Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/08/2024, 12:58
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://download2356.mediafire.com/dmxj06qb521gNWiZ1GXZ_HVXNBBdL5jZMeIGU1TzcbbiROlvNARelnzRi0X7nQMZQKMcKrAX25Ld2ANtIWXGM0-oDQXdd2gSnfapkzpNIMm_2Vda-LPl3m6FgrltmlAc0af98EcYjII-smA-6qWOmUSVSyd49pT3jE3A4iAhjeKI/ok95x08drvy416d/S0FTWARE.rar
Resource: win10v2004-20240802-en
General
Target: https://download2356.mediafire.com/dmxj06qb521gNWiZ1GXZ_HVXNBBdL5jZMeIGU1TzcbbiROlvNARelnzRi0X7nQMZQKMcKrAX25Ld2ANtIWXGM0-oDQXdd2gSnfapkzpNIMm_2Vda-LPl3m6FgrltmlAc0af98EcYjII-smA-6qWOmUSVSyd49pT3jE3A4iAhjeKI/ok95x08drvy416d/S0FTWARE.rar
Malware Config
Extracted
Family: vidar
Version: 10.8
Botnet: e5f25c023529d1a14d80fa58f094095b
C2: https://steamcommunity.com/profiles/76561199761128941
C2: https://t.me/iyigunl
Attributes
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Signatures
Detect Vidar Stealer 14 IoCs
resource  yara_rule
behavioral1/memory/5808-415-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
behavioral1/memory/5808-419-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
behavioral1/memory/5808-440-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
behavioral1/memory/5808-441-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
behavioral1/memory/5808-460-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
behavioral1/memory/5808-467-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
behavioral1/memory/5808-471-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
behavioral1/memory/5808-472-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
behavioral1/memory/5808-489-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
behavioral1/memory/5808-490-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
behavioral1/memory/5808-514-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
behavioral1/memory/5808-515-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
behavioral1/memory/5808-549-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
behavioral1/memory/5808-559-0x0000000000660000-0x00000000008A1000-memory.dmp  family_vidar_v7
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
XMRig Miner payload 7 IoCs
resource  yara_rule
behavioral1/memory/6608-794-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/6608-795-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/6608-798-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/6608-799-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/6608-800-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/6608-797-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/6608-801-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid  Process
6272  powershell.exe
7076  powershell.exe
Creates new service(s) 2 TTPs
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs
description  ioc  Process
File created  C:\Windows\system32\drivers\etc\hosts  HIEHDHCFIJ.exe
File created  C:\Windows\system32\drivers\etc\hosts  Updater.exe
Executes dropped EXE 3 IoCs
pid  Process
5468  S0FTWARE.exe
5592  HIEHDHCFIJ.exe
7052  Updater.exe
Loads dropped DLL 2 IoCs
pid  Process
5808  BitLockerToGo.exe
5808  BitLockerToGo.exe
UPX packed file 12 IoCs
resource  yara_rule
behavioral1/memory/6608-790-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/6608-794-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/6608-795-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/6608-798-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/6608-799-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/6608-800-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/6608-797-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/6608-793-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/6608-792-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/6608-791-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/6608-789-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/6608-801-0x0000000140000000-0x0000000140848000-memory.dmp  upx
Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow  ioc
116  bitbucket.org
117  bitbucket.org
186  pastebin.com
187  pastebin.com
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid  Process
6736  powercfg.exe
6744  powercfg.exe
6752  powercfg.exe
5160  powercfg.exe
6452  powercfg.exe
6480  powercfg.exe
6496  powercfg.exe
6728  powercfg.exe
Drops file in System32 directory 6 IoCs
description  ioc  Process
File created  \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF  chrome.exe
File opened for modification  C:\Windows\system32\MRT.exe  HIEHDHCFIJ.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  powershell.exe
File opened for modification  C:\Windows\system32\MRT.exe  Updater.exe
File created  C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF  chrome.exe
Suspicious use of SetThreadContext 3 IoCs
description  pid  Process  procid_target
PID 5468 set thread context of 5808  5468  S0FTWARE.exe  130
PID 7052 set thread context of 3384  7052  Updater.exe  211
PID 7052 set thread context of 6608  7052  Updater.exe  216
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
pid  Process
6936  sc.exe
6980  sc.exe
6216  sc.exe
6340  sc.exe
6464  sc.exe
6336  sc.exe
6764  sc.exe
6688  sc.exe
6372  sc.exe
6488  sc.exe
6536  sc.exe
6648  sc.exe
6988  sc.exe
6596  sc.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  S0FTWARE.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  BitLockerToGo.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  timeout.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000  taskmgr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName  taskmgr.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  BitLockerToGo.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  BitLockerToGo.exe
Delays execution with timeout.exe 1 IoCs
pid  Process
2452  timeout.exe
Enumerates system info in registry 2 TTPs 6 IoCs
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Modifies data under HKEY_USERS 52 IoCs
Modifies registry class 10 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell  taskmgr.exe
Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  taskmgr.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff  taskmgr.exe
Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0  taskmgr.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff  taskmgr.exe
Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{04327A03-20BE-4971-B5A2-3EA39E36DFDD}  msedge.exe
Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings  chrome.exe
Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings  taskmgr.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202  taskmgr.exe
Key created  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0  taskmgr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download2356.mediafire.com/dmxj06qb521gNWiZ1GXZ_HVXNBBdL5jZMeIGU1TzcbbiROlvNARelnzRi0X7nQMZQKMcKrAX25Ld2ANtIWXGM0-oDQXdd2gSnfapkzpNIMm_2Vda-LPl3m6FgrltmlAc0af98EcYjII-smA-6qWOmUSVSyd49pT3jE3A4iAhjeKI/ok95x08drvy416d/S0FTWARE.rar1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe54e3cc40,0x7ffe54e3cc4c,0x7ffe54e3cc582⤵PID:3480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2016 /prefetch:22⤵PID:2216
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1752,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2064 /prefetch:32⤵PID:4492
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2460 /prefetch:82⤵PID:3944
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3120 /prefetch:12⤵PID:400
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe  (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
  PID: 668

