Analysis
max time kernel: 324s
max time network: 337s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-08-2024 14:11
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://kkk
Resource: win10v2004-20240802-en
Errors
General
Target: http://kkk
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | gdifuncs.exe
The WOW6432Node path shows the write came from a 32-bit process under registry redirection; when checking a host, read the native 64-bit Winlogon key as well as the redirected one.
UAC bypass 1 IoCs
Processes (description | ioc | process):
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
Disables Task Manager via registry modification
Possible privilege escalation attempt 4 IoCs
Processes (pid | process):
6124 | takeown.exe
1856 | icacls.exe
1924 | takeown.exe
4264 | icacls.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | gdifuncs.exe
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | wscript.exe
Executes dropped EXE 4 IoCs
Processes (pid | process):
2984 | mbr.exe
6136 | jeffpopup.exe
5580 | bobcreep.exe
4220 | gdifuncs.exe
Modifies file permissions 1 TTPs 4 IoCs
Processes (pid | process):
6124 | takeown.exe
1856 | icacls.exe
1924 | takeown.exe
4264 | icacls.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description | ioc | process):
File opened for modification | \??\PhysicalDrive0 | mbr.exe
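A write handle to \??\PhysicalDrive0 tells you that sector 0 may have been rewritten, not what was written. The follow-up is to pull the first 512 bytes from the disk and compare them with a trusted copy, separating "boot code replaced" (bootkit or MBR locker) from "partition table rewritten" (wiper). The parser below is an added example, not part of this report and not code from the sample or the sandbox vendor; the three sectors it checks are constructed in the block, and only read_mbr() touches a real device (it assumes the Windows \\.\PhysicalDrive0 device path and administrator rights).

```python
"""Parse a 512-byte MBR sector and compare it with a trusted baseline copy,
the on-disk follow-up for a raw-write handle to PhysicalDrive0.

Added example, not part of the sandbox report or the sample: the sectors
below are constructed; read_mbr() is the only function that touches a device."""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 446      # bytes 0..445 are boot code; 446..509 hold 4 partition entries
ENTRY = "<B3xB3xII"      # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw device (needs administrator on Windows)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(sector):
    """Return boot signature validity, a hash of the boot code, and the used partition slots."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR sector is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY, sector, BOOTSTRAP_LEN + 16 * i)
        if ptype:                                    # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_to_baseline(current, baseline):
    """Tell 'boot code replaced' apart from 'partition table rewritten'."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    return {
        "bootstrap_changed": cur["bootstrap_sha256"] != base["bootstrap_sha256"],
        "partition_table_changed": cur["partitions"] != base["partitions"],
        "signature_ok": cur["signature_ok"],
    }


def build_sector(bootstrap, partitions):
    """Assemble a sector from boot code and (status, type, lba_start, count) tuples (constructed data)."""
    buf = bytearray(SECTOR)
    code = bootstrap[:BOOTSTRAP_LEN]
    buf[:len(code)] = code
    for i, entry in enumerate(partitions[:4]):
        struct.pack_into(ENTRY, buf, BOOTSTRAP_LEN + 16 * i, *entry)
    buf[510:512] = BOOT_SIG
    return bytes(buf)


# Constructed baseline: a stub of boot code and one bootable NTFS (0x07) partition at LBA 2048.
STUB_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64
BASELINE = build_sector(STUB_CODE, [(0x80, 0x07, 2048, 204800)])
# Constructed tampered copy: boot code overwritten, partition table untouched,
# which is how an MBR locker or bootkit keeps the disk "bootable" into its own code.
TAMPERED = build_sector(b"\xeb\xfe" + b"LOCKED" * 20, [(0x80, 0x07, 2048, 204800)])
# Constructed wiped copy: boot code intact, partition table emptied.
WIPED = build_sector(STUB_CODE, [])

if __name__ == "__main__":
    print("tampered:", compare_to_baseline(TAMPERED, BASELINE))
    print("wiped:   ", compare_to_baseline(WIPED, BASELINE))
```

The baseline should come from a known-good image of the same machine (or from the bootstrap hash of a clean install of the same Windows build), taken before the incident; hashing only the first 446 bytes keeps the comparison independent of legitimate partition-table changes, and the partition list is compared separately so a wiper that leaves the boot code alone still shows up.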
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | reg.exe
Drops file in Windows directory 2 IoCs
Processes (description | ioc | process):
File opened for modification | \??\c:\windows\WinAttr.gci | cmd.exe
File created | C:\windows\WinAttr.gci | gdifuncs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process): every entry is the same key, \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, with description "Key opened", by these processes in order:
cmd.exe, takeown.exe, icacls.exe, timeout.exe, taskkill.exe, bobcreep.exe, gdifuncs.exe, takeown.exe, icacls.exe, ADM Adrenaline Ultimate Edition.exe, mbr.exe, jeffpopup.exe
Note that the stock Windows utilities in this list (cmd.exe, takeown.exe, icacls.exe, timeout.exe, taskkill.exe) trigger the same hit, so this signature is low-signal on its own.
Delays execution with timeout.exe 1 IoCs
Processes (pid | process):
4140 | timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Kills process with taskkill 1 IoCs
Processes (pid | process):
4944 | taskkill.exe
Modifies Control Panel 3 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Modifies registry class 2 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{F71F8B79-F7F8-48B0-AEEB-65DF31266911} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid | process), repeated entries collapsed:
5056 | msedge.exe
5072 | msedge.exe
4652 | identity_helper.exe
1920 | msedge.exe
3980 | msedge.exe
5600 | msedge.exe
4220 | gdifuncs.exe (most of the 64 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
Processes (pid | process):
5072 | msedge.exe (all 15 entries)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 4220 | gdifuncs.exe
Token: SeDebugPrivilege | 4220 | gdifuncs.exe
Token: SeTakeOwnershipPrivilege | 6124 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1924 | takeown.exe
Token: SeDebugPrivilege | 4944 | taskkill.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid | process), repeated entries collapsed:
5072 | msedge.exe
6136 | jeffpopup.exe
Suspicious use of SendNotifyMessage 24 IoCs
Processes (pid | process):
5072 | msedge.exe (all 24 entries)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid | process):
5416 | paid koad tweak tool.exe
1272 | ADM Adrenaline Ultimate Edition.exe
6136 | jeffpopup.exe
5580 | bobcreep.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid | process | target pid | target process), repeated entries collapsed; all 64 entries are the Edge browser process writing into its own child processes:
5072 | msedge.exe | 3112 | msedge.exe
5072 | msedge.exe | 4960 | msedge.exe
5072 | msedge.exe | 5056 | msedge.exe
5072 | msedge.exe | 1492 | msedge.exe
System policy modification 1 TTPs 1 IoCs
Processes (description | ioc | process):
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
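The IoCs that matter in the list above are the Winlogon Shell rewrite, ConsentPromptBehaviorAdmin set to 0, the cursor paths pointed at a dropped .cur file, the write handle to PhysicalDrive0, and takeown/icacls aimed at LogonUI.exe; the Edge and NLS\Language entries are ordinary browser and process start-up noise. The block below turns those five into detection rules and runs them over events built from this page. It is an added example, not part of the sandbox report and not code from the sample or the sandbox vendor; the Event record is a simplified Sysmon/EDR-style shape (an assumption), and SAMPLE_EVENTS is constructed from the IoCs above rather than read from a real log. The Winlogon rule matches both the native key and the WOW6432Node view, since the redirected write recorded here is what a 32-bit dropper produces.

```python
"""Detection rules for the registry, raw-disk and ACL behaviours in the
signatures above, evaluated over constructed events.

Added example, not part of the sandbox report or the sample: Event is a
simplified Sysmon/EDR-style record (assumption), and SAMPLE_EVENTS is built
from the IoCs on this page, not from a real log."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str          # "registry_set" | "file_write_open" | "process_create"
    process: str       # image name of the acting process
    target: str        # registry value path, device path, or full command line
    data: str = ""     # registry data (registry_set only)


# Winlogon reads the native key; a 32-bit writer such as gdifuncs.exe is
# redirected to WOW6432Node (as in the IoC above), so both views are matched.
WINLOGON_SHELL = re.compile(
    r"\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT"
    r"\\CurrentVersion\\Winlogon\\Shell$", re.IGNORECASE)
UAC_CONSENT = re.compile(r"\\Policies\\System\\ConsentPromptBehaviorAdmin$", re.IGNORECASE)
CURSORS = re.compile(r"\\Control Panel\\Cursors\\", re.IGNORECASE)
PHYSICAL_DRIVE = re.compile(r"^\\\?\?\\PhysicalDrive\d+$", re.IGNORECASE)
LOGON_BINARY = re.compile(r"\\system32\\(?:LogonUI|winlogon|utilman|sethc)\.exe", re.IGNORECASE)
STOCK_CURSOR_DIRS = ("c:\\windows\\cursors\\", "%systemroot%\\cursors\\")

RULE_WINLOGON = "T1547.004 Winlogon Shell persistence"
RULE_UAC = "T1548.002 UAC consent prompt disabled for administrators"
RULE_CURSOR = "cursor files pointed outside %SystemRoot%\\Cursors"
RULE_MBR = "T1542.003 raw write handle to a physical drive"
RULE_ACL = "T1222.001 ownership/ACL change on a logon binary"


def rule_winlogon_shell(e):
    # The stock value is exactly "explorer.exe"; anything appended runs at every logon.
    if e.kind == "registry_set" and WINLOGON_SHELL.search(e.target):
        if e.data.strip().lower() != "explorer.exe":
            return RULE_WINLOGON
    return None


def rule_uac_disabled(e):
    # 0 means elevate without prompting; 5 is the Windows default.
    if e.kind == "registry_set" and UAC_CONSENT.search(e.target) and e.data.strip() == "0":
        return RULE_UAC
    return None


def rule_cursor_hijack(e):
    if e.kind == "registry_set" and CURSORS.search(e.target) and e.data:
        if not e.data.lower().startswith(STOCK_CURSOR_DIRS):
            return RULE_CURSOR
    return None


def rule_raw_disk_write(e):
    if e.kind == "file_write_open" and PHYSICAL_DRIVE.search(e.target):
        return RULE_MBR
    return None


def rule_logon_binary_acl(e):
    if e.kind == "process_create" and e.process.lower() in ("takeown.exe", "icacls.exe"):
        if LOGON_BINARY.search(e.target):
            return RULE_ACL
    return None


RULES = (rule_winlogon_shell, rule_uac_disabled, rule_cursor_hijack,
         rule_raw_disk_write, rule_logon_binary_acl)


def evaluate(events):
    """Map each rule that fired to the list of processes that triggered it."""
    hits = {}
    for e in events:
        for rule in RULES:
            name = rule(e)
            if name:
                hits.setdefault(name, []).append(e.process)
    return hits


USER_KEY = "\\REGISTRY\\USER\\S-1-5-21-945322488-2060912225-3527527000-1000"
SAMPLE_EVENTS = [  # constructed from the IoCs in this report
    Event("registry_set", "gdifuncs.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
          r'explorer.exe, wscript.exe "C:\windows\winbase_base_procid_none\secureloc0x65\WinRapistI386.vbs"'),
    Event("registry_set", "gdifuncs.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
          "0"),
    Event("registry_set", "gdifuncs.exe", USER_KEY + r"\Control Panel\Cursors\Arrow",
          r"C:\Windows\winbase_base_procid_none\secureloc0x65\rcur.cur"),
    Event("file_write_open", "mbr.exe", r"\??\PhysicalDrive0"),
    Event("process_create", "takeown.exe",
          r'"C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe'),
    # Benign controls (constructed): the stock shell value and a stock cursor must not fire.
    Event("registry_set", "explorer.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe"),
    Event("registry_set", "rundll32.exe", USER_KEY + r"\Control Panel\Cursors\Arrow",
          r"%SystemRoot%\cursors\aero_arrow.cur"),
]

if __name__ == "__main__":
    for name, procs in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(procs)}")
```

On a live host the registry rules map onto Sysmon Event ID 13 (registry value set) and the ACL rule onto Event ID 1 (process create) with the CommandLine field as target. Sysmon's Event ID 9 (RawAccessRead) only covers raw reads of the drive, so the PhysicalDrive write rule needs EDR or kernel file-handle telemetry; which source you have is an assumption about your environment, not something this report tells you.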
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://kkk1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3f7f46f8,0x7ffa3f7f4708,0x7ffa3f7f47182⤵PID:3112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:22⤵PID:4960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:5056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:82⤵PID:1492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:12⤵PID:3592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵PID:2888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:12⤵PID:580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:12⤵PID:3896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:12⤵PID:1248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:82⤵PID:4460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:12⤵PID:3964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:12⤵PID:1892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:12⤵PID:3352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:12⤵PID:4312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5056 /prefetch:82⤵PID:1640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5688 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:12⤵PID:5732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:12⤵PID:5772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:12⤵PID:5968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:12⤵PID:5972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2604 /prefetch:82⤵PID:5600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵PID:5608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4948 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:12⤵PID:2280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3056 /prefetch:82⤵PID:4572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2064,5114710977838401659,13363229632020143308,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5232 /prefetch:82⤵PID:5600
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5000
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5040
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5160
-
C:\Users\Admin\AppData\Local\Temp\Temp1_stealer tools.zip\stealer tool (most recomended)\paid koad tweak tool.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_stealer tools.zip\stealer tool (most recomended)\paid koad tweak tool.exe"1⤵
- Suspicious use of SetWindowsHookEx
PID:5416
-
C:\Users\Admin\AppData\Local\Temp\Temp1_stealer tools.zip\stealer tool + secret options\ADM Adrenaline Ultimate Edition.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_stealer tools.zip\stealer tool + secret options\ADM Adrenaline Ultimate Edition.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1272 -
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\5181.tmp\5182.tmp\5183.vbs //Nologo2⤵
- Checks computer location settings
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\5181.tmp\mbr.exe"C:\Users\Admin\AppData\Local\Temp\5181.tmp\mbr.exe"3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:2984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5181.tmp\tools.cmd" "3⤵PID:3268
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f4⤵
- Sets desktop wallpaper using registry
PID:5548
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:2508
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:3512
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:1080
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4208
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:5196
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:5776
-
-
Process tree (continued). Depth is the nesting level in the tree; the 29 rundll32.exe children below share one command line and differ only by PID.

[depth 4] PID 5516  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 4820  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 5916  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 5396  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 60    C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 3788  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 1752  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 4380  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 3756  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 5232  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 5252  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 5224  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 4164  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 5284  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 208   C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 2220  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 5316  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 5288  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 492   C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 1720  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 5328  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 3408  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 1476  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 5000  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 5352  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 5388  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 6004  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 6012  C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 4] PID 456   C:\Windows\system32\rundll32.exe  cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
[depth 3] PID 6136  C:\Users\Admin\AppData\Local\Temp\5181.tmp\jeffpopup.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\5181.tmp\jeffpopup.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

[depth 3] PID 5580  C:\Users\Admin\AppData\Local\Temp\5181.tmp\bobcreep.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\5181.tmp\bobcreep.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

[depth 3] PID 4220  C:\Users\Admin\AppData\Local\Temp\5181.tmp\gdifuncs.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\5181.tmp\gdifuncs.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification

  [depth 4] PID 6124  C:\windows\SysWOW64\takeown.exe
    cmdline: "C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  [depth 4] PID 1856  C:\windows\SysWOW64\icacls.exe
    cmdline: "C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery

  [depth 4] PID 3288  C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery

    [depth 5] PID 1924  C:\Windows\SysWOW64\takeown.exe
      cmdline: takeown /f LogonUI.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

    [depth 5] PID 4264  C:\Windows\SysWOW64\icacls.exe
      cmdline: icacls LogonUI.exe /granted "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
      - System Location Discovery: System Language Discovery

    [depth 5] PID 4140  C:\Windows\SysWOW64\timeout.exe
      cmdline: timeout 2
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe

    [depth 5] PID 4944  C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im "tobi0a0c.exe"
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

[depth 1] PID 4328  C:\Windows\system32\NOTEPAD.EXE
  cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\YOUDIED 55.txt
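Detection logic for the chain above (takeown and icacls on LogonUI.exe, copy over LogonUI.exe, Winlogon Shell and ConsentPromptBehaviorAdmin changes), added here as an example; it is not part of the sandbox report. It runs over constructed, Sysmon-style process-creation and registry-set records that copy the report's command lines; the field names and the registry value data are assumptions made for the example. Two details of the tree shape the rules. First, every child of gdifuncs.exe is recorded with a SysWOW64 image although its command line names system32: gdifuncs.exe is 32-bit, so its children run under WoW64 file-system redirection, which also means the copy to "C:\windows\system32\LogonUI.exe" issued from the 32-bit cmd.exe lands in SysWOW64 unless redirection was disabled. The rules therefore key on the command line rather than on the resolved image path. Second, the sample's icacls switch is /granted, which icacls does not accept (the documented switch is /grant), so the rule matches both spellings and flags the attempt whether or not it succeeded.

```python
"""Detection logic for the LogonUI.exe replacement and Winlogon/UAC tampering
seen in the process tree above.

Added example, not part of the sandbox report. The events below are
constructed to mirror the report's command lines; the field names
(image, cmdline, target, details) imitate Sysmon process-creation
(EventID 1) and registry-set (EventID 13) records but are an assumption,
not an export from a real log source.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    eid: int           # 1 = process create, 13 = registry value set (Sysmon-style)
    pid: int
    image: str = ""
    cmdline: str = ""
    target: str = ""   # registry value path (EventID 13 only)
    details: str = ""  # registry value data (EventID 13 only)


LOGONUI = re.compile(r"logonui\.exe", re.I)
TAKEOWN = re.compile(r"\btakeown(\.exe)?\b.*\s/f\s", re.I)
# icacls documents /grant; the sample types /granted, which icacls rejects as an
# invalid parameter. Match both: the attempt is what we want to see.
ICACLS_GRANT = re.compile(r"\bicacls(\.exe)?\b.*\s/grant(ed)?\s", re.I)
COPY_OVER_LOGONUI = re.compile(r"\bcopy\b.*logonui\.exe.*\s/y\b", re.I)
WINLOGON_SHELL = re.compile(r"\\Winlogon\\Shell$", re.I)
UAC_ADMIN_PROMPT = re.compile(r"\\Policies\\System\\ConsentPromptBehaviorAdmin$", re.I)


def detect(events):
    """Return (rule_name, pid) for every event that matches a rule.

    Rules are applied to each command line independently, so one cmd.exe /c
    chain that does takeown, icacls and copy yields three hits.
    """
    hits = []
    for ev in events:
        if ev.eid == 1:
            cl = ev.cmdline
            if LOGONUI.search(cl) and TAKEOWN.search(cl):
                hits.append(("takeown_on_logonui", ev.pid))
            if LOGONUI.search(cl) and ICACLS_GRANT.search(cl):
                hits.append(("acl_grant_on_logonui", ev.pid))
            if COPY_OVER_LOGONUI.search(cl):
                hits.append(("overwrite_logonui", ev.pid))
        elif ev.eid == 13:
            if WINLOGON_SHELL.search(ev.target):
                # Anything beyond the default "explorer.exe" runs at every logon.
                if ev.details.strip().lower() != "explorer.exe":
                    hits.append(("winlogon_shell_modified", ev.pid))
            elif UAC_ADMIN_PROMPT.search(ev.target) and ev.details.strip() == "0":
                hits.append(("uac_admin_prompt_disabled", ev.pid))
    return hits


def assess(hits):
    """Collapse individual hits into one severity plus the sorted rule names."""
    rules = sorted({rule for rule, _ in hits})
    if "overwrite_logonui" in rules and (
        "takeown_on_logonui" in rules or "acl_grant_on_logonui" in rules
    ):
        severity = "critical"   # a system binary was re-owned and replaced
    elif "winlogon_shell_modified" in rules or "uac_admin_prompt_disabled" in rules:
        severity = "high"
    elif rules:
        severity = "medium"
    else:
        severity = "none"
    return severity, rules


# Constructed events: PIDs and command lines follow the report's process tree;
# the registry value data is made up for the example.
SAMPLE_EVENTS = [
    Event(1, 6124, r"C:\windows\SysWOW64\takeown.exe",
          r'"C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe'),
    Event(1, 1856, r"C:\windows\SysWOW64\icacls.exe",
          r'"C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F'),
    Event(1, 3288, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe'
          r'&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none'
          r'&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y'
          r'&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2'
          r'&taskkill /f /im "tobi0a0c.exe"&exit'),
    Event(1, 5516, r"C:\Windows\system32\rundll32.exe",
          "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"),      # noise
    Event(1, 9999, r"C:\Windows\System32\takeown.exe",
          r"takeown /f C:\Users\Admin\Desktop\notes.txt"),                 # benign takeown
    Event(13, 4220, target=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
          details=r'explorer.exe, wscript.exe "C:\windows\dropped.vbs"'),
    Event(13, 4220, target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin",
          details="0"),
]

if __name__ == "__main__":
    severity, rules = assess(detect(SAMPLE_EVENTS))
    print(severity, rules)
```

The benign takeown on a user file and the rundll32 noise produce no hits, the registry events alone rate "high", and the full set rates "critical" because a re-owned system binary was overwritten. Feed real Sysmon or EDR records by mapping their CommandLine, TargetObject and Details fields onto the Event fields.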
Network
MITRE ATT&CK Enterprise v15 (the number after each technique is the count of triggered signatures mapped to it)

Persistence
  - Boot or Logon Autostart Execution (1): Winlogon Helper DLL, T1547.004 (1)
  - Pre-OS Boot (1): Bootkit, T1542.003 (1)

Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control, T1548.002 (1)
  - Boot or Logon Autostart Execution (1): Winlogon Helper DLL, T1547.004 (1)

Defense Evasion
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control, T1548.002 (1)
  - File and Directory Permissions Modification, T1222 (1)
  - Impair Defenses (1): Disable or Modify Tools, T1562.001 (1)
  - Modify Registry, T1112 (4)
  - Pre-OS Boot (1): Bootkit, T1542.003 (1)
Downloads
- Filesize: 11KB
  MD5: 7ed23c590f39823ae0d29022f7c0f5b4
  SHA1: 27ebeea94aaffba1dcc1daea4619b009bee77d0d
  SHA256: 112745276bff0bbaef16ced67a66a817c095e229022314beb252057bf376eb12
  SHA512: 1bf4ac46f3386a6080d68a3da04d55cc2b732bdfa3771dc8ffa13e1ce24a73489323f74809aa7d3ca23d1bcf6ff83b1f0bb1b26f8d4ff30fe1b999eefd4a1c9e

- Filesize: 152B
  MD5: 9b008261dda31857d68792b46af6dd6d
  SHA1: e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3
  SHA256: 9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da
  SHA512: 78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

- Filesize: 152B
  MD5: 0446fcdd21b016db1f468971fb82a488
  SHA1: 726b91562bb75f80981f381e3c69d7d832c87c9d
  SHA256: 62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222
  SHA512: 1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

- Filesize: 198KB
  MD5: 6361c5ef86da263bd835f8e1297f9b1f
  SHA1: 4375c4b574860a75bfb78aca1390ac32c97922b2
  SHA256: dc9de9e44006d0690f5b789a84ce16f558d906d22c3b1647ce72e57bac6c56f1
  SHA512: 62fd9c9e0159cf0fb74c223801d7b5b1a76093dda5bc05ac12ee7d45d400e25072149cab951d98161b6718043dbcc420bdc9fb2d496c1ca1d67bdfc7f7575436
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: f6c2c70bde1ddb0cd2659c698c68cdce
  SHA1: 1160354a588d255f3de40b1b230ca35ab47772ef
  SHA256: 8319b2a45f472a6fd86211edc34baba08116997fd4f6baa8569af4c8df88a468
  SHA512: e0a008c519617ea1f368f2b1800ab888c091c5d87b9662ef6c337a081484ee6a3418412da98818775e1da06c73b145133f4844247623b50c548edf64bc7eb827

- Filesize: 96B
  MD5: 5d5811eb6836dd51320a01a96f5e049f
  SHA1: fa081149e55dd257a303619baef99a0f5aef72fd
  SHA256: 1645addbe20c89d0154fd5c36d5f54bdcf5272804feb74dd6d26136fcaae0277
  SHA512: 4b7ad3e5c10a6570cb5faf2de4a90dc14435046f6ffe3bc54b0070e663a23b80033d00f0f8d9b5511406e4f4996be2b94e1ca41b19ec7e1aa123a9a65e76f828

- Filesize: 754B
  MD5: 4751261278cff4d91cf37cc20b5e8491
  SHA1: 5b91d27649a59c43df17bfb2f02549c15dc17ba2
  SHA256: bc0831013236e73c3bbfc9c94d08b3d0959f85dfb00eaa9b2d23c4ab5a6a00ac
  SHA512: 921d33a7a6e437d416aa3d97361416584f09d2e50c122f9157e1fac0b7e128e9186f8022855b9d71a8fb66bafefd48371a12204f412c7c3981226fe1a96dcfba

- Filesize: 1KB
  MD5: 64c164bfc6fbe6c600e9f79ecde796e1
  SHA1: 89d16a44c68c8c5d45aa86afe4274112310b76f8
  SHA256: 02f56d05aa166c07a05c533edbd484b205367af0f06aa897b967c879dc80c13f
  SHA512: bc9b5995f6ff4bfcf453d2e5913fe7750a29c6cfbc3401f8ea4559e0d729c6caec2b4c3e1763ac5655efa5b4dc3b994c31fb1ac882228f04dc8fda78276110b6

- Filesize: 1KB
  MD5: 890a0d041f5c3cbf5bbea3c2073625d6
  SHA1: cd9f10760c88b8396856b683427d63b89cbe9be2
  SHA256: 5296195371600028654fbf798ab55d0b88e2e86a1c5f6c6dc512e0f0bc0c4539
  SHA512: 5f12bb74588e2010b74573e471c0e213609bee2c1babf938a1449df2b132645aaf97c39ed291ad596b019b81734b2fca1eea183b1b97dbe0f9b9914e5f2d58c3

- Filesize: 7KB
  MD5: 332673db7fd1379ab652c0e66e11c49d
  SHA1: 7dc84ac76dbcb2e003e0506f5f8325234f225502
  SHA256: 04974a6f603a6f9d33e6b6eca3cb350652b5cf0cc5ba29bc017156ed699bee8a
  SHA512: 4a9c602b782574e029f4f0501730491c53c7957a009f6e3ab1e30fc2b9271359cc55d256139f0214e9ecc5469991b9e28a7397c7adf51271659f611613d18167

- Filesize: 5KB
  MD5: a37dc918b8c71657d71f0a905311069f
  SHA1: 36ecac8db1f7e7db38d050dea610f453d87eb6b9
  SHA256: 827cc68e32bc57cc2e4726a25c37a8df4749a5079af383a036e9edc76853f2f2
  SHA512: a2c0c5280d9890c40c844b910463ab02aefc4fb72f278c64781a9d6acf26903b77544d64876aeb21247eb83a527c9ca8a5a26340916e9386695dc48b63a8a7df

- Filesize: 6KB
  MD5: 21f1d9b48385e03a42ceb6277f2cb619
  SHA1: 76b60fd07f375cd81e230fe79a472cf1f4b44d9e
  SHA256: 5a7488de8ddc0b6c3d53ad86a72a809d6d2ea1b28c6aa9fafe27baa88646b10a
  SHA512: 0187c4fc505b0f93d62611e8680236d16add87cd230a257c05c3da0a73abbbd74c5e44ddcbd11f0a4b1ac94e8dc5f3614506efb83b0672712acfb401f2242a54

- Filesize: 7KB
  MD5: 59d1e61cacfd4e0e34828ecae77703c1
  SHA1: ed9828a87ceabb48cec4bae4e8820155338905f9
  SHA256: 9300e3f4836d2648dd57aaa5cc97f9da92f633145753cb4e6b1745f58e4fc86b
  SHA512: 888f4a182ce914d84ab535018cc31c54cc4b969f243bdcfd7380c893825d763db4db802aa6d58027d16a069e3489eac1df8faca57ad1edbd57fbe61bc46bd732

- Filesize: 8KB
  MD5: 182435e5bf33cf76fa698be08a1c0807
  SHA1: fa9d97bd4672fb03f49abef5c65a312312e7ed94
  SHA256: 5d2b54f1a3b59d10da5dfa8fa61df60905d5ebe80013334177e9ccf4606e126c
  SHA512: 605c2a5621007abd6e93e0f4670a6d25c7c7b72da0152305c786e237e9d31b219ddec6f2cb9d266259e8c6bb3a39f3a8951cfcd9acc2d2e60524514a7487756c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\7eb0e544-b020-4ce8-9fb9-f506482ee552\index-dir\the-real-index
  Filesize: 2KB
  MD5: 52cc6e66c201a5ce5d2ab82f4aff0133
  SHA1: a6fe2bd2b110af7fa136f575b365368b91de1e79
  SHA256: b277b2e3d4f63842cb347769945d4b988b5c82650d04ce009e190bbc466dc327
  SHA512: 06db2387da19ce6c7cfb247c14d33339dada3ffcaa579cdaeeee9bf2c2460a3b1741d628288642bbf43a5a5109df8c68cc0230c065c4b3bd988c6fae9c2c3ee2

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\7eb0e544-b020-4ce8-9fb9-f506482ee552\index-dir\the-real-index
  Filesize: 2KB
  MD5: 9f73de2efa31055c944ce9a72e240c2d
  SHA1: 5387d9d4317b5ca1fd35914f51b33ea539bf223b
  SHA256: 051ea175fcbbe55450b750a0069a7c50ef70611e31496770acd801a9e63d00fd
  SHA512: eb45c5705996f075a98ac3a610ce616f5745445585e417fa922647a38f68994114acb41e9c6e2d853d1da039aeea31db45edccd236c187cfaccef989d3249a96

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\7eb0e544-b020-4ce8-9fb9-f506482ee552\index-dir\the-real-index~RFe590e1f.TMP
  Filesize: 48B
  MD5: 8675a1a250098b9fa298dbbaf22dfb31
  SHA1: a078845cd504b99bd9146099a1066d4a3ec12a5d
  SHA256: f32194dee21c605c9a61cf3d9fbb7b9ff218926d6d56718bcb3ebbf729523a5d
  SHA512: a2cbd02dc5cd84eb263ad8f68574bc454c4d662ff757d08bd02536169416be81e660649d7522a8954b1f19f68006b551f77e844cd9895d1bf56b437890471ec1

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\de1f2e1b-0e3e-470c-8e5a-bcc7c289ad52\4912ad923f67483f_0
  Filesize: 60KB
  MD5: d94d7c47e742c34c2bf24c3b70e9c56f
  SHA1: 1c59a8ce10dbd37f5280a1c9bbd2d4f7572f0d27
  SHA256: b3edf377edcd9b2488cb890552bdf819803e4ab7fd1592ad34efd76ce3dc7b28
  SHA512: b19233e4bb957164fbb4bee060ca7dd5a28a566c4780bc4c3ca96cfabeec0c2b90e295a90eda63297f37fe6fcd78a3fd3b2c7f991149fa69d61306f4996db8bf

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\de1f2e1b-0e3e-470c-8e5a-bcc7c289ad52\9c6d83a70a3663b3_0
  Filesize: 310KB
  MD5: 62e1a7f85652a2f2e25411ba64f85f26
  SHA1: 315fc349659e092c1a097b9e7a3bead72708ed8c
  SHA256: 108ce848946cef574ef10b8fbe5ec90463e1fd18d98dba146890a1149d983992
  SHA512: 8512cfa2d8230c93f42a4852e5d513c898d216e9cbc33132c73b43058d14b66ca43456e0978dea6d8626624faf61371700f247a64fd297674dcd68485bf0d200

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\de1f2e1b-0e3e-470c-8e5a-bcc7c289ad52\index-dir\the-real-index
  Filesize: 7KB
  MD5: 0da1a0dcf44ece9c6334fa406ead2ddb
  SHA1: 64cbfdd871915f7b372ef5db936c86dc514ea6a6
  SHA256: 91e6d4bd6509351bb344d12c79aebc48804f49dc55d6698eedc92dff692e6027
  SHA512: f372d712d9bce426c0512cbee30b23f873f8c1a5eac240cb4766a1edb9a2a5005fc89076ccbe8d931c8026f22d6a7b9a58dfc7dd46b90440271ae558f7a4ada6

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\de1f2e1b-0e3e-470c-8e5a-bcc7c289ad52\index-dir\the-real-index
  Filesize: 6KB
  MD5: 9bd70275695db79c4c03bfa8e25ed266
  SHA1: 7cd62aad04dacf1fe009dd6a3286effcc61949d3
  SHA256: 749aebba6371859f97b427691139f44044458d1bb21eaf92275c7148d2f0a7f7
  SHA512: 8c59a0ccd364796445fe4a9eafecc618f70cde012aa292a63a2b9ee591d70cf0f4382794ed80815096459a7d4017be0c3e50a90629ea77279fec14afe73f3515

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\de1f2e1b-0e3e-470c-8e5a-bcc7c289ad52\index-dir\the-real-index~RFe58d83a.TMP
  Filesize: 48B
  MD5: 7ba8acfa5d87fa3a28d738c6104ada61
  SHA1: ff80fccb90b50a98585146ac8d4dd766d1fdbf0e
  SHA256: b921903b98682da82f8801ea463ff9437918cbf44fc3b0baf6296aad3bc0ac52
  SHA512: 3b035ad93e84792a4f010dcfe2c8873904f2b6180953be396f05e0a405a7944d4ae37f56f2fdd9fa7497509ab05303a8734caea69773c9e274c520d48d91bc3d

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\index.txt
  Filesize: 159B
  MD5: 7b30f178b4024a78ecb3b1f2f1dbc7f0
  SHA1: dda58c9a56452777eef6c53cf381c48fb1b026f3
  SHA256: 1e1acefe1607bcbdd38e89960ac0f699d2843343a3f45e0dd7da42f64706ab99
  SHA512: 6c2502c9e7a24f5c2f64ab94c323b42a07cf0a993b9ed0348519c20e7385ef034bdc308c6c2b8c8754cdf636aebb87b2e6e4f35197fd5df0c4d7869261e013ea

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\index.txt
  Filesize: 219B
  MD5: f17b0fa090fed1c380901239668afa56
  SHA1: d68484fc109f2d9ab722f090a5e15f849be2bece
  SHA256: 1b1c8b31b073946bb659f0630d84599d075e0c3082a7d07cc8e83fcb725834f8
  SHA512: 998730f334106162d1588ca7895d72c885b9629f55e06ba91e4c8415b79af194860c7fad1e85b941cf7ef5d42aa9f0cbf80d855a81d2cef6286e80cd1773a382

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\index.txt
  Filesize: 218B
  MD5: 3875eae2150aa85edec8fd88bf773cf4
  SHA1: 2c73715f48a0305e24f662f29bf2f1e82ba818d3
  SHA256: 202adebdcb319907006949a21cf597277d2ce97b7c62f41132ffee0e445cd531
  SHA512: d24f16d9e6ae6cb5de896b43df930e554ef434dc9a44aab3195b1f13d85def3b28127533988f23d6eb6f5470e88a7dfa0541894a96992130dd6156049f3cc712

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\index.txt
  Filesize: 218B
  MD5: 5b5703414bc785d1c327550c3767375b
  SHA1: f7f325b2105092651c3db9c440e816d35525132b
  SHA256: 1e6f7e5560ee799152aa6b5a0bc3e1134a8991996dbf9f161ec89f1859be7b9a
  SHA512: e1f8da3f75c2f63d42dcf9aa94c10bb4be5cac18d2f01be1333d98c302bfb140d889effcaea2da79cbd73657ef5d6c9127e514decebac0e025b2c20dab8ea6a8

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\index.txt~RFe57f656.TMP
  Filesize: 93B
  MD5: 5959618aae82320f2e9ac530bc9e82d7
  SHA1: 657457294f3a523efd1efb6b96efd91cafb8d237
  SHA256: 06709305a294b4661ae011c0d24bad586f8b2e74c813093d7ec5bb33a7cb9d9d
  SHA512: 1b80bd7a480a5b320b9df4f19b07f4a9333aa5c15531157cadfb283045c6c5191a88484557c6ca2f43d0b9ac0248841d768905e2b33877f50f36e1bea79f4226
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0
  Filesize: 589KB
  MD5: 41791c04c36be86b4272838d2e527b47
  SHA1: 8da0ed19bb45fac00a422d3a65d646278f99afb0
  SHA256: e37376e29780ae33083ef4700554291eb8b099f1f62a24909a7d9a4269c7cf6c
  SHA512: a835948bf973033919c886ea5e400eb6f23188d05ef707df069c3e0fa5ddd4ad83cb2c22cbd7b35386de0487afca93d92dde8acd9342160590391d2469cd948b

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: fbd7de27ebdaf8f59640a5bc4e322b5e
  SHA1: 8b6e9489b7ceff579a1861bed030910a2be23dc7
  SHA256: 2066f93dd73ec22df9ef6d10496351ace0a5a733a22b8c972a2fd76336dab70c
  SHA512: d82c9e66367cbb0f4cd99d4294f60baf217a143fb34513a60b6286f1b1205f95785d1fd76d65318ed1bc01fff63dea1f95386ede390989de8d425cffe431a843

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584447.TMP
  Filesize: 48B
  MD5: 8cbccb458fd7c4fc26bf8cbaac10a4ca
  SHA1: ea997164b04ea7261a6e9b11af1d65f23e3311f7
  SHA256: ae61e7d63fe751b976268aceb97138b8dd4ca2e248ad2c7bce1473ce09749cdf
  SHA512: e17dc28cb4f1a8437394aa90bcaae35783e94b32ed8f4d94c3f64bcd177eee5eeab880f209e61209db2e4cd024167556afb3f0f0d3d3a5723b97835e55c1d092

- Filesize: 873B
  MD5: e2ac3a25274e3e06592bb0989f01f6f4
  SHA1: 7d8eaa8fb1b5cc0bed25fdba527b57d2e2925f03
  SHA256: 2b912db45b8ed1db6caaf1a4979d3f73223d726292bad09e9c7e07a2251d41ec
  SHA512: 3a27a6c81bcc72d0e503032fef7de840953bb60b5ceeade0ce81aafd2b763ace7c4cfd1e1aad8113cda95368b40a00e16e2624c53db7546b565f9aadfd3f06e0

- Filesize: 873B
  MD5: 185e33fe7abb6d008a35c203b72f259d
  SHA1: 72f9ef9a7b18993b3891720d2315b8043b78ecdd
  SHA256: b39c27fde7c362d50ec8e05a54fb951fb70dd376eb1d69cfb65cdbb51ff4741c
  SHA512: b7955424763cdb414bbe9c800d2223a5e61ab4039de9b2fced370c7fec3f7ca59ec6644a7c140d11b003f8f2182d6f285bd04652562629639cad18fd953d793c

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 12KB
  MD5: 86e01da3436172f6f6636c00229691dc
  SHA1: f78ce9867e7f2403465fd3730f845950734ef063
  SHA256: 6f537cc42400942f07605d29079a471f0359d72d912cd4e394a469653293e018
  SHA512: b61d69933d99e06427f4c5d55f6f2a91746876a62411ed6037e4cf2036d8db2419e040129b83987498e43b94c9bdbeac81b418ae05ae2e3ecfa5d6ba914fef98
- Filesize: 12KB
  MD5: e44921a68343f6e3e1d980129a322783
  SHA1: 1b0e6e5100081b7298e7f5c286741d081aba3d59
  SHA256: 6716bacd26ada528edead77cc2242ba46b524c4d45422b2f2ea755e99e5de315
  SHA512: 54cb80f27f04a61c9ea1ecd4bcc32217363967f015e3ac48b0902f64fae1da7754717163e166dd5a21e82626234f84bb5d85652ff8fbfd15431fccebd9df4ce0

- Filesize: 2KB
  MD5: a0679dce64fcf875f4208b823d4b85c0
  SHA1: 85abe3673db82bfe5b2c207dc98648e32afffea0
  SHA256: 85a07013575a6a890c7b1d26adaa52f17616c4cca673617aa1fc0992aa29dda1
  SHA512: 1e2740a09acc5b0d679acfd740feb3556638f1b6029078668bbb7e067b356fcecf23c5b317b02888822cc180c0eb5cb7e2caf63d92a74515ebc5a1031d80f3a6

- Filesize: 6.6MB
  MD5: a605dbeda4f89c1569dd46221c5e85b5
  SHA1: 5f28ce1e1788a083552b9ac760e57d278467a1f9
  SHA256: 77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e
  SHA512: e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610

- Filesize: 92KB
  MD5: 219cd85d93a4ed65a481f353a3de5376
  SHA1: a38ab77caf5417765d5595b2fcd859c6354bf079
  SHA256: 00c9fdc8b877c7fb8365709155ab28cb3dac282ae7ec9fc9d47a78b408e0d13f
  SHA512: 367644e3bc3310207b5863b09688269c38a55540b8c87e71d66771c954d37d561ed09f3ee11b36c4c8f4a48b618b2e8debae3d93ff684d15305f93a3ade6b3d9

- Filesize: 5.0MB
  MD5: c47c6a5111193af2c9337634b773d2d3
  SHA1: 036604921b67bbad60c7823482e5e6cb268ded14
  SHA256: 7c4f20624dd062a6c71d845d05c6328d5a903ca96398e2902506591b231ed585
  SHA512: 56698b7b2edc0f94d0f7172c853cbe67ac682d132df768659ebca0c169091acb36ffd0a6874c26e2fb35117061c91c9eca4312532ba778312e3d63cc77ce1262

- Filesize: 780KB
  MD5: 4151b988c9d5c550ccb6c3b49bf551d4
  SHA1: 10ff979be4a5bbacaf208bdbb8236b940208eed1
  SHA256: 5ec45cc1a109f556d0cd44ba48d3bf11af556ee66dd8b78c94d3ef0e93735e8e
  SHA512: c73947b534741c29340550066cd1a6b7cbb4387f3be8303f2d1d0cb21c6f430e0415c27daabc82d32570f421934db78dc840403de18aef09d5a4f0cbe4350e4d

- Filesize: 1.3MB
  MD5: 74be3afd732dc010c8266326cc32127b
  SHA1: a91802c200f10c09ff9a0679c274bbe55ecb7b41
  SHA256: 03fe34795ad0f91fc8eb8c9ebe8094541e4fb4d7095095f8b48f345c2a6d0f0c
  SHA512: 68fa03d640680e37614feccb56f4d41180724cb7c08ba25f9bea3830a44c03d635664d8e0255ab2d05d3613498f4a4dd4398b7971a2cb1c9ae3be93f944946e5

- Filesize: 2KB
  MD5: 288bebe9f904e6fabe4de67bd7897445
  SHA1: 0587ce2d936600a9eb142c6197fe12a0c3e8472f
  SHA256: cf965fcc5a7ca4d9245c706c88b4d5013fb84be27b0ec262facccfadf14bdca2
  SHA512: 7db8e7c1318bcab7cef2c02484a82f347a630443a644b546a5cc339a5a848d1a3e915255f9c357de6ee26817a55d1091d80e2a8e97f66afa5686b3d11ee56c3c

- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

- Filesize: 74B
  MD5: 05d30a59150a996af1258cdc6f388684
  SHA1: c773b24888976c889284365dd0b584f003141f38
  SHA256: c5e98b515636d1d7b2cd13326b70968b322469dbbe8c76fc7a84e236c1b579c9
  SHA512: 2144cd74536bc663d6031d7c718db64fd246346750304a8ceef5b58cd135d6ea061c43c9150334ee292c7367ff4991b118080152b8ebc9c5630b6c5186872a3a

- Filesize: 18.9MB
  MD5: 7c6c934f74033326b9af0bbf7a320368
  SHA1: bcd8f9fe4659396ec1ecc1de9629d22f2952cd88
  SHA256: c3c7837e8f3a0efef93422411d0908f8b64520da1df7a190f90415c858f171ea
  SHA512: 7ffe37c8a9e7d176b939e0d3306f6bebab38fb5d7af68cb8cea190b801629807b9cab132c4442d373aef814c0c4ab3fd7214a45945f385c1478aa3d4d39fbfcf

- (no size recorded; these are the digests of a zero-length file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e