUDIODG.EXE 0x4b4 0x338
[depth 1] PID 5168  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\YOUDIED 13.txt
[depth 1] PID 5200  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\YOUDIED 13.txt
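The tree above records the whole chain in one place: a VBScript run through sysnative\wscript.exe from a %TEMP% drop directory, an MBR write by mbr.exe, a Winlogon Shell change and UAC bypass by gdifuncs.exe, and takeown/icacls against LogonUI.exe followed by a copy of ui65.exe over C:\windows\system32\LogonUI.exe in the PID 1828 command chain. Two details matter when turning this into detection logic. First, the children of gdifuncs.exe have SysWOW64 image paths while their command lines say system32, so the parent is 32-bit and its "system32" references are redirected; a rule keyed on the literal path misses it. Second, the recorded icacls switch is /granted, which icacls does not accept (the real switch is /grant), so those ACL changes most likely failed; the attempt is still the signal. The Python below is an added example, not part of this report and not the sandbox's own signature logic: rule functions for those behaviours run over a small event list. Process events are transcribed from the tree (the msedge command line shortened); the two registry events, their value data, the Event record shape and the rule names are constructed or assumed, and the ATT&CK IDs are the standard ones for the techniques named in the mapping section.

```python
"""Rule-based triage of the behaviours in the process tree above (added example).

The Event shape is an assumption; process events are transcribed from the tree,
the two registry events are constructed, rule names are the author's own.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Process creations carry cmdline; registry writes carry reg_value/reg_data."""
    pid: int
    image: str
    cmdline: str = ""
    reg_value: str = ""
    reg_data: str = ""


def norm(path: str) -> str:
    """Lower-case, collapse the doubled backslashes seen in the report, and undo
    WOW64 redirection: a 32-bit process that names system32 really touches
    SysWOW64, and its HKLM\\SOFTWARE writes may land under WOW6432Node."""
    p = path.lower().replace("\\\\", "\\")
    p = p.replace("\\syswow64\\", "\\system32\\")
    return p.replace("\\wow6432node\\", "\\")


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def args_of(cmdline: str) -> str:
    """Arguments of a Windows command line with the (possibly quoted) program token removed."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[end + 1:] if end != -1 else ""
    parts = c.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


EXE_ARG = re.compile(r"[\w:\\.\-]+\.(?:exe|dll|sys)\b")
COPY_INTO_SYSTEM32 = re.compile(r'copy\s+"[^"]+"\s+"[^"]*\\windows\\system32\\[^"]+\.exe"')
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf)\b")


def rule_winlogon_shell(ev):
    """Winlogon\\Shell should be exactly explorer.exe; anything appended runs at every logon."""
    if norm(ev.reg_value).endswith("\\winlogon\\shell") and ev.reg_data.strip().lower() != "explorer.exe":
        return "winlogon_shell_hijack", "T1547.004"


def rule_uac_silent(ev):
    """ConsentPromptBehaviorAdmin=0 makes elevation silent for administrators."""
    if norm(ev.reg_value).endswith("\\consentpromptbehavioradmin") and ev.reg_data.strip() == "0":
        return "uac_consent_prompt_disabled", "T1548.002"


def rule_acl_on_executable(ev):
    """takeown/icacls aimed at an executable, by absolute or relative path."""
    if basename(ev.image) in ("takeown.exe", "icacls.exe") and EXE_ARG.search(norm(args_of(ev.cmdline))):
        return "acl_change_on_executable", "T1222.001"


def rule_system_binary_overwrite(ev):
    """A copy whose destination is an .exe under System32 replaces a trusted binary."""
    if COPY_INTO_SYSTEM32.search(norm(ev.cmdline)):
        return "system_binary_overwrite", "T1554"


def rule_script_host_from_temp(ev):
    """wscript/cscript executing a script dropped under %TEMP%."""
    a = norm(ev.cmdline)
    if basename(ev.image) in ("wscript.exe", "cscript.exe") and "\\appdata\\local\\temp\\" in a and SCRIPT_EXT.search(a):
        return "script_host_from_temp", "T1059.005"


RULES = [rule_winlogon_shell, rule_uac_silent, rule_acl_on_executable,
         rule_system_binary_overwrite, rule_script_host_from_temp]


def run_rules(events):
    """Return (pid, rule_id, technique) for every rule that matches an event."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev.pid, *hit))
    return findings


# Sample events: process lines transcribed from the tree (msedge shortened), registry writes constructed.
EVENTS = [
    Event(1572, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
          cmdline=r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US'),
    Event(4872, r"C:\Windows\system32\wscript.exe",
          cmdline=r'"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\FEEE.tmp\FEEF.tmp\FEF0.vbs //Nologo'),
    Event(5356, r"C:\Windows\system32\reg.exe",
          cmdline=r'reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f'),
    Event(5384, r"C:\Windows\system32\rundll32.exe", cmdline=r"RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"),
    Event(4716, r"C:\Users\Admin\AppData\Local\Temp\FEEE.tmp\gdifuncs.exe",  # constructed registry write
          reg_value=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
          reg_data=r'explorer.exe, wscript.exe "C:\Windows\example\payload.vbs"'),
    Event(4716, r"C:\Users\Admin\AppData\Local\Temp\FEEE.tmp\gdifuncs.exe",  # constructed registry write
          reg_value=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
          reg_data="0"),
    Event(5944, r"C:\windows\SysWOW64\takeown.exe",
          cmdline=r'"C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe'),
    Event(5852, r"C:\windows\SysWOW64\icacls.exe",
          cmdline=r'"C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F'),
    Event(1828, r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r'"C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit'),
    Event(5416, r"C:\Windows\SysWOW64\takeown.exe", cmdline=r"takeown /f LogonUI.exe"),
    Event(4320, r"C:\Windows\SysWOW64\icacls.exe", cmdline=r'icacls LogonUI.exe /granted "Admin":F'),
]

if __name__ == "__main__":
    for pid, rule_id, technique in run_rules(EVENTS):
        print(f"PID {pid:<5} {technique:<10} {rule_id}")
```

Run stand-alone it prints eight findings: the two registry writes by PID 4716, the script host (4872), the four takeown/icacls invocations (5944, 5852, 5416, 4320) and the LogonUI.exe overwrite in the PID 1828 chain; the renderer, wallpaper and rundll32 events produce nothing. On a live host the equivalent triage is to read the two registry values directly, run Get-AuthenticodeSignature and Get-Acl on C:\Windows\System32\LogonUI.exe, and compare its hash with a known-good copy: anything other than a valid Microsoft signature on that file means the copy step succeeded regardless of whether the icacls call did.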
Network
MITRE ATT&CK Enterprise v15 (count = number of matching signatures)
Persistence
- Boot or Logon Autostart Execution (T1547): 1
  - Winlogon Helper DLL (T1547.004): 1 (gdifuncs.exe, "Modifies WinLogon for persistence")
- Pre-OS Boot (T1542): 1
  - Bootkit (T1542.003): 1 (mbr.exe, "Writes to the Master Boot Record (MBR)")
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1 (gdifuncs.exe, "UAC bypass")
- Boot or Logon Autostart Execution (T1547): 1
  - Winlogon Helper DLL (T1547.004): 1
Defense Evasion
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- File and Directory Permissions Modification (T1222): 1 (takeown.exe and icacls.exe against LogonUI.exe)
- Impair Defenses (T1562): 1
  - Disable or Modify Tools (T1562.001): 1
- Modify Registry (T1112): 4
- Pre-OS Boot (T1542): 1
  - Bootkit (T1542.003): 1
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4111bf71-889d-4240-8060-12ed9d2a9f5c.tmp
Filesize9KB
MD5141427e5050d30d4beb1339782b77060
SHA1f2ca0066eac324553f11d4eb6ef1741a80658104
SHA25666a34039bcc204e66ab66399308a83793d3fd7a8409555d39bb1793eef8eb115
SHA512e6d6352f0f440235338512639e853b5f4e04b684e183a38752d25265e37371f3614b27e96ea581903ca1115c7afd31dae35d5d877f73c62b363737d3e9da3058
-
Filesize
649B
MD59d6d58010eae61bc89b742ed10f8e9ef
SHA11a13476d278107fcc98feaeaffe37c5d2f97bc62
SHA256565c98a8e211f9c7e89d0118eb5e8edf27e9bd82782aa758c3b3526bdc132839
SHA512856aa329875d78ee7095ceefaad7fb14c4cac5936fb32b982978e0bb614a4553b339410fc742e779b499f1152ad661996e1d7434aff75f3f2ea57a51d75422a4
-
Filesize
1KB
MD5e66ac71aaff376dd1dd01de9b5326d11
SHA11d08063e85217c2976f1cc2628b3e7a2c3e38c03
SHA256c548dde063582e8cc99f54605c58662dfe877df5cb89d7ebc40e7e0a5eb24c33
SHA5123d53214a609999d11f87f32c45f699ac8fcd70fb2bcde640dcb6e38258ae008a968adf3ff08365443daec8c5af03849c6fae2432086b2ad793e0d35c333614ba
-
Filesize
1KB
MD5a53a31d946c4fa4221b59dac5733ab97
SHA1c80bb3b722426f25b3bbb3335c3f8381eb2a143f
SHA2564323768f0929170ff14b48c0ac02d419b4979dd3b32a9954d97bae5ce5d4bbf4
SHA5123d648093962c5ba5167d3733acf592c30cb0bc3670c8ae0faaad2ad9e5ea438056ae5ea2c54869f4478c9409926e491771f16bfd8cfbd9e8ccd8a949901367d2
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5f47c8c4cebc36ef97502bb1c84e588ac
SHA1e0f0ec293f495088095a33dd1e8429241a796258
SHA25655ed722880eccaa4869347a5d632bf694fc53412ed6bf6fba25911ba22a15ae0
SHA512b73f0bb2852ae25da76d9f7cfee2485c87d081b2233f2a959be1c8339ec5fd20a829228848e373edc17b059e7c530351a160e2292fe85fda51cae1dfb2bf802d
-
Filesize
8KB
MD5a536a397a6d15bafda1142c71b096afe
SHA1353945ca012fadb9438dbfe7e098f742ee1b1306
SHA2562ce37d60bb4dd2aa57d447762a4aa14f11e14a72fb3a2c287d1b01c5e31846a1
SHA51273f922624c544f51aaf60f63ff28b8af1b1af30ea2d0a3d02abd32555a7786d108f4a822a693fa944cbb98f3fffb45a25531242b4433ee3a9f44273d9fac6677
-
Filesize
9KB
MD535a31a6d6050850ee7c2b441029e2e90
SHA18e07c83914d140fb1b78c3256730726fc7bce36f
SHA256956701d7b45ed64dfcdc8de408b694030d90ec806419e27b89879f4eef2eda28
SHA5128e990c1b90f48c00d979f0fe5093fcc06c80f44bb8e15fd7ca472eb45698f4800a69ec2707f5e46329db004e08819ace9504c7b096cc20045d63869c9cc32dce
-
Filesize
9KB
MD53afdd05012b8aa1ea0bdfa8f714c2034
SHA126bd21ef1f12c1a3a529fc729de79bba3adeb6d6
SHA256b07c08193eb3713d40483f5704e1cca5af880d8719783589b2d512776a235e0e
SHA5120f99bc2bd7581d74eb963cc4f903aa5262c825927f1522fc6f42b07389ad48dc78d30c42e9f0534fdfaca8a93527f6ab62e4e6d941bf9ec839d436513d7f0577
-
Filesize
9KB
MD5b71ba1c38d096d8f111d4f7b65088692
SHA1fa4d1e4de6d78456fea6275fd566f8f5438702b7
SHA2563bd1d2df208268870bf1e71aa8d545e40e3e040db962335fe8b87981211966b2
SHA512dcede9de98f82d628b51d7c123581bdce6c6bd099b90668f27c455651549c4780dacd458b3a33ec7975196310a79112c28334bd4fb7dee67887e6beba707e55d
-
Filesize
9KB
MD5dbf79be742cbaa202e5b398e555a82de
SHA135e1b88916a1db0b4d8217471623e5f2b9fd8a98
SHA256dc56ab691f56e5ebc844bf851444aa43ce5313f3b70b4d2eeb06fbd4861fdc6a
SHA512e914f32e2d12d7708ef136510e7bcb7f97351416cc716a4800f2270260e90a2b91e22d59d9c0d2f9bbb411e19093c6e7eb5ad09ee00fb7881a304966e48b433f
-
Filesize
9KB
MD520a08bbd1196056c68b64908ddd8fa6a
SHA10fcbe02c3fb18326705f2257103ae71a1ac53051
SHA2566446bfa81c6692616b3089c7c61c84f2be9fab8ef4e0f2c73eed25b396335abd
SHA512f9d0fb6a2cc78de9e958ab5408471afc06e3dc0df05dae3ffad09d951eee9822113e7359968d861c9ceaf3b7f2198e7fd1881426b2f96c05c3e8146dbe654e44
-
Filesize
9KB
MD56c7fcfc38182f3962adc4cf4b62f79f8
SHA14fd6f2212af66ff8452f32f45f0377ba9aa55ea7
SHA256cdcb5c88dd1dd0d1ba2407d49ef58b4c873e37ecc58ff6998c8d8454a97b3d6e
SHA5120c2a34547b422c441e866724697c78f4f959c5f5695d558e558a17967660654871df2d9009e79a311e98bde9393564a328a0bad64dee9e9bf288d3c24dbaa525
-
Filesize
9KB
MD5498270e0485fec80bdf80988ebfc38b0
SHA11f49607d157251c130e3736af52c948ec5dbec90
SHA256eab64f7d9cdbc3244a1125c6a3c41c66f811498143ec9c7058ee93aadf0df6d7
SHA512cf5db5929996311b40ecd2125944f719bde4a3d40baee0c5175c207c8e0eb4b3752e00ffa14e393d6b5d8e31d1f9a087a296cbfabe75e8d08f1c138d15b00c0f
-
Filesize
9KB
MD5622b5a6632c37bd0395082afacc0973d
SHA15e4759865b3f50d52927393512e27bce852d1196
SHA25656758b834a7acadcda2780082e7b9095d663569d10e096838af850aa8eea1061
SHA51285027e9b5925b6e96251e9f28317cde11225fb250e4dc5ee4f40c77c4110426226c34a222941bbb15dfd53cc0faa57e969bc44cbbbb3e85521c9933c9821cd06
-
Filesize
9KB
MD5e6a102b8d100f9acdea58c24e68c60db
SHA1783c7a8faa887b39c8ce3fcc5d751e879cffbe15
SHA256d240ba1a8ef3e37c6e1fa32c27f1a7a006f8f28a939bd9b1c5395644d8905573
SHA5123bed8abf82a0227a888e63d8fde9c6e9cc9670d4cf64104006f5bb07fc2c58edeaaddea923b8592f2cbdc08045de56209238178d479d91ba8ed5f9849ee47070
-
Filesize
9KB
MD582dea13010def9bf91982920a37527d5
SHA1b7aa5d59fabfc0d68efbce1f6eb5e9ee7e501194
SHA25628c4c8415500605ccb8f74cfc61a4b1231ce8cdfd09fcd498132b08df5499bde
SHA512b2083eb6b22300274ae29165b94a6b323f8c44572392418a6a2b211cbc4aaeb56eceded1bc7be67bb023298933b4906a40bb68a9b703e56f5cca0e15c4a120da
-
Filesize
9KB
MD55fbde86da0b92f59ef2a244c8aafcf30
SHA1eb4def120d1128552066c14aeb5950d510e60fb8
SHA2566e399aab28a247babf1dd126b6a24cd5029f27eca59bf054d392dd8e5ef3c23c
SHA512df9687e7e975eb7d15e94de100bab5e0f74a4d39b7113735f4b05db540438722e6bdb4f4ceaddcfbb2cf0fd86190a74c32d151889a4341445c99a2003ff6a3e1
-
Filesize
9KB
MD5b5633732bc7da59d53e7531b7a0c9c8e
SHA104ec76d7edd44b09c065f79030319623454554f8
SHA256d04aaf4da9aae7a5bb4a951b3ecac16d087a2ad5b494d5dc8b81727c5117b0f3
SHA512291b8cb33e6fbb3de218eec0b18969f8b2035618cbaade2fa0c30d93abb0fd37d4ab8b92464b9bb77ddbdf2aecd4a21024b83bb2d97a5a724e2bff1cabaa1a99
-
Filesize
9KB
MD5f28b7bf5204956b9af07a3827238dc92
SHA1d890bf4a0eb5252aa2ffe3332311fccf7f1d277e
SHA2569873e353d270499fd47ee721fde19123f8a6ef754a4ec6e1c7bd80aa545336ff
SHA5127a10d56950ef4ece776773c9dbed3319e372f26e424ecc073532f763f4b2c51d483de8d6168d66ad6179e926547e6ff3f01b4f82312946ae0fdc49202dc8b060
-
Filesize
9KB
MD558fb9b8c6846259893553cc77b059d9f
SHA10097794092ffb648f9cb47bc04998f9185500bbb
SHA256d36e2cebf9ffdabc38194e6089eada027631a67fe6538964f61a4ac72302a317
SHA512d9ab7701e82cdbe05499d2587aa97c406870cbf3f777c6ee64b0bd54af260d45076d0843e85fd4bfddd11f0f99ee5b042418f45837e8a7b33c814abab179d8e5
-
Filesize
9KB
MD5a91ac8cda739d676221f55826d996949
SHA1af91040e027ef50f2b27edeec6ee094782168dc7
SHA25644227a1ac08282c4d719e336914a88e66ee81548471ce81e96eb6034cc7b9c1e
SHA512789615f21e0eff3d66a0e2b193c5f769e509249bcab824c617259478bc61d1323af0e76d573454ead7db04e158bf456337df506b1b9fb47018632c5c71b2c31e
-
Filesize
9KB
MD517ff40097c0395c6ec3c41e440b81b41
SHA1bf368a465ee876d5908eb413e5482373f80d7f3f
SHA25634c72b534a5c0bbc3632aa8a130f660599903583514bb7cf2680e27314f2898f
SHA51243c201af9787e3c50d744261f8681af75cd330de48c358262d5a68d34d32dce41591f29ba9289a11fac4bf27eb1a234fbee003980ac9e4a0d62277d6c901ad5b
-
Filesize
9KB
MD54d28fb287a0636cec30af957a8248920
SHA13db8376b0967f351323b8fd98d0e04bd96fa7f1a
SHA256acec44b996f2f5b595c9c5187ec240afb7fd14517dcebe1107e614f6b273a996
SHA51240be3d22d988edddaaf71a80b0228b49c42f404456b937419c3c114de6e5252a8fcff1de8d4e1226ed84db09a7887b58847e0a450b409c810d2fa4b0ddf97374
-
Filesize
9KB
MD545ea7965f3718663e97d40c1106b84f7
SHA11cba504bcfb8525a69081812b33ee6f20b432e8d
SHA256216389e26a9f39ea5a46db33ea42d1d102483b516a97c910867b1775f6b36455
SHA512dd3b65e871af8444d6b834d8943bd2b8209eb333026e816d164d845dd7ad637237b31b90813c86914cafe40d5426b3a1347f9715d57a6ccb40b23e3b69e7053a
-
Filesize
9KB
MD5869a862c1bf09d3c556d1d54553ea731
SHA1456ca84dbad83b02b91f211c69340497a404fefc
SHA256f237afc64914170b4e4ef2e885169c46a1b471deeb9a56937b7ee06bde2cc55b
SHA5121b11757d96d6c99bae6469162eca24648525c9800bbf0998b1dc8ba573b4d36367adb46dc2749aff05324c9a6a6d6bb469a8d3edcb38859e52a2ca65bb326845
-
Filesize
9KB
MD546a4d666e03700d7425c04fb30b3174b
SHA14b461326dac2cc3ac4dd89f6cfb62593fb551c1e
SHA25635db8b5bd3a13c62d55f4f4b75e5aeb1084c3b83cb5cf17269efb89fe556825b
SHA5127e2302427916356e7c364de5604f0aa3ced1832e2357bc9e0dfcf74b1d06d7179dc2a77fd064981c3c220917f644bd42b69c4c69e5f49ad35129869d2433d536
-
Filesize
9KB
MD54e367cae529c800c9b6163ce38ddd843
SHA1625861f41849653838ec4d4d2decd727ff11bae2
SHA2567bb0a2768abf546b9ad61266371029d51223918932994ea29aab3887a4202e0c
SHA51253e8630e9c6c659d58c128d451dc10b9ed5053c195a67e6a0dceb27887ab51b3a7e51ccaddc11ff067ed0acaa821cb4ffefff0404fb906692548e7b1e5e017c9
-
Filesize
9KB
MD526964265ccba865663227601d7744170
SHA17fe0a256837b6b20232e147a0114477f257a017b
SHA25615c4e2b28fd35c564f9ef8f6f62948b237d14fbb61b8acde9ce30d6b9a8eb857
SHA51282d73899c07e6843df678ee569a2b34403de731c55d3ed469d0afeadb0f13c6e8ff7031e07462594b54cc922d3f531e28b41e78b99f5d8a5200f74c4c5035814
-
Filesize
8KB
MD5befb540735e9ce0a34ab66abc2b4682e
SHA13dbf83136d7e133618fb40ef2eb6cd2342d88a2d
SHA256326d93f61eb3a19fb207e5deca49c5d464a0d2d240f05d9b1a4564c6e7f4101b
SHA512e823e9b3692f708ba1075ffa2ad31e9c626e32c7f14624d50b816d8ac951ec5c051065053aeb8cffebf348da58ddb1b0578c4b532c05039e8ef912b9b4090ff7
-
Filesize
9KB
MD5b734f054256aa9c6b8033646ee65efc5
SHA1761919b599f6b1d4a8e76e9e1621e56f7ae6aa4b
SHA25604bc3277ae0a746142aad8b54c3a99d9c831b977cfd2030e094843c03422dacc
SHA51258b1c2ae29b564607801ab659ff8c8d72fd613b1103e5a66baefb3d9260b8225b30ac3cf19c9f4d05536664ada541f55cc2ca4a534c18406dc2c3257f5773dcb
-
Filesize
99KB
MD5b1e09d1aa09edebcfb12c90bd9bb2805
SHA18afb49772ed18c009e6fe1f5bc64f6d8730e1943
SHA256728497c56f0f290e8c7a92e998399f56f0556641bdd69484820ebea0de1befb9
SHA512cd7ec1c08d7d268e5426068d8ad0a9ac464b6a8542f07a10415dc4b553623061ae5ee443a00f9afbbaed5f0ac86c8c53183572311268ee9c2b416e3f9201cbe8
-
Filesize
99KB
MD5742b146ef594038a820da280cb929841
SHA126aba22d9674860080d5d546e78cb3e9cef94db1
SHA2567b7f6d50253a01d6a0b9d4f506b8985b306ed79281be28645031d5936d9afcbd
SHA512738a9b0cc37779d68d92c46e326e4f225de4086e585224b1f142e9d404b38279534a8d39617809f302b0759d50601b7ffc08ce0e2c82bf51728b4ee3dbf55967
-
Filesize
99KB
MD5f2afe10716560454b263bc4c64ede06a
SHA1747855c2f4bbae436bd38abd8dee0163ae046a98
SHA256edd78345d0fd77bf9b0216b661c377fbdcddcc727e4090a40f1bc7bed6fb24e5
SHA5121091a028178452ffd4587e1230d148fed514f94daa31cc47b58346d58104db2463e11c33adc74de67421175ffdc229d163987fa2c6c2d2834fc2ff0125e51993
-
Filesize
152B
MD5847d47008dbea51cb1732d54861ba9c9
SHA1f2099242027dccb88d6f05760b57f7c89d926c0d
SHA25610292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1
SHA512bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f
-
Filesize
152B
MD5f9664c896e19205022c094d725f820b6
SHA1f8f1baf648df755ba64b412d512446baf88c0184
SHA2567121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e
SHA5123fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\524dc3c4-026c-45f1-a1aa-75179fd3257e.tmp
Filesize6KB
MD5b883f12180319a66d3b86f600c24c5e6
SHA1d11039bbccb43d06715460599fc847931df33a14
SHA256e4384accf67780a8e34b481bb52dd6e5bd83a8249daabc314ffab3d3aa506139
SHA5122868c0de934a015dd2ba958771cb74863949caaed1f6e793753b9481f27ac994808731b30caa6ce871ea472d49663a0dda45032e58e344bad908ec183acaa9ae
-
Filesize
15.0MB
MD58f5a2b3154aba26acf5440fd3034326c
SHA1b4d508ee783dc1f1a2cf9147cc1e5729470e773b
SHA256fc7e799742a1c64361a8a9c3fecdf44f9db85f0bf57f4fb5712519d12ba4c5ac
SHA51201c052c71a2f97daf76c91765e3ee6ec46ca7cb67b162c2fc668ef5ee35399622496c95568dedffbaf72524f70f6afcfe90f567fbb653a93d800664b046cd5f2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5c3d22ee6ca0faccc2660cb6f28e9e14a
SHA1a984d55661273b8ba099348d874040c825e9b254
SHA2561a50f9e03ab7508ab0b35d241b6998674df9dc3d3637eb536b8f738ebae82dfa
SHA512770f44801deadad8e30047277ab7f3cb64a859a4741df9dfa3807249757de0c4a4c1734d50557bfbcb57ec8fb89915b7a8f94cc0fadc02d28e852c25da6b20ea
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5e8da8ae42ba2cac03b02b45f1a40f58a
SHA129ce7081808d1947bd2d3eb5a65f20491ad7e755
SHA256ad5e47d189e9d07799c28a3bfb8d0a93a97b818d6a3670a6ef2996b10c90dfcf
SHA51208ca7d2de4adcf84c201e685601a66668ecc4f2cc2ff39de56f5a6a3bc46f3bbbb613179674610a5cdc290dc7519733bf739336394d24f3c139e4381d5bb6571
-
Filesize
1KB
MD5e116bd79aadb37fc627bba42859977ea
SHA1072687358ffce87276edddf7e7c9a1b02ef122f1
SHA256c37920033e8b455db71c145487afc1947c01b3674edb1aed4bdc8e6d0b8d9a8a
SHA512d5224266ec4166b926bb2eef3c74a14d97fa2d1e6b62db88c24dea431da2697f59463ff5b26dc466b332ae6970622f08262dd58b684d1ab2a7fecd3823bff177
-
Filesize
939B
MD5a0c9b13ac33892f3fdd5e467eba819b5
SHA14442f8d1d00ddc27f5d7e12dbcdadfdf0ce31c15
SHA25608c022650eea557a9a26ed0fe813cce690be2fd7ff7cefca57c4767d82589d06
SHA5123b63a36c9bdbdbb2e5c554eac87e7e88b3f4730ef077cc7b96591d1e5538f4d9a91a76f1142b9e70bb620defa29f97f74b30ca7895a82029fe69872826078869
-
Filesize
1KB
MD5fe64cdd575340dacee1ef51ebc10fc87
SHA17550862288acbb85f74ad74099847208c105f051
SHA2564a2e4de78b4d227a64c583ad03330b2e5df034f068713ae0c2d95266eade02c4
SHA5123ac6c40afd72f26fd9f79a03aff2b0881b6ad216b746cf023a3f4b377c27b54750625e6273ff7e0b5371e0bbb2ad8d155f9391fd284f4aa39b8d043f2109cd0b
-
Filesize
7KB
MD5d9e7275c8fe56f6f3295614e2fa71d41
SHA17b2f9ccae91fb22ed43e7282b5af537f48ee14f8
SHA256d77aca077334bdb2d1cb69ceecf869e3dfe31e634feda618186bbc12b55d3e8a
SHA51295740b6a28c65c3aee7a6d6e3bd340618db4adb041c20028f4fc06aaf9b4cc8211389687547a497edbbbd70665267a293c6daf165b2a85d608578eebae7e7325
-
Filesize
6KB
MD5cf103dd38673c4ad6169b4793860e6f7
SHA10cb7d4cad8db983ee0639c712fa9bb945a0db648
SHA256d977651a13ce33e39a3bc5306d781e294b27bf357fc3a424c2fcf9b4728e2497
SHA5128e3dde48a3343900980f8e3508b3be8d4a010b1b268ee34c058c6c33ce9b8ef199b9490058ec957dbd967b9e0a9b7c2905d8a9efbf7764132a10292612e60e32
-
Filesize
6KB
MD5
b966ccefc917a3ec811ccf92e66d3c16
SHA1
67df25897e3618ad7f2121cee09acd45a30ee6e6
SHA256
025f194d23aa8890ee15e4e45ff9a570afc66a1bbc1c77faf56c0cf278a2c269
SHA512
0e0c8d66312c81607f37fbf822c7d64d14fcb4c193c5d3cd8c9fbb7de360c3ec5dd8cf5e4524fbdf96a4e96e7a65dd9e6f3835d05704d02414371f7c323d3258
-
Filesize
7KB
MD5
4761ebc79419df260fc021a9b2be537c
SHA1
8c628fb513e6d3cae97902d5de1ad90548612d3f
SHA256
10ac51b55bfe44459b55a8afb0d437f5d16f2b3ba133fd073df207a6cbdd6881
SHA512
83774814279ca2cd53f56271aab8cf0a6c658543419dc42390a0cfe83770f4f8e2c0a361427148a92c6f46791f3b3a9095f5255cbb420641ee4c94efde25cef5
-
Filesize
7KB
MD5
db20c5a1d00560096250c9b5f446cf4f
SHA1
f8669c9456f891c82a967105bff67091e00b52ef
SHA256
2a6319d3493693fd8e0aba4accc8814e43df714d04062bfc947abfc975f72152
SHA512
c5db7ef29fead861024a468ae934ace80f559757b7d11b76e6e18569df925da393a28bc11b186dd2b7d8f2adf559f53c67c6c30f3b7a5e0d3a511609a77a0667
-
Filesize
1KB
MD5
c5f0e8d06a32af4a756875e76b5a0c1c
SHA1
fde80a6a0ad4e39911493cd8bcdcd38aa97d18c3
SHA256
14e5d7e187ee825d95347aca9333c272cd052fead2e2e37458f5c8a55ac8e527
SHA512
eb7f8337dda7922dc41a880cb803615dfd6950e5e0d326b2e30340aae86ea6c101e4e17fd03906afe107ba9c7074fd358a6bc32802cb93f91a71fbe07754b811
-
Filesize
1KB
MD5
d8317a598725efb8c641af86e62e510e
SHA1
24adce38a7da3590b9ba6b63e11cb85a8028c382
SHA256
d900bd6f8c4c94a590a6e529fcb38251bcdfb488e2cb9a90e4bfe3ff7d06a91b
SHA512
758d6483e3a87f070942a608ec7a8be9318cc52703ffec6a83a4ab0cfe0142f71a2af257ad0777f3f9688a3c04e1fb3340cc3769cf9865bb32402d7326012cff
-
Filesize
1KB
MD5
a6bc3f16fed24e00fc18c316b6495796
SHA1
a91a395ac7025ebcc3e4d88901051babedeeea97
SHA256
9163925c67b76d3ebe2e6660f8a460d5941f0641efa455e29c5371260c9890f4
SHA512
1ca43312cc080d0d97b201eed88404365bd77fab85832df8b6643d1aea26478f985bc601e291a4080a74fba103d88127202414d72778e88a1f120d319fa235c6
-
Filesize
1KB
MD5
125f6ac962876e93d35861bd1ac80cf5
SHA1
67ce34a796bc71eaee3fd276c8e7276d4cc73c3d
SHA256
99a2ea1d01386447ef1809e5b88383e1794c49b01f30915066466e8b907b1d93
SHA512
28a514081cdfdbe00812c63584432fa3111f9a6621828ce8398d0fbe75043d44ee706f05f64b7b98909aa169b2714606c4353694cb596d0bc018cbc222398ef1
-
Filesize
538B
MD5
56f4115b138b1fdc0db373dc4655314f
SHA1
1d8465254dd1bd4362532aecb42aef00d5e85761
SHA256
70fca7d6d3f654eed1d3f0acb799feae0bb42faf416855ff31eb77e020cd3b93
SHA512
7c37e58fa57a91519fba764c59f92c7651ee56f158dbb782511b892540d889dca9e5692dce95f4b0b9a0fcbe5cd85eba1fe617ee0bd8654bfd5dc61da0bb096b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\9a60b377-cf52-43ea-9e7a-71c0ac620024\1
Filesize
10.0MB
MD5
f5ab85ea7eb77f497d765e8df3c968da
SHA1
d088d8a8029d7ffb2f942a1872ff8582b74c8469
SHA256
7a0f8bbd0d34af175dc5806378b62f17567131c45b46be75535a4282718c6d8a
SHA512
82c1c9d8f0e39904671274bcd9fb14e15477649cef6a1aba623669d83b84ea454009d997444802aafa1a732bc6d3dba2b6cd0f82c70547c3bdd733421030c216
-
Filesize
16B
MD5
6752a1d65b201c13b62ea44016eb221f
SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5
0919bda127ff0e44ccaa8a92e21db57b
SHA1
36548a0e51f665cc14359059711eb71d748a82bc
SHA256
f3d10af1a311d5955ba89eea9cc0d6aa0f5c6f61f42d66954e24057805ee2499
SHA512
cbc0fd583df07440c648aeafbfcab10734065b69d1352c8d9bf9668230f17404eb4577bcefde2497ebeaed18f90fcdef9700a1728c199af233c2dc8e984f94b8
-
Filesize
11KB
MD5
c8f57e5c5236fafea9177887345cf7da
SHA1
e77d3d9d79e2e1aca48e94b2ccafa68c61d8a0c6
SHA256
781029994be26bd63a3b4ad033fd49b72c921436293ada86375991e4b6377e6b
SHA512
86f33419b6f0dd9e638b151dda49d30022a25733467a943dcaa9c85713fd0941113686a65c28dbbe0b326c74177f6f3ab68c6d988c2f7f6b09225209b81bf472
-
Filesize
12KB
MD5
0f5ece09517c9fd89ce57fa42cdd46a7
SHA1
f1fc052891fc37a13f58541450a8cdd00230234e
SHA256
2ca42ff1996486ea4a42cb308d6b28d10554b31065c1e8ffd7eb7c59fc783aeb
SHA512
28ffc518df260fc7a4ff15905371163e6229536f25709e2beeaba002e6ab6bab80eb20ddf1005e902e7aa8dc067b0b653730102e2780097bfa024e62642c8890
-
Filesize
12KB
MD5
3f1bc68c02fedbe2bbf9f3cf3e17a4f4
SHA1
ba699f94ac6a84961edc88634c1966e8972dce69
SHA256
47e0aa8873bf72d8c64f4a63cf3279c7749dc23f62a9dcaddf9a8f67f41be89e
SHA512
355e49bb0b1833b723cf9a62bc4caeb280be4c9d44146fdb028cdff5ac61523d7e08adeec554bdfc5a18aa043fc877db88b008bb7474b5359c15941161141410
-
Filesize
2KB
MD5
a0679dce64fcf875f4208b823d4b85c0
SHA1
85abe3673db82bfe5b2c207dc98648e32afffea0
SHA256
85a07013575a6a890c7b1d26adaa52f17616c4cca673617aa1fc0992aa29dda1
SHA512
1e2740a09acc5b0d679acfd740feb3556638f1b6029078668bbb7e067b356fcecf23c5b317b02888822cc180c0eb5cb7e2caf63d92a74515ebc5a1031d80f3a6
-
Filesize
6.6MB
MD5
a605dbeda4f89c1569dd46221c5e85b5
SHA1
5f28ce1e1788a083552b9ac760e57d278467a1f9
SHA256
77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e
SHA512
e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610
-
Filesize
92KB
MD5
219cd85d93a4ed65a481f353a3de5376
SHA1
a38ab77caf5417765d5595b2fcd859c6354bf079
SHA256
00c9fdc8b877c7fb8365709155ab28cb3dac282ae7ec9fc9d47a78b408e0d13f
SHA512
367644e3bc3310207b5863b09688269c38a55540b8c87e71d66771c954d37d561ed09f3ee11b36c4c8f4a48b618b2e8debae3d93ff684d15305f93a3ade6b3d9
-
Filesize
5.0MB
MD5
c47c6a5111193af2c9337634b773d2d3
SHA1
036604921b67bbad60c7823482e5e6cb268ded14
SHA256
7c4f20624dd062a6c71d845d05c6328d5a903ca96398e2902506591b231ed585
SHA512
56698b7b2edc0f94d0f7172c853cbe67ac682d132df768659ebca0c169091acb36ffd0a6874c26e2fb35117061c91c9eca4312532ba778312e3d63cc77ce1262
-
Filesize
780KB
MD5
4151b988c9d5c550ccb6c3b49bf551d4
SHA1
10ff979be4a5bbacaf208bdbb8236b940208eed1
SHA256
5ec45cc1a109f556d0cd44ba48d3bf11af556ee66dd8b78c94d3ef0e93735e8e
SHA512
c73947b534741c29340550066cd1a6b7cbb4387f3be8303f2d1d0cb21c6f430e0415c27daabc82d32570f421934db78dc840403de18aef09d5a4f0cbe4350e4d
-
Filesize
19.0MB
MD5
1b185a156cfc1ddeff939bf62672516b
SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5
SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36
SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7
-
Filesize
1.3MB
MD5
74be3afd732dc010c8266326cc32127b
SHA1
a91802c200f10c09ff9a0679c274bbe55ecb7b41
SHA256
03fe34795ad0f91fc8eb8c9ebe8094541e4fb4d7095095f8b48f345c2a6d0f0c
SHA512
68fa03d640680e37614feccb56f4d41180724cb7c08ba25f9bea3830a44c03d635664d8e0255ab2d05d3613498f4a4dd4398b7971a2cb1c9ae3be93f944946e5
-
Filesize
2KB
MD5
288bebe9f904e6fabe4de67bd7897445
SHA1
0587ce2d936600a9eb142c6197fe12a0c3e8472f
SHA256
cf965fcc5a7ca4d9245c706c88b4d5013fb84be27b0ec262facccfadf14bdca2
SHA512
7db8e7c1318bcab7cef2c02484a82f347a630443a644b546a5cc339a5a848d1a3e915255f9c357de6ee26817a55d1091d80e2a8e97f66afa5686b3d11ee56c3c
-
Filesize
74B
MD5
05d30a59150a996af1258cdc6f388684
SHA1
c773b24888976c889284365dd0b584f003141f38
SHA256
c5e98b515636d1d7b2cd13326b70968b322469dbbe8c76fc7a84e236c1b579c9
SHA512
2144cd74536bc663d6031d7c718db64fd246346750304a8ceef5b58cd135d6ea061c43c9150334ee292c7367ff4991b118080152b8ebc9c5630b6c5186872a3a
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These four values are the digests of zero-byte input: the file was empty when the sandbox hashed it, so they identify nothing and should not be used as indicators.)
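The dropped-file list above is only useful once it is machine-readable. What follows is an added example, not part of the sandbox report and not the sandbox vendor's code: it parses records in the layout shown here, where each Filesize/MD5/SHA1/SHA256/SHA512 value is either fused to its label or sits on the line after it and a lone "-" separates records, checks that every digest has the right length and is hex, and flags entries whose digests are those of zero-byte input so they are not mistaken for indicators. The sample input is constructed from two of the entries above; the layout rules and the function names are this example's own assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero-byte input, computed here; a record matching all of them was empty when hashed.
EMPTY_DIGESTS = {a: getattr(hashlib, a.lower())(b"").hexdigest() for a in DIGEST_HEX_LEN}
# Longest labels first so "SHA1" cannot swallow the start of "SHA512" or "SHA256".
LABEL_RE = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5)(.*)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Constructed sample: two records copied from the report (the 10.0MB blob_storage file
# and the trailing entry), kept in the flattened layout the extraction produced.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\9a60b377-cf52-43ea-9e7a-71c0ac620024\1
Filesize10.0MB
MD5f5ab85ea7eb77f497d765e8df3c968da
SHA1d088d8a8029d7ffb2f942a1872ff8582b74c8469
SHA2567a0f8bbd0d34af175dc5806378b62f17567131c45b46be75535a4282718c6d8a
SHA51282c1c9d8f0e39904671274bcd9fb14e15477649cef6a1aba623669d83b84ea454009d997444802aafa1a732bc6d3dba2b6cd0f82c70547c3bdd733421030c216
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""


@dataclass
class DroppedFile:
    path: Optional[str] = None
    size: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)

    @property
    def is_empty_file(self) -> bool:
        """True when every listed digest is the digest of zero-byte input."""
        return bool(self.digests) and all(EMPTY_DIGESTS[a] == v for a, v in self.digests.items())


def approx_bytes(size: str) -> Optional[int]:
    """'10.0MB' -> 10485760. Report sizes are rounded, so the result is approximate."""
    m = SIZE_RE.match(size.strip())
    return int(float(m.group(1)) * UNIT[m.group(2)]) if m else None


def _validate(rec: DroppedFile) -> None:
    for alg, want in DIGEST_HEX_LEN.items():
        val = rec.digests.get(alg)
        if val is None:
            rec.problems.append(f"{alg} missing")
        elif len(val) != want or not HEX_RE.match(val):
            rec.problems.append(f"{alg} is not a {want}-char hex digest: {val}")
    empties = sum(EMPTY_DIGESTS[a] == v for a, v in rec.digests.items())
    if 0 < empties < len(rec.digests):
        rec.problems.append("digests disagree: only some are of empty input")


def _finish(rec: DroppedFile, records: List[DroppedFile]) -> None:
    if rec.path or rec.size or rec.digests or rec.problems:
        _validate(rec)
        records.append(rec)


def parse_report(text: str) -> List[DroppedFile]:
    """Split the flattened list into records; a lone '-' line ends a record."""
    records: List[DroppedFile] = []
    cur, pending = DroppedFile(), None  # pending: label whose value is on the next line

    def store(label: str, value: str) -> None:
        if label == "Filesize":
            cur.size = value.strip()
        else:
            cur.digests[label] = value.strip().lower()

    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line == "-":
            _finish(cur, records)
            cur, pending = DroppedFile(), None
            continue
        if pending:
            store(pending, line)
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m and m.group(2):
            store(m.group(1), m.group(2))
        elif m:
            pending = m.group(1)
        elif "\\" in line:  # a Windows path line precedes the hashes of a named drop
            cur.path = line
        else:
            cur.problems.append(f"unrecognised line: {line}")
    _finish(cur, records)
    return records


def collect_iocs(records: List[DroppedFile], alg: str = "SHA256") -> List[str]:
    """Digests worth pivoting on: empty files and malformed records are excluded."""
    return sorted({r.digests[alg] for r in records
                   if alg in r.digests and not r.is_empty_file and not r.problems})


if __name__ == "__main__":
    for r in parse_report(SAMPLE):
        tag = "EMPTY FILE" if r.is_empty_file else ("ok" if not r.problems else "; ".join(r.problems))
        print(f"{r.size or '?':>8}  {r.digests.get('SHA256', '?')[:16]}...  {r.path or '(no path)'}  [{tag}]")
```

Running the block against the sample yields one usable indicator, the SHA-256 of the 10.0MB blob_storage file; the trailing record is reported as an empty file and dropped from `collect_iocs`, which is the set you would feed to a hash lookup or blocklist.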