C:\Program Files\Google\Chrome\Application\chrome.exe  (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4668,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4792 /prefetch:8
  PID: 2860

C:\Program Files\Google\Chrome\Application\chrome.exe  (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3096,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5080 /prefetch:8
  PID: 4256

C:\Program Files\Google\Chrome\Application\chrome.exe  (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3716,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3700 /prefetch:3
  PID: 5756

C:\Program Files\Google\Chrome\Application\chrome.exe  (level 2)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=208,i,8874459352432857169,1947732027889222187,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5132 /prefetch:8
  - Drops file in System32 directory
  PID: 6556
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  (level 1)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 1848

C:\Windows\system32\svchost.exe  (level 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 3740

C:\Windows\System32\rundll32.exe  (level 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4924

C:\Program Files\7-Zip\7zG.exe  (level 1)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap25154:78:7zEvent29367
  PID: 1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultcfd9fad8hd009h47cah8130h459ba1322549
  PID: 5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe3eb246f8,0x7ffe3eb24708,0x7ffe3eb24718
  PID: 5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11065393022778408726,2131473727003321309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  PID: 5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11065393022778408726,2131473727003321309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 5576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11065393022778408726,2131473727003321309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  PID: 5636

C:\Windows\System32\CompPkgSrv.exe  (level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5804

C:\Windows\System32\CompPkgSrv.exe  (level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5844
C:\Windows\system32\taskmgr.exe  (level 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /6
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SendNotifyMessage
  PID: 6052
C:\Users\Admin\Downloads\S0FTWARE.exe  (level 1)
  Command line: "C:\Users\Admin\Downloads\S0FTWARE.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID: 5468

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe  (level 2)
  Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID: 5808

C:\ProgramData\HIEHDHCFIJ.exe  (level 3)
  Command line: "C:\ProgramData\HIEHDHCFIJ.exe"
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 5592

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (level 4)
  Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  - Command and Scripting Interpreter: PowerShell
  PID: 6272

C:\Windows\system32\cmd.exe  (level 4)
  Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  PID: 6456

C:\Windows\system32\wusa.exe  (level 5)
  Command line: wusa /uninstall /kb:890830 /quiet /norestart
  PID: 6560

C:\Windows\system32\sc.exe  (level 4)
  Command line: C:\Windows\system32\sc.exe stop UsoSvc
  - Launches sc.exe
  PID: 6464

C:\Windows\system32\sc.exe  (level 4)
  Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
  - Launches sc.exe
  PID: 6536

C:\Windows\system32\sc.exe  (level 4)
  Command line: C:\Windows\system32\sc.exe stop wuauserv
  - Launches sc.exe
  PID: 6596

C:\Windows\system32\sc.exe  (level 4)
  Command line: C:\Windows\system32\sc.exe stop bits
  - Launches sc.exe
  PID: 6648

C:\Windows\system32\sc.exe  (level 4)
  Command line: C:\Windows\system32\sc.exe stop dosvc
  - Launches sc.exe
  PID: 6688

C:\Windows\system32\powercfg.exe  (level 4)
  Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  - Power Settings
  PID: 6728

C:\Windows\system32\powercfg.exe  (level 4)
  Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  - Power Settings
  PID: 6736

C:\Windows\system32\powercfg.exe  (level 4)
  Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  - Power Settings
  PID: 6744

C:\Windows\system32\powercfg.exe  (level 4)
  Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  - Power Settings
  PID: 6752

C:\Windows\system32\sc.exe  (level 4)
  Command line: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
  - Launches sc.exe
  PID: 6764

C:\Windows\system32\sc.exe  (level 4)
  Command line: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
  - Launches sc.exe
  PID: 6936

C:\Windows\system32\sc.exe  (level 4)
  Command line: C:\Windows\system32\sc.exe stop eventlog
  - Launches sc.exe
  PID: 6980

C:\Windows\system32\sc.exe  (level 4)
  Command line: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
  - Launches sc.exe
  PID: 6988

C:\Windows\SysWOW64\cmd.exe  (level 3)
  Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AKKKFBGDHJKF" & exit
  - System Location Discovery: System Language Discovery
  PID: 712

C:\Windows\SysWOW64\timeout.exe  (level 4)
  Command line: timeout /t 10
  - System Location Discovery: System Language Discovery
  - Delays execution with timeout.exe
  PID: 2452
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?LinkId=129765
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID: 3940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3eb246f8,0x7ffe3eb24708,0x7ffe3eb24718
  PID: 5420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  PID: 5928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  PID: 5948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  PID: 5740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  PID: 5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  PID: 5256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  PID: 764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  PID: 5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
  PID: 4920

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
  PID: 5964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
  PID: 764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  PID: 2860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  PID: 5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  PID: 5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  PID: 5632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  PID: 6984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  PID: 2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  PID: 7144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  PID: 7132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  PID: 7112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  PID: 6368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  PID: 6988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  PID: 6532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  PID: 6732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
  PID: 1852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  PID: 5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6528 /prefetch:8
  PID: 1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5716 /prefetch:8
  - Modifies registry class
  PID: 4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,7164455937662580914,14088224443981028176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  PID: 6400

C:\Windows\System32\CompPkgSrv.exe  (level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5448

C:\Windows\System32\CompPkgSrv.exe  (level 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5104
C:\ProgramData\GoogleUP\Chrome\Updater.exe  (level 1)
  Command line: C:\ProgramData\GoogleUP\Chrome\Updater.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  PID: 7052

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (level 2)
  Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 7076

C:\Windows\system32\cmd.exe  (level 2)
  Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  PID: 6220

C:\Windows\system32\wusa.exe  (level 3)
  Command line: wusa /uninstall /kb:890830 /quiet /norestart
  PID: 6364

C:\Windows\system32\sc.exe  (level 2)
  Command line: C:\Windows\system32\sc.exe stop UsoSvc
  - Launches sc.exe
  PID: 6216

C:\Windows\system32\sc.exe  (level 2)
  Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
  - Launches sc.exe
  PID: 6372

C:\Windows\system32\sc.exe  (level 2)
  Command line: C:\Windows\system32\sc.exe stop wuauserv
  - Launches sc.exe
  PID: 6336

C:\Windows\system32\sc.exe  (level 2)
  Command line: C:\Windows\system32\sc.exe stop bits
  - Launches sc.exe
  PID: 6340

C:\Windows\system32\sc.exe  (level 2)
  Command line: C:\Windows\system32\sc.exe stop dosvc
  - Launches sc.exe
  PID: 6488

C:\Windows\system32\powercfg.exe  (level 2)
  Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  - Power Settings
  PID: 6496

C:\Windows\system32\powercfg.exe  (level 2)
  Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  - Power Settings
  PID: 6480

C:\Windows\system32\powercfg.exe  (level 2)
  Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  - Power Settings
  PID: 6452

C:\Windows\system32\powercfg.exe  (level 2)
  Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  - Power Settings
  PID: 5160

C:\Windows\system32\conhost.exe  (level 2)
  Command line: C:\Windows\system32\conhost.exe
  PID: 3384

C:\Windows\explorer.exe  (level 2)
  Command line: explorer.exe
  - Modifies data under HKEY_USERS
  PID: 6608
MITRE ATT&CK Enterprise v15
Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - System Services (2)
    - Service Execution (2)
Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (2)
    - Credentials In Files (2)
Downloads
Filesize: 6.1MB
MD5: d1ef4cc12e52b676fb9ee02152a34092
SHA1: 114218e9201a501179b6088b9e3ef333f429cfd6
SHA256: 3df15bbb2034a98aaa3d709075d1b8947950eca17a26356836aa07bb13fb843d
SHA512: 644ca61c898c7a4a384748d945edc006d43988804cf45c5aaada6433defc2b4424291d735d667eb57d0881ff373037c475708fef78d61b55154314a5d9ea8f52

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Filesize: 649B
MD5: 4727647a36bb35d181f5f5ba5e49a6b0
SHA1: ec18e6c258f84ca4acec587861393ffa70d6f5de
SHA256: e828b5c259b4a1caa620e30276fd5d405eecd004380b61a2c9c7a166576d3060
SHA512: c876e1676ab24501be6422f39e6e049cb873d9d9ce7edc293324da56da6ed4098fc5916f53944a8ce661ca847e16d501e23704066ba5c5b3b892f8fd145935f1

Filesize: 44KB
MD5: d2a14a7788b53f4cd4fc8f24f173321a
SHA1: 8f67f4e6e7fed5e4fc5ec677d524c49081fb1430
SHA256: 8bd3403303c3112b8b111a14f6755b49eaf7fd9cefaf17b2fbe50b0d7d7f730c
SHA512: bcc658063d2738fdbe6e8c9f202933ce0e43586de04aa44b3ddc35352ddeaa181babd8f615d59936fbbd69c83e96b4b1f608f3f5c0fc5a6075b8a1a30f6399b2

Filesize: 264KB
MD5: d2697394e7406116f7890d7be66f673e
SHA1: aee36d82600cf0c081262aa9f98a6a3e12b9f455
SHA256: c9ed82eb3e0ec2d02dfd36355843a8f97f76faa6c40cb0c1816b35009692f37b
SHA512: 35a703fa4bed32275bfb938e99c66d6ffaf67a886fc475feed93b854a1f58b5527cfdaba5d8a53574991e6b4946e9f1bb4d6a9b0a8e8897df4a440492d605469
Filesize: 160KB
MD5: 0b8e41cae303c802290117ada01bff91
SHA1: f09c96a5b4e4c89269d42e17ebb85d3fc7f1840f
SHA256: c690d2c41518b68c1ef6d0735ec99c9e5847d2d161bb470a911d11b8e56a4dcd
SHA512: 363cd9a66f782cffd20e8e45b5d531fbebb9547dbbd09624d267850d8d2b3d350e83e914df772523574731c94a09b21dd967a5dc1e88a99641a303c8f8d95564

Filesize: 1KB
MD5: aba85dc1b72fdd3d4e2470843eb9c670
SHA1: 18d4f5d4e23a3b920f9198b1ffe9a67cea74139b
SHA256: e04f5257a3f72a8b408cc4042c13d4ad2d608e1258c9669a062497d05ab766d8
SHA512: 70be9ee69a5a5f3408edf1e21641aafce96fc4e86c560076315d47939908e672f84de59f5994fa25f27db7a535490d9ec8e5b91805a521b3aad743a5abae13f6

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 9KB
MD5: 6d5148385f03b3ed5ca2b8dd14b36f85
SHA1: e8f5470d0bbaa0a7a76d6d1ec30058a6c7adcb33
SHA256: cd2c9de794d74b05a68cc9e3d201a51d3884e19d8a5dde1e37966e605f900b04
SHA512: ccafffd1005ee21ffaea05b384d010c530f7c0976088199850256905b0231f907dd8dd1be317c8e5372ef4f101a256a249865585b36a122bf337a1bb6e79fd55

Filesize: 9KB
MD5: 6cea73acf6dce9900de018def5bd0862
SHA1: 2be6a005d8698fb7abe681bfc0c7829cf07df201
SHA256: d9ce99ff250b37499d8854f6e6ae777666d79b322f50b181e55d40322ef5e570
SHA512: e15943b6307008dc9b1c150e42b3e9cca5ef50a4b3aaf895286c1e32a7c1f8f42663d02d4041bfb627cc48baaee803a56a1251a820c85c3304e906c453a4be95

Filesize: 9KB
MD5: 5f989a1df50e7945874e8be92bd97543
SHA1: c6f915e067d8e3b88e1cf60fcf670772cdc6d840
SHA256: e7fea67be23ea8f83aa942ec4d307b67356d99f7ac101011e9a0dad14ab3c359
SHA512: 88e249c3166cb658bfd5e7fe16d88429ca6ec499403fbe9a4a111de0bfcd6fde570ef4311ec2db215eeaf61cec32619f42804d1201c0520e4979fa7b1a726dca
Filesize: 8KB
MD5: 034cdcfa176696ae3e32b37c200aafc9
SHA1: c2b340e1a13a4b587994827bd071c774787c2821
SHA256: 951fdd9bd0bf4936cdeaa3cd3eeaa6c7d75087dcc09be31cbda212cfb505cbfe
SHA512: 669159360f989819bbb9153b5ae88b161e646344afe9c6f81c0b0182c1e40b0f067c1803cca9bdbc47af03c1ff15c36c8195e2979e01106235b4e869d6bad5c6

Filesize: 8KB
MD5: bb46e6ecacf90a832fbdead906399d48
SHA1: 3250cad63c627a833f177414aeda6a164d089554
SHA256: e3eeb18264ffe1f6bf26304cea2a1ad35418ecc075a8d98e0937b94462718585
SHA512: bd5fdc9765ae6261256242abeb5d1467db5886fe6d8a7cb421eb50832fa839edb65258d106b6414975f475f22d0c3f274ca8cf4723af8dd82a68680f19fb0c2d

Filesize: 9KB
MD5: cdb92da4daf0bfc2d9d3b37f100da53a
SHA1: ec2942ef73fb3edcd1e7bf5b1411a7e33910eb67
SHA256: 2bd4efe98bebf24fdd240e67f463e1f820f0ae942ad8ca1957b2c2d1a155eea0
SHA512: b6a65ce9129025679dec88457ce6f64f7b37cb4cc407a51b27940194ee66e8c208f9f3738241daaa0f195d55b92b50e4f5c2c29de481a84894ef7ce6cbaa4499

Filesize: 9KB
MD5: 4702482047778032bc0d4edeffa919b4
SHA1: 65a1128fe02791f3f51bf9308a9cb1c8bb1325fd
SHA256: 40929bc5c583c57c590808e32c4f02450b885d70459745e15ac67860d5db9b3c
SHA512: baab17133b50f6843f5a637466ad78e0d400f0761b90686c6d23ef0848e84aba6dc185410c43953643b127be28cb616f648ccd93094279976755d60c564493f6

Filesize: 9KB
MD5: 46c49a882ddffe6aa20e8879b598c446
SHA1: bd760bcf8057182fdb2072aaebf177b1e6d66850
SHA256: bca04e720852c68ac32bd282a209141e602197564d7ead84b24a2937cdd87c9e
SHA512: da257f019d703f96cd765cbb3307077e5cbfcc1bd356536bb786b09fd54be444b56b9dfd9de7ce67c7aa4b3ee20b130bf4cc94f5047fe6ec4efa65a623a12dd9

Filesize: 9KB
MD5: c75a3bf9d957d049875d6607c29cdd4a
SHA1: 3b45f8ce05cb89761cf71aff364b7342be34a03b
SHA256: a53c98d4737cce143e258cf85887a432a26c931954579e1ccff9c01c3f9cee98
SHA512: ad43ab2146d064ebc5289fbcab07bf32bde85c1e90e2ab6c04f2dfe823fceab577df3f401d22fac37d16104f55f0101a64606cfa8227864b302c2c0f5a3a2054
Filesize: 9KB
MD5: 8eab22f5ba68a98dbff1a53400a8ff53
SHA1: 11898cbe1c0052c72df8352d1af79b454265174f
SHA256: bb17cf1827886fc9e71677436f32cc2fcaa2f87ee9c69b2cfe6fe46c3be78bf5
SHA512: be59e05636920f407dc241a9fb35bc3025209bb949f3455a723f68cd72590d819b37139b445b60eaebd07d14ff3ef8b803dbea8eb1a61dec9bce94401b89faec

Filesize: 99KB
MD5: fd332ca485a474deba028eb804d5604f
SHA1: 6d30a1a8727b8865f3a8238e361a7e6ab3f8cf56
SHA256: d2609a41f6164fa964e9c9380aa7ab04c76ba6c17f2b237d178164cc515d748e
SHA512: 810e3f3c2ef0a6dc4d85f6704bd2460914207664490d67af0c5526ef28419f6c4ce5fdcf2768117a54f71a0e711c1cd37442ad16bebf4400cb97720c73275d88

Filesize: 99KB
MD5: bdc4e59c8e07a4057f6497daebc27705
SHA1: 85d1ee1a7e22f7402ad6c4fdc058661fbd75718a
SHA256: 13e5fc370857831ede070998c15837f33dda2bbfdde09d0095afc14eda0d5822
SHA512: 9fe7295b392c0d836f4be95c38895705961724fab5934a425208159c6a97acaefd848c65e2e2bd646c0aa94585174ed3492d383d9af04e89237ce2b28d63c4ae

Filesize: 152B
MD5: 4dd2754d1bea40445984d65abee82b21
SHA1: 4b6a5658bae9a784a370a115fbb4a12e92bd3390
SHA256: 183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d
SHA512: 92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Filesize: 152B
MD5: ecf7ca53c80b5245e35839009d12f866
SHA1: a7af77cf31d410708ebd35a232a80bddfb0615bb
SHA256: 882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687
SHA512: 706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Filesize: 152B
MD5: 57ce7118cb0beed6973e62b94dbda4b5
SHA1: a9876806f2adee0fa6200e79a871ae3637a652be
SHA256: 19e72be36bf08db3025ba96c0ea7c3d571ab2db5519cb93e3685dbcf747e389b
SHA512: 2217be5ab6d03f253c81299aef99d3c1900ada8037e4a74e8e1df1e4b238fd59dd1ba8cad14435ecf15c06a18eeca6981e75890089804d679558856fe4f7976f
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7a3a25c6-3127-445a-9e30-b2b3f95a9651.tmp
Filesize: 1B
MD5: 5058f1af8388633f609cadb75a75dc9d
SHA1: 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256: cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512: 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: cf59e9d5f01cc5022e14796c2e6ec137
SHA1: c918590d7809e4c50de4c7b72d4145f72d08e1e9
SHA256: cc54bb509cd29bfe9557f301ff22656c565e4be99ba7a9b16f0aab9d10e04954
SHA512: 37cddcea68598c39bc9b21e644b660f18a686fdddc8f6fd44254baa3240b8e0a238d34eec25b8d5a41fba1eaf9336fbd9b0d25eaa005544283230b87dba20db7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 456B
MD5: 3f31b8ebc4033f84abc4e514793b6218
SHA1: 57825df15355bebd2a02ee250dfc4a2877aa3e0d
SHA256: 21ba58155daf26f40d6324b623c8533ede8cb9b667518c7fb63d69c1cbfb1909
SHA512: f5f05406e2cffeba395a1f1562ca96dc97c19271a81279f15bac73f20a6ac3eacec7b7483b41c7da59da7f1df79d8b1794b4617c30901229618d1517959e2458

Filesize: 334B
MD5: 3ea525d8c5d17b1de5530aaf8e779413
SHA1: 1be1b7a7d27d7e7066889ecbd90d4f97d56cca68
SHA256: 8d9a212164eb37ae16202be8e7a45e0a3193e744425220f1afe00c559cc0ba20
SHA512: cbe683691ddb20a32459681b7baf76867ff02a1c3014cfdebbd25fe441ec17e07f4a33862c63da72f4d83516c41c569a2f53ba1ccdd5eabc51eef2ddb869229e

Filesize: 6KB
MD5: 118f7a97642b3e6d5618b4e03e4bf737
SHA1: 0c25bf91365a772127ff129a2383d25e3d6370e5
SHA256: ec365cdc2ae9855d9b7625fcedc47bcd2b501bcac143c9c67a29e46c6e16e036
SHA512: 81751b97e621b02d4b79f398862ce679c77ccb5834bd46178d9e531d2bca26729526a11540ebd75dab8c3105a2568edd1ec4948e7754076b2b8978eb999d69bb

Filesize: 5KB
MD5: 1ff55695fdb8a4486c444b3e7cdac718
SHA1: ccd30133afff850bac3247b2e715fbae286e3ca5
SHA256: da9d56a393fe088d5c170665085d85c9496e6885110cd436d99e7fbda30db49a
SHA512: 734efe5ddb95951b1fe3292130dc8aae9cce88ab85a5adf2f7f56e6c4fb861071e163b68d3f625ee38e54fa859e5afdbefd58e30b5700732378f3ed08314a35b
-
Filesize
6KB
MD5b87abfade3173e363976105cbdff8098
SHA16bf932b4908a9bbb4fa422c1156dec8e94b0bb76
SHA256af9392ee0a4ebf96b610bedfabafe1d8f5d8a3f41a69694f0177b3aa893992f8
SHA512bb75ce501a514db7d72ebb345d6e563efa7804cee5c1028f047d0fe4af4a42859bd963f3798f05aef674cf5c3ba6fcc8493e320911f06d18189011848bd4ef22
-
Filesize
6KB
MD56b6dbcccd2ac90cf5b628c22972ae13e
SHA198d136ba7dc7236afdbf8db0c0b16f78d983c6ca
SHA256ad156d8889813148b250c99c5bc80f9aed399c6ebd6859ba662932c98d0519e9
SHA512db8048b5a13063b62597a79b2e63da110ecc8ff055ef2dfb7d7c3af1179165c1e102d9aad87403227e8e5436063c28c62d1da2868974108a727e271e238af0ef
-
Filesize
7KB
MD53ae0f9cfca23887a6b2b789809ae9b6b
SHA1248d73068dc74d98e1c926ccd86ceae34d135c82
SHA2566e2ec2b0c1b2cd8733f6e6226695534ca7663db9896c5e126aaa0ed8cccc70c6
SHA5122814801df0a2118a4c2747d308e1c22cd25ba8721bef620e56e3a4371aafd622b3124a4423f4265b386fbecc8ec6cde8bda30dc7d450100b47d8bb0de641fb3f
-
Filesize
350B
MD576347d4f01247041d4253f023993db81
SHA16a1b5cbddedf3a28b32dc9e808877ca32acbc1f4
SHA256e89c1f5400335bcff9dbb1cdb301f47ca47b3e896f6b5a04b0db5d68ee8a6584
SHA512c62e77bdf6df98e32da33fc78d5a2f65e526fa616e3d89f20e7e221c2d187554d7b1accad45509df35970e95621207f26f83bae60bd21a32c1aecee0946c1690
-
Filesize
326B
MD562b45ab0b51216de82f2e9a6ef7a399b
SHA183677c8179bb4e4bec57be4090b95a48de929670
SHA256323d6b06037917e06cc47e5eb95024d0736fc142ca3ffcfc90443f755900ff73
SHA512c6183f55848a2c31c52dc78dcdd1b8db01f2ab5bd5a9ecd43e6e8bee014c62d8082ffa67578a8b8b09988660a384e2f11dacb0c3aec988e69ce7a8fe3b919517
-
Filesize
1KB
MD560077c4716d506180a77f4e126da1a6b
SHA1088bd8f8f323f85a5a14476ead85d6e9e14a9459
SHA2567aa82e8b348286bdf75c96cfaeeae427bc226d4ea0f87acae7358dbdc29602d7
SHA512fa4ed40aacaf143d5e1370fc5af440390229fbf6b3c412b5505a58833a26aa6d1f686bd6dc3234252b0962490973135ce1d914b4e44f9c2e357e800d38dfcf81
-
Filesize
1KB
MD563dff95452abc93279c5ea146e328a0a
SHA19e5c5bd0bc73d395df74c1216ea7ceb424e4a533
SHA256d1e5ce3fba4da81e9b87f76f67b34d421ab38940dfee33238af997ec3ce9e7d6
SHA5121a698a70da76d848746f6af5363777c52070a392868c0904858f248ba9d69c2ef376237d58e5b2ada7928a671b40208cebd9e9ef5449427da8f5320c30eeaae2
-
Filesize
1KB
MD5d8f44cc51c1ec8e06632fb5e6c63b57a
SHA1c4946ec563170f1b5a45737e08c2863680a0fc77
SHA256a18315a127bdc70c30de74c722f0bb526b810e5f2a49862c8a7643d1ced82a61
SHA512781a035181496fa1a50aca2caa388926fb41c1deee0a64b67c70ce978b59fe176bca037c690989adb00ad6e92e390d83b8afba2cd5c53bfc19c78fb29791da5c
-
Filesize
1KB
MD53a70b69d17f3ccc261171d8cfb631707
SHA1bc72cb5e3e3df32267f2d27d53219fa9d7808abe
SHA2563b292cf4c5659a672ab5a069e2226ffee8f4db65c695dd721c4a09b30f996b0e
SHA5125b35f6038bf26fe7d7acc369dfbd4e52a5525bfbd3494e0050d47d4a4f77f9672ac5358246c26ba3964cfd73b4d573e8558d7a67daf0d93288941ca669f62705
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
8KB
MD5d7c46851dd5e22e2f7eafa542c9ce124
SHA19178465e0400c6abf59e4b1e95fd730065a8b3ae
SHA256b33727e954b6093bf93ea5b0c74711bf21d15d5ccfa074bcd719484ae1ddceff
SHA512961994d47e7db13107bcbb530089a4fa9602113a0236d2864ef87c1174aab8ddddf306e45e30198ce1900157f173863a6de9e08e5fab0d506a7e2b69f8ea91a3
-
Filesize
11KB
MD57605dd4f72a13959064ad4a0f3fde51a
SHA10a64577c5072edb9492ff9451ffe4aed1e2c1764
SHA256cdd453e302a202a12f5fca4894076aa91a59e7ea359e2bb3bd30f6818dfeb303
SHA51295b46c068a37a16c677e7badfa26deb946a9f1fe3e8d179c9b8a3ae54d4c34a4df2ac47c789397614b80062c1eed0f45fa0daefb15062fda90c54a863d3f502d
-
Filesize
11KB
MD5893907bf5d56562e8403eccd67d2ac71
SHA13d7639eca1536e80318d807b25acf9cb3f2115f4
SHA256078745b8cdf49ddab6818dcf561586799afc142c0ce988cb67ecd171a82df4d1
SHA51216f62bf980cf62c8e78f2f8c309703a068a89d6e525b2bbff6693efd837603a7493772a56bd7d7341be74a545ca6d616f1d428be1214cb11df90a7d1764542dd
-
Filesize
11KB
MD55b57609aafe951c9ef7823d987c59613
SHA1d4747240be9743d687c7713067fbdf2be5ddfd34
SHA256a920e687f821a1824fd146010fdb4a19fc83c19c11149006f4a5d02e172d5fc1
SHA512145d1b10f86d42ed6796c46a21ef8e3d1aeb1021adcc4d88033720b5d5fdcbfb2256790c72fed3d66f09bc07c75014a5da034a3085110d9eacd953215fbd5aeb
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
10.7MB
MD54ffe9c1e2820ea8e4846c2bc8c857b62
SHA1ac7ac2d1ce9576d916d53ef34b42ba9d0c61a65b
SHA2568aeef059e768a162a02a00770b4eabe9c4b25549dea4761afb372ccd75d80e2b
SHA5122d289c4fbbffdcc1e02b2c76c3b955efbfea7ff6e9e628125fd4f7817656a0a763d74771014ae090319360d2dee6107881b67926667eb25d4b3cbfca0383b433
-
Filesize
19.8MB
MD528a705bf9211140ae303c74ff3ec2167
SHA163cbc21e86aff821a36580e436ce8b31e9cf76bb
SHA256ddbf4da6374d9db20333495cbc7a3e5491ac76f9a82a20791b5699c9bc835a84
SHA51214118ecc11d03c3714a8ee84dde215d70834bdab119fadeab2246438e7d22bc20117b08bf766b5efc1ed1d41123d6ded6741d0caf8773da16010841544de4468
-
Filesize
3KB
MD500930b40cba79465b7a38ed0449d1449
SHA14b25a89ee28b20ba162f23772ddaf017669092a5
SHA256eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62