Analysis

max time kernel: 1049s
max time network: 965s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-08-2024 12:47
Static task: static1
URLScan task: urlscan1

Signatures
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; its original builds were written in VB.NET.

AgentTesla payload  2 IoCs
Resources matched by YARA rule family_agenttesla:
  C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.1\Guna.UI2.dll
  behavioral1/memory/4496-605-0x000001A5B0020000-0x000001A5B0214000-memory.dmp
Caveat: the file hit is Guna.UI2.dll, a third-party WinForms UI library that ships next to the XWorm builder executables, and the memory hit is a dump of PID 4496, the process that ran XWorm V5.1.exe from the same directory. A family rule firing on a UI library is as likely to be a shared packer or string artifact as a genuine Agent Tesla payload, so confirm it (hash of the DLL against the library's published release, or observed credential-theft and exfiltration behaviour) before reporting Agent Tesla.
Executes dropped EXE  3 IoCs
Processes:
  pid   process
  4496  XWorm V5.1.exe
  868   XWorm V5.2.exe
  4496  XWormLoader 5.2 x64.exe

Loads dropped DLL  3 IoCs
Processes:
  pid   process
  4496  XWorm V5.1.exe
  868   XWorm V5.2.exe
  4496  XWormLoader 5.2 x64.exe
Note: PID 4496 is reported for both XWorm V5.1.exe and XWormLoader 5.2 x64.exe. The memory dumps under the Agile.Net signature show two different image bases for that PID (0x000001A5... and 0x000001DF...), which is consistent with Windows reusing the PID after XWorm V5.1.exe exited, so correlate on image path and start time rather than on PID alone.
Obfuscated with Agile.Net obfuscator  4 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Resources matched by YARA rule agile_net:
  C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.1\XWorm V5.1.exe
  behavioral1/memory/4496-595-0x000001A593B90000-0x000001A5944E2000-memory.dmp
  behavioral1/memory/868-860-0x0000016557950000-0x0000016558588000-memory.dmp
  behavioral1/memory/4496-991-0x000001DFBD7C0000-0x000001DFBE3F8000-memory.dmp
Enumerates physical storage devices  1 TTP
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry  2 TTPs  21 IoCs
Processes (the report lists one row per access; rows are grouped here with a count):
  process                  description        ioc                                                                    rows
  XWorm V5.1.exe           Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     1
  XWorm V5.1.exe           Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  1
  XWorm V5.1.exe           Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       1
  XWorm V5.2.exe           Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     1
  XWorm V5.2.exe           Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  1
  XWorm V5.2.exe           Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       1
  XWormLoader 5.2 x64.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     1
  XWormLoader 5.2 x64.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  1
  XWormLoader 5.2 x64.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       1
  msedge.exe               Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     4
  msedge.exe               Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  4
  msedge.exe               Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   4
Note: reading SystemManufacturer and SystemVersion under HKLM\HARDWARE\DESCRIPTION\System\BIOS is a common virtual-machine check, because on virtual hardware those values carry the hypervisor vendor's strings (for example "VMware, Inc."). The msedge.exe rows are the browser's own hardware and telemetry collection and are not an indicator by themselves; the rows to act on are the identical reads performed by all three dropped XWorm binaries.
Suspicious behavior: EnumeratesProcesses  52 IoCs
Processes (pid, process, rows):
  2044  msedge.exe               2
  4392  msedge.exe               2
  5060  identity_helper.exe      2
  4872  msedge.exe               2
  1804  msedge.exe               2
  5056  msedge.exe               2
  2304  identity_helper.exe      2
  3144  msedge.exe               4
  4216  msedge.exe               2
  4912  msedge.exe               2
  5028  msedge.exe               2
  2252  msedge.exe               2
  4496  XWormLoader 5.2 x64.exe  26
Note: process enumeration by the Chromium browser processes is routine. The 26 rows from XWormLoader 5.2 x64.exe, combined with its SeDebugPrivilege request under "Suspicious use of AdjustPrivilegeToken", are the ones that warrant follow-up.
Suspicious behavior: GetForegroundWindowSpam  1 IoC
Processes (pid, process):
  4352  7zG.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  23 IoCs
Processes (pid, process, rows):
  4392  msedge.exe  10
  5056  msedge.exe  7
  4912  msedge.exe  3
  2252  msedge.exe  3
Note: every hit is an Edge browser process. This is the browser applying the "block non-Microsoft-signed binaries" image-load mitigation when it launches its sandboxed child processes, a hardening feature rather than attacker behaviour.
Suspicious use of AdjustPrivilegeToken  20 IoCs
Processes (privilege, pid, process, rows). The report prints two privileges as bare numbers; these are well-known privilege LUIDs and are decoded here from the standard winnt.h numbering (33 = SeIncreaseWorkingSetPrivilege, 35 = SeCreateSymbolicLinkPrivilege):
  SeRestorePrivilege                  1400  7zG.exe                  1
  35 (SeCreateSymbolicLinkPrivilege)  1400  7zG.exe                  1
  SeSecurityPrivilege                 1400  7zG.exe                  2
  SeRestorePrivilege                  4944  7zG.exe                  1
  35 (SeCreateSymbolicLinkPrivilege)  4944  7zG.exe                  1
  SeSecurityPrivilege                 4944  7zG.exe                  2
  SeRestorePrivilege                  4352  7zG.exe                  1
  35 (SeCreateSymbolicLinkPrivilege)  4352  7zG.exe                  1
  SeSecurityPrivilege                 4352  7zG.exe                  2
  SeRestorePrivilege                  2156  7zG.exe                  1
  35 (SeCreateSymbolicLinkPrivilege)  2156  7zG.exe                  1
  SeSecurityPrivilege                 2156  7zG.exe                  2
  SeDebugPrivilege                    868   XWorm V5.2.exe           1
  SeDebugPrivilege                    4496  XWormLoader 5.2 x64.exe  1
  33 (SeIncreaseWorkingSetPrivilege)  3320  AUDIODG.EXE              1
  SeIncBasePriorityPrivilege          3320  AUDIODG.EXE              1
Note: 7-Zip enabling SeRestore, SeSecurity and SeCreateSymbolicLink while extracting (to restore security descriptors and links) and audiodg adjusting its own working set are expected for those programs. SeDebugPrivilege is what lets a process open other processes it does not own, which a builder GUI has no need for, so the two dropped-binary rows are the ones that matter.
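The registry table above and this privilege table are flattened into single runs of "description ioc process" and "Token: privilege pid process" fragments, and process names in them contain spaces. The script below is an added example for working with such rows; it is not part of the Triage report or of XWorm. It re-tokenises a constructed subset of the rows copied from the two tables, decodes the bare privilege numbers (assumed to follow the standard Windows well-known-privilege numbering), and separates the sandbox's own tooling (Edge, 7-Zip, audiodg) from the three dropped binaries, which is the split a reader of this report actually needs.

```python
"""Re-tokenise flattened Triage signature rows and pull out the behaviour that
belongs to the dropped binaries (added example; not the sandbox's or XWorm's code)."""
import re
from collections import defaultdict

BIOS_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"

# Binaries the report lists under "Executes dropped EXE".
DROPPED = {"XWorm V5.1.exe", "XWorm V5.2.exe", "XWormLoader 5.2 x64.exe"}

# Triage prints some privileges as bare LUID numbers.  Assumption: these follow
# the standard well-known-privilege numbering (SE_* constants in winnt.h).
PRIVILEGE_LUIDS = {
    "33": "SeIncreaseWorkingSetPrivilege",
    "35": "SeCreateSymbolicLinkPrivilege",
}

# Constructed subset of rows copied from the two tables in the report.
REGISTRY_ROWS = (
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe "
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS XWorm V5.2.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer XWormLoader 5.2 x64.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer XWorm V5.1.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion XWorm V5.1.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer XWorm V5.2.exe"
)
TOKEN_ROWS = (
    "Token: SeRestorePrivilege 1400 7zG.exe Token: 35 1400 7zG.exe "
    "Token: SeSecurityPrivilege 1400 7zG.exe Token: SeDebugPrivilege 868 XWorm V5.2.exe "
    "Token: SeDebugPrivilege 4496 XWormLoader 5.2 x64.exe Token: 33 3320 AUDIODG.EXE"
)

# Process names contain spaces, so each row is cut at the start of the next
# row's fixed prefix rather than at whitespace.
_REG_RE = re.compile(r"(Key opened|Key value queried) (\\\S+) (.+?)(?= Key opened| Key value queried|$)")
_TOK_RE = re.compile(r"Token: (\S+) (\d+) (.+?)(?= Token:|$)")


def decode_privilege(name):
    """Map a bare LUID number to its SE_* name; named privileges pass through."""
    return PRIVILEGE_LUIDS.get(name, name)


def parse_registry_rows(text):
    """-> [(action, registry key, process), ...]"""
    return [m.groups() for m in _REG_RE.finditer(text)]


def parse_token_rows(text):
    """-> [(privilege name, pid, process), ...]"""
    return [(decode_privilege(p), int(pid), proc) for p, pid, proc in _TOK_RE.findall(text)]


def vm_check_candidates(rows, dropped=DROPPED):
    """BIOS value names read by dropped binaries only.  Edge reads the same
    keys for its own telemetry, so its rows are deliberately left out."""
    seen = defaultdict(set)
    for action, key, proc in rows:
        if proc in dropped and action == "Key value queried" and key.startswith(BIOS_KEY + "\\"):
            seen[proc].add(key.rsplit("\\", 1)[1])
    return {proc: sorted(vals) for proc, vals in sorted(seen.items())}


def debug_privilege_holders(rows, dropped=DROPPED):
    """Dropped binaries that enabled SeDebugPrivilege (7-Zip's SeRestore/SeSecurity
    rows and audiodg's working-set row are normal for those tools)."""
    return sorted({(pid, proc) for priv, pid, proc in rows
                   if priv == "SeDebugPrivilege" and proc in dropped})


if __name__ == "__main__":
    for proc, values in vm_check_candidates(parse_registry_rows(REGISTRY_ROWS)).items():
        print(f"{proc}: reads BIOS {', '.join(values)}")
    for pid, proc in debug_privilege_holders(parse_token_rows(TOKEN_ROWS)):
        print(f"{proc} (PID {pid}): SeDebugPrivilege enabled")
```

The DROPPED set is the pivot: the same registry keys and the same privilege names appear for benign processes, so the rows are only meaningful once joined to the list of binaries that came out of the archive.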
Suspicious use of FindShellTrayWindow  64 IoCs
Processes (pid, process, rows; 64 appears to be the per-signature display limit of this report format):
  4392  msedge.exe  49
  1400  7zG.exe     1
  4944  7zG.exe     1
  4352  7zG.exe     1
  2156  7zG.exe     1
  5056  msedge.exe  11
Suspicious use of SendNotifyMessage  64 IoCs
Processes (pid, process, rows):
  4392  msedge.exe  24
  5056  msedge.exe  24
  4912  msedge.exe  16
Suspicious use of WriteProcessMemory  64 IoCs
Processes (source pid, source process, target pid, target process, rows):
  4392  msedge.exe  4252  msedge.exe  2
  4392  msedge.exe  4184  msedge.exe  40
  4392  msedge.exe  2044  msedge.exe  2
  4392  msedge.exe  4088  msedge.exe  20
Note: every row is the Edge browser process (PID 4392) writing into children it had just spawned (4252 crashpad handler, 4184 GPU process, 2044 network service, 4088 storage service, all listed in the process tree below). Chromium passes handles and launch data to child processes this way, so this is startup noise; none of the dropped binaries appear as a source or a target.
Processes

Each entry is shown as [depth] image  PID, followed by its full command line and the signatures that fired on it. The depth is the nesting level in the process tree (1 = root); in the raw report this digit was fused onto the end of each command line and is not part of the arguments. Children are indented under their parent. Reading the tree top to bottom: Edge fetches the archive from gofile.io, four 7-Zip runs extract it under C:\Users\Admin\Downloads\XWorm+v5.1-5.2\, and each extracted XWorm executable that is launched opens https://t.me/XCoderTools in Edge.

[1] msedge.exe  PID 4392
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/3JWa0b
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] msedge.exe  PID 4252
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d48d46f8,0x7ff9d48d4708,0x7ff9d48d4718

  [2] msedge.exe  PID 4184
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2

  [2] msedge.exe  PID 2044
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

  [2] msedge.exe  PID 4088
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8

  [2] msedge.exe  PID 4676
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

  [2] msedge.exe  PID 3616
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

  [2] msedge.exe  PID 3856
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1

  [2] identity_helper.exe  PID 3748
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 /prefetch:8

  [2] identity_helper.exe  PID 5060
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] msedge.exe  PID 4504
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1

  [2] msedge.exe  PID 1560
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

  [2] msedge.exe  PID 764
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1

  [2] msedge.exe  PID 1088
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

  [2] msedge.exe  PID 1552
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1

  [2] msedge.exe  PID 1664
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4672 /prefetch:8

  [2] msedge.exe  PID 1032
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1

  [2] msedge.exe  PID 1368
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1

  [2] msedge.exe  PID 4872
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,6117060745227817778,4621486610449569096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
[1] CompPkgSrv.exe  PID 2764
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] CompPkgSrv.exe  PID 1188
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] rundll32.exe  PID 1672
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] 7zG.exe  PID 1400
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm+v5.1-5.2\" -ad -an -ai#7zMap6153:88:7zEvent9827
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] 7zG.exe  PID 4944
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm+v5.1-5.2\" -ad -an -ai#7zMap27095:88:7zEvent3531
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] 7zG.exe  PID 4352
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm+v5.1-5.2\" -ad -an -ai#7zMap12625:88:7zEvent30060
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] 7zG.exe  PID 2156
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm+v5.1-5.2\" -ad -an -ai#7zMap17603:88:7zEvent30724
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
[1] XWorm V5.1.exe  PID 4496
    "C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.1\XWorm V5.1.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry

  [2] msedge.exe  PID 5056
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    [3] msedge.exe  PID 3612
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d48d46f8,0x7ff9d48d4708,0x7ff9d48d4718

    [3] msedge.exe  PID 4600
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,14110015758631363402,13970238306177659420,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2

    [3] msedge.exe  PID 1804
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,14110015758631363402,13970238306177659420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    [3] msedge.exe  PID 2076
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,14110015758631363402,13970238306177659420,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8

    [3] msedge.exe  PID 4384
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14110015758631363402,13970238306177659420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

    [3] msedge.exe  PID 3312
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14110015758631363402,13970238306177659420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

    [3] msedge.exe  PID 4976
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14110015758631363402,13970238306177659420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1

    [3] identity_helper.exe  PID 1040
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,14110015758631363402,13970238306177659420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8

    [3] identity_helper.exe  PID 2304
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,14110015758631363402,13970238306177659420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [3] msedge.exe  PID 2720
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14110015758631363402,13970238306177659420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

    [3] msedge.exe  PID 1764
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14110015758631363402,13970238306177659420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1

    [3] msedge.exe  PID 2624
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14110015758631363402,13970238306177659420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1

    [3] msedge.exe  PID 3716
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,14110015758631363402,13970238306177659420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1

    [3] msedge.exe  PID 3144
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,14110015758631363402,13970238306177659420,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2696 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses
[1] CompPkgSrv.exe  PID 4052
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] CompPkgSrv.exe  PID 1572
    C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] XWorm V5.2.exe  PID 868
    "C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
  [2] msedge.exe  PID 4912
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of SendNotifyMessage

    [3] msedge.exe  PID 4988
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d48d46f8,0x7ff9d48d4708,0x7ff9d48d4718

    [3] msedge.exe  PID 2336
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,4020583610792118323,12219565402513586880,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

    [3] msedge.exe  PID 4216
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,4020583610792118323,12219565402513586880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    [3] msedge.exe  PID 2260
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,4020583610792118323,12219565402513586880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8

    [3] msedge.exe  PID 208
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,4020583610792118323,12219565402513586880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

    [3] msedge.exe  PID 2500
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,4020583610792118323,12219565402513586880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,4020583610792118323,12219565402513586880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:13⤵PID:1708
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:860
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2232
-
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2252 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d48d46f8,0x7ff9d48d4708,0x7ff9d48d47183⤵PID:220
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,7685712035911115008,8029323925392249701,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:23⤵PID:1188
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,7685712035911115008,8029323925392249701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:5028 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,7685712035911115008,8029323925392249701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:83⤵PID:3480
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7685712035911115008,8029323925392249701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:13⤵PID:3284
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7685712035911115008,8029323925392249701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:13⤵PID:516
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7685712035911115008,8029323925392249701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:13⤵PID:4848
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4364
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2112
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:4428
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2fc 0x50c1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3320
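The process tree above is the part of this report a triager reads first: the two XWorm images (PID 868 and PID 4496) are the only processes outside C:\Windows and C:\Program Files, and each of them launches msedge.exe with --single-argument https://t.me/XCoderTools, which the sandbox tags NtCreateUserProcessBlockNonMicrosoftBinary. The Python below is an added example, not part of the report or of any sandbox vendor's tooling: it parses the flattened one-line-per-process layout this page was extracted in (image path immediately followed by the command line, a single nesting-depth digit fused onto the command line before the ⤵ marker, then "- " signature tags and a PID line), rebuilds parent/child links from the depth, and flags the relationships worth escalating. The input is a constructed, abridged excerpt in that layout; the trusted-path roots and the tag watchlist are the example's own assumptions.

```python
"""Parse a flattened sandbox process tree and flag what a triager cares about.

Added example, not the report's own tooling. Layout handled (as on this page):
  <image path><command line><depth digit>⤵[PID:<n>]
  - <signature tag>            (zero or more)
  PID:<n> [-]                  (when not fused onto the process line)
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, abridged excerpt in the report's flattened layout.
SAMPLE = r'''
C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe"C:\Users\Admin\Downloads\XWorm+v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:868 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4912 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --mojo-platform-channel-handle=2200 /prefetch:23⤵PID:2336
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4052
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2fc 0x50c1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3320
'''

# Image path ends at the first ".exe"; the depth is the last digit before ⤵.
PROC_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵\s*(?:PID:(?P<pid>\d+))?\s*$',
    re.IGNORECASE)
PID_RE = re.compile(r'^PID:(\d+)')
URL_RE = re.compile(r'https?://\S+')

# Assumptions of this example, not part of the report.
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files')
WATCH_TAGS = ('Executes dropped EXE', 'Loads dropped DLL',
              'NtCreateUserProcessBlockNonMicrosoftBinary')


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    tags: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = None


def parse_tree(text: str) -> List[Proc]:
    """Rebuild the tree: a process at depth d is a child of the last process at depth d-1."""
    procs: List[Proc] = []
    stack: List[Proc] = []          # stack[i] = most recent process at depth i+1
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':
            continue
        m = PROC_RE.match(line)
        if m:
            p = Proc(m['image'], m['cmd'].strip(), int(m['depth']),
                     int(m['pid']) if m['pid'] else None)
            del stack[p.depth - 1:]               # drop siblings and their subtrees
            p.parent = stack[-1] if stack else None
            stack.append(p)
            procs.append(p)
        elif procs and line.startswith('- '):
            procs[-1].tags.append(line[2:])
        elif procs and PID_RE.match(line):
            procs[-1].pid = int(PID_RE.match(line).group(1))
    return procs


def is_trusted_path(image: str) -> bool:
    return image.lower().startswith(TRUSTED_ROOTS)


def triage(procs: List[Proc]) -> List[str]:
    """Findings: untrusted images, browsers opened by untrusted parents, watchlisted tags."""
    findings = []
    for p in procs:
        if not is_trusted_path(p.image):
            findings.append(f'pid {p.pid}: image outside trusted roots: {p.image}')
        url = URL_RE.search(p.cmdline)
        if url and p.parent is not None and not is_trusted_path(p.parent.image):
            findings.append(f'pid {p.pid}: {p.parent.image} (pid {p.parent.pid}) '
                            f'opened {url.group(0)} via {p.image}')
        findings.extend(f'pid {p.pid}: {t}' for t in p.tags if any(w in t for w in WATCH_TAGS))
    return findings


def render(procs: List[Proc]) -> str:
    """Indented view, one process per line, children under their parent."""
    lines = []
    for p in procs:
        name = p.image.rsplit("\\", 1)[-1]
        tags = "".join(f" [{t}]" for t in p.tags)
        lines.append(f"{'    ' * (p.depth - 1)}{name} (pid {p.pid}){tags}")
    return "\n".join(lines)


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    print(render(tree))
    print(*triage(tree), sep="\n")
```

The depth digit is the only link between parent and child in this layout, so the stack in parse_tree is what turns a flat list back into a tree; on the full report it also exposes the PID reuse between XWorm V5.1.exe and XWormLoader 5.2 x64.exe (both PID 4496), which a PID-keyed correlation would otherwise silently merge.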
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 152B
MD5 6ee77096f3c34224bc57bbc11a3614ab
SHA1 3701a682043057b377c48d4f3a98370890a9bb5b
SHA256 79308edbfb7a247b7591abeec2182aac1affcd6bb0ef1a12d11f563490e9ccb2
SHA512 1938a0ff4707b5b7238bf80da8bd1d094bc7328158d64d0ff4f148a7e3c09ef6d687bf925f8b134d6547ae1e39f584edfd34512822a5c9da48759fbadfbae2be
-
Filesize 152B
MD5 eeaa8087eba2f63f31e599f6a7b46ef4
SHA1 f639519deee0766a39cfe258d2ac48e3a9d5ac03
SHA256 50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
SHA512 eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c
-
Filesize 152B
MD5 b9569e123772ae290f9bac07e0d31748
SHA1 5806ed9b301d4178a959b26d7b7ccf2c0abc6741
SHA256 20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
SHA512 cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795
-
Filesize 152B
MD5 646f0bd64ee1617c3f718bc49683b5d1
SHA1 c741146021701e98702d56f07c0487d3a3b387f9
SHA256 42541d16c833118aeedea1bbb88654e957dbce1b5c64a0432285856cfdcd04c7
SHA512 81dacef0781255647ebc77df1ec07e45c3297474046674ed0d8b06b68141a23cc63b8215b3cbc4c973aecf5d2f461dfbe77e2f68b8a25323e1c395879f48f8b9
-
Filesize 152B
MD5 9a35e10619e92fe055bc1ed9a2767107
SHA1 9abb6520603eb621d39a8fef96bbc008a8df4f27
SHA256 5906159de73933d3b5d0ca64cf4ee4504c71b4ece33c175886ab559f423df815
SHA512 782cd307d3ab9aafb39bc1434a096a13ec898ff5b09478c60f6728f321cbb21a8c1dbd681b507cab5e632baa5ea4e2c31b99715c7ab1402dd27efc94bed72cd6
-
Filesize 152B
MD5 f43cadf854f0194c3c795c38fef8f03f
SHA1 12e23328ccd89cb13c8486ec4a8a295e22f6c25a
SHA256 3e865e079793509b47dfa42710a6f874b83aae3c2387cdd551b5357ff5468778
SHA512 cc31b27c200d403b561ea1a73ee2aecd4cfddb009a62587a19b286d8177c95f89ffab2119f3637f38c2b5d50670ece835133edb1c24355a99367a557cb4f5fa5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8cd055a2-2c5d-4957-98a2-fcbc3888b990.tmp
Filesize 1B
MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize 44KB
MD5 166d2add01f59fbe6ba00a274b747460
SHA1 f05c489326d61792122d78f5a6f5c014aa1d92be
SHA256 f1a17511a34804adad3ae9c3c724ff1577579365ce26eafdde7dca789d955dc9
SHA512 4f6703e5b9f624161e182e1c9f5a1501dc8f9058e89c066c14e45f76c20e7ee37b88079ca59113de8bb08144af2cc26f1eabc425b29be1857fa35f5aa2c6a3cc
-
Filesize 44KB
MD5 f36a04e9b266bad68fb142da1f179a53
SHA1 a6f81a483672057d321a39ac90b3ed7f3e5197e4
SHA256 f8b528ee449750cfcc1fcd1bcc4e98348c0d07a6200cf3f7f15519fbb2395efe
SHA512 4148fee3a7a92832fb444ca0cfba4e5b29bd61c97147310542b0a97bdbd8b18d57c441b5b8dce91e1f1d0f4d06ead63ce72ee48c2ac38ea184d36e8c7d9a209a
-
Filesize 264KB
MD5 b7d4fbfdc4118ad8a3b738fcf71c4667
SHA1 477f849d82fe67ef85bd0c63018fdf2e71ddaacc
SHA256 c169dc01d4e9c76481c5e1eaebc38a50363cba0e5cf7c77acc14e810e11945b3
SHA512 ffc469326159344245331cfab7e414cd0b0e1de87ceab9cf54a388a4e29068eb0cfe28422b5ba2f4463161c0e1b889def3383a28ff280ad4aacf7bbe4fcfcc4c
-
Filesize 264KB
MD5 e8c04efb91029d15cab78ece786f87ee
SHA1 09ab4fedbfa08bcef5555379beee0b394161ced6
SHA256 fee47ed14000b9cad27605e3edd5f27646d1c8d907e5689d1652dc0ab07859a5
SHA512 3620a20f0a741dbdcbb49f42cf4de37eedadbbb77460dc1d35e07713e5c831680b685cf554106053da39f67f65c0035249e7ac4097e374861bb960424ae481b6
-
Filesize 1.0MB
MD5 fe5a20b22877c519cc7df9029fa5b808
SHA1 7e782860294e595e819050a815f244f483e73d08
SHA256 a7d45c0f0746d4ba2478b265702b4f54a0aff564102c791a6256cc090bc68303
SHA512 54dbed2dfeceaf8eb0d90601a662e5a44a2700e66d6812267db2ce34a0c46de63c467aa092599bb59673330ca1e024695d7cbe49e29fd6bc36d52f25d85b5858
-
Filesize 4.0MB
MD5 88f71c2e1be1567f1c791d5ebc0843c9
SHA1 0bf2b5fa376d5697563c957d1b254e79ded23984
SHA256 6e80b1b651dc912b97303d4a89fb73d0e0de41632830b6fccaa2a81f64338ea2
SHA512 1e9b20ee9bf8a023d15d5568580f9f4e5c0fcc1693da7cc2ef51fe9fe2d6b1969839253032bc114836ed7dd806df027da5fa0e9dbe555013ef270adfa34092d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 288B
MD5 4f4a2bb4431a7fa669e612484a9af08b
SHA1 dc69d805608a7fdcc75f27b872040afb8df05c2e
SHA256 927455a4a4729740cc58b0d7462e59bf77b4bcbaf75912e48cc7d637ca9da191
SHA512 6c562649141ffb4f2eb7639e0f62d111b40cb3d18143485ebbd214aaa0ebd29b60088e10c32d49fd5d96a030ebabe0c1999736a114673e188f97c174e75d6bac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 312B
MD5 0cdd51dd679969390aee9c9ae34130d1
SHA1 39465b396ef586b8e0f234d9f3525949195541cf
SHA256 9974cf057bbfe87f819000c8315f1c75f23d37c411959552ab9d79e2aa29863d
SHA512 96614b5381a13f2fe813a79d6a781cf31722511bf145465e714d0b4c4e93c3b8d65626a70e44bde8cc819d8ee02f587ef3dc41fc8967fae436d28e3c465b9e28
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 312B
MD5 499f9a87fde909de3090059c1560cfde
SHA1 1d396b2ac1dc874c69912fbc973f6c4b0b4525f5
SHA256 ac0212785c3d83bbd5ab8bf7350205861cae5f0920c632db2f1f8394d4b2531c
SHA512 880dea368e92f98d528c67001dc5ae39e5a69189aeee71d0c204a324fff547888d4b149492665e62db79c2cac62cb68cb0d81ec014a4eb4d497f6be9e19483e6
-
Filesize 20KB
MD5 9c0f938916277854cfc3cef52d3a5da3
SHA1 8519f71150bf693314f42f3a78b5148b83459a8f
SHA256 05a9e2c99fd58d31f25f8281179fab97a21fcc264664747f6571388faaa72f85
SHA512 77f796444aa3aff8e77651b7504cb9112543184da18f845644b8c64b6344fa824305194adc1dab6f0a7cd3a4c5fe88f43fd3b5164b69fc8cbfd689e733620bfd
-
Filesize 319B
MD5 4a5a993c1518af42c852c58cd5b9ad73
SHA1 8590318bd9f024a191618b27ec422f62387fa4b8
SHA256 57b039f916392fb85cafe81663c026ba64ef71120299454a846f2099fa6940ab
SHA512 3a7e1ac2e015894c0b2d5c3a5e66f8b287eeab550c9bf0a83e2e3171c457cff3deecd73b4f39105afaad140ad5ff72a99d23a16283a287a2532edd9a1a62e483
-
Filesize 20KB
MD5 7114e1d48cd3dc0bb7d7dccad9201e90
SHA1 0ec7fc7b47038222dd4a8ddc6d5f7bb2b0a4cf24
SHA256 be725d372e660df874a3773dd31211ecb84592e6e21aa384ecec14f0bf597255
SHA512 c41ffb88589742565d19f76e4a95d809645b88018e20c78a83be8c14de6136eac340aae01b9649c30abd9fa1c0bc8c5e990177dde77193b507a42f5db6e187a3
-
Filesize 264KB
MD5 a5d19a49973d5d65fc8e31edb3039b95
SHA1 d7b7d403bff46ea225660d351808f846c2480d76
SHA256 26286314872b16bb45c641bfda01bea1da34ce5ebc3f655f1b1675ba16ad48f4
SHA512 a666b0d08dff4b3d581ad1a965a3b66af8bfbfb9ec2d9b002f7ed6dfbdeab3980dcda5b8d046a033a05a7d7aa9f2c0fe83a59a070471cf7bf46a787bd239e93b
-
Filesize 264KB
MD5 5a4a9aba26358b5be3f14dbfb0a96058
SHA1 549744712b77fae249d5cc530524a06492843542
SHA256 7ec337ed176e27269b82608f9e7f1a7f9efda268a01a09f512dd2cfa7621e683
SHA512 307a29b0f92268a634168b97318568523b9164143b55a06c539c538caa613210813a00f083a2e7ab670ab643320ee8c7f31a78cc598c228656ea8fb63f5c20eb
-
Filesize 124KB
MD5 9355d399f59f3aa0bbddf666284ccd74
SHA1 63caf19423ab769f0c3d86b6f5fe81de4b92698d
SHA256 8ab49993e3c65350efce7bbb8977c058be5c09f3763c0f8fd52243ac9218eecd
SHA512 a6a793e627c2f2fce36ae5e8fcfa4e66db6ed680051bad6a1360aed12608359aadb28320b94ab38325da41a88922de845d38454fe79f7967daa09e20ac7c56a0
-
Filesize 666B
MD5 94c0c3e84d87e2aae6f332bfc1a49fc1
SHA1 305054e0893010bfea0700b0592c8e4fb473170e
SHA256 20ddd45d6a4b967e2d926fa261690448b775626cfe57d2df37e43d9cb75d8404
SHA512 0d6825e88c4c591dc5f3547434f37e93c3c67c9180ac395df2f1d5ec00c9471316256524dba025f5c9d5ee147a4937f00e6aee964bd7812cc64a5ef6730fa21e
-
Filesize 28KB
MD5 1649f408dc6debde1366112aa54f751c
SHA1 cc5e924c762d35cdcfc4008717615a67bbca1ad6
SHA256 a596947dddb76c90ebd9f2392759e22261406cd367ca605d973847f7def3e967
SHA512 cd58b5749e924f2f0d19bdfc754c46811de78ef3ef4ede3076e44a89c7d5a8499e3eaa26fa1d7f625e2ce7a35b1bdb49197824b4214028ff5d73bb6018672e3b
-
Filesize 438B
MD5 7f7ff60d60bee259b68efceb727265aa
SHA1 cf123d582ae16c58ec1dee8bdb184e0ed702b2b1
SHA256 2b3fe68483c17616d634dc65e30637156f95727136835acfd6d4d34c4e6e0ac1
SHA512 2fdef8afb6c50497bd5f14f58cdd267b4a22ce4e32a9fc3c402ec31e03681762bc59058ffc929f22fce8bfa5f0ff312f1f32b37d06c67ed2671b9624c6abd015
-
Filesize 331B
MD5 b1963bdca33eb2f813628dfcd8de8c99
SHA1 0101500b3a21f93ea3d1980ba2b6df47ff8baac0
SHA256 ab38d489c7f3f1b47d4f8966fdbafc36dacb6b562d4ab8f8eacb7e54d8e63ad7
SHA512 8f9a7d8d918466dbbe11b40f81be5c70e2b5a5df92202b5fc907425f30bfc4384761428347dc2702d6e98c62a2608aca8414c72c4f15da7dbf8e5de490d0dd9e
-
Filesize 390B
MD5 31faa8489b5c6524fb1620b53a0ecc3d
SHA1 c4c7d737e44abca37fbd209cd9a59e6e3e9d7ea3
SHA256 ff9e0418f42f85bdd01f9e787d4a5f8bd2942f9bd0b6d463e39b4906c9253668
SHA512 7707e0e83781606ee1aa21874052857c69f07a5cacf223fe3fed8e8eea14f8248a2a8054dd2400f195986aef43660150b92a9c7b09a62a5b4e902d1b8e8756ea
-
Filesize 816B
MD5 57c54250569917882bb773572efc8ff3
SHA1 6dc965ae1e50969e93c293a24d9cea55916d3f8c
SHA256 8a962b8c4fe215fd3d3578dd7ef37211091f1f57920d26b5b0b9630112017f94
SHA512 d8408d2ad1fc8e9d9137f2bf6e983194dcd698e15cc81900c7ba41a9debb86e93e4119d6921fb6da0c18d0291116c291cfd326e39cd916875b8c631b88c1e0bd
-
Filesize 816B
MD5 e022d0dbd8732f76ea8aee02a3897902
SHA1 3bd7ae1d2cfcc80bee5bbd2e1cf3e9a507663405
SHA256 046c6c4048b4ffa03e768f8dbe5bcc6363ac41e67440d37fbf2526af148b9776
SHA512 8c9eb968e3d23441fa8904e0271b8d4842e644607572f09cb6a5b7ad0d5124a072b58e16868f9370cc9bd803e7ea09c1930cb7de1d1cca63f219da2929b3de9d
-
Filesize 6KB
MD5 7daa3a96bbb00e2fc776147d5c4cfe8f
SHA1 d71aed3e0c03ca917b5058fda2a9a4a463e95395
SHA256 7bd08e957efa4c8c3af2091ad532d39ee3f9480ebc7d0dfbe762aa8311c5beff
SHA512 bb1064e428d23694374acbab4b8cb4419c2d85913c1085a75a4d8ac1861195ef05cb51286d2ce3af3b18dbec517d278d85f69f622ae678d9fb63949a4aa453e8
-
Filesize 7KB
MD5 023d0f00af5f2112059c799605b382a7
SHA1 ecac15c87e0e151977877553af2b456f94b53b20
SHA256 6a36e2ea697e38f89739f59db51d9f857f98cbc76eb2c30bd035f449a8ee233d
SHA512 189620cf1f0f3f236d99a8116198f12942c51d034c74291d81a40ff553578d242a6354593c5a2ac72757214ffd4148b92fabe2369dd5793c14f39cb911bb4fc5
-
Filesize 5KB
MD5 097fbf839ffd909119b0ab729ba46dde
SHA1 82923e43b396f08a7c2ad88b5ca1db3473db3d21
SHA256 fdef5ae9c67096fb67f3d52fa33cef37bfe100eef0535772fad81f8ba19edac9
SHA512 fd706d254a10d4f4754a490b9314942fa694c420d973b03ff646e75c680cfb6bc3165185145178b304cffb3b131d3cbbea8bed70f66d75621df0e9835b79436e
-
Filesize 7KB
MD5 5c90474c38ba0a42ebda3ab9a1c050b9
SHA1 3ed108761437aae1b2fc1907e7eaeac3ab3fcb15
SHA256 dae46ba5299b555924f7f966c4f635edd976678b4ee9f3a4a9e175ce42e0952f
SHA512 355beafd77213de6a8e8629498103bb97fa298fd4f9e3485bb566e9a5f7bc508ff3567f85ee9304c471004b6ff0cd437a28866bd75f6e1bb1a15f059e0b32a8e
-
Filesize 6KB
MD5 5ce64cdb53f2f2d73a730938f37f5736
SHA1 567b40c3603a663e8bbea73d59098bb9b0984612
SHA256 bf4d4a37a57abfb9de1ea4a5a2c450fc2a6b04e50fbc08dcd883a94e82f1ad85
SHA512 8f497d82015992c1faba59d82809eba8f8e4169d4be67711f49ddff0fba2eb17cc5d23cee68d8690edf49bd923fc6c81f6fcde55940429570e03fe6182a877e2
-
Filesize 7KB
MD5 c2eb6eaa2fc525da0a4f00378ec123dd
SHA1 e697969573a5576544731d1b3f7b59b9e93178d9
SHA256 c391e0d58fc57c4d31ca04bded00edef8ca1896bd9d917196f638ad4b600389a
SHA512 752df40e7bc07d3a2638f8789b028a8cf60354e9615a182810e8726869bd6de8524bdce0169f0e696d4b64fa5f3f2a658628242c18a96bac2d6e1a31e83c8c84
-
Filesize 6KB
MD5 7852bcacf97b0c8c18860f300c9afe9a
SHA1 adaa994ac09f3b6ce52c1ffcf35f438309074f80
SHA256 8d0c0b1b2cad1bec7c5da1713227913ea42b9d73043a0a3dbee60dd2d15416c5
SHA512 e8c17cf260c7c6a0ed7f9187b50dd582a0884caab3ea9e5d0683066f1086f624551db52a69cc77a53d319133cb01b3d193e1bdaea4c0b5e7258ebd0b8cfe197a
-
Filesize 6KB
MD5 f58ed1d41b8d8afdb674594b6ed21c58
SHA1 ddbe9784825bdf036d0d65ffbc69c13c33da7a58
SHA256 f144437b9a3e9595f4b5074eb287242728b258da481dfd45ab3e349d19b392a7
SHA512 dc101f506c5d83056379599923924edbb8b28eb65cbf4c373ef30421723634114d2685828a15ba010eedf7863793133119906b04759e2dd7e343684e61b58e3d
-
Filesize 7KB
MD5 6002f6e6c9c462d18c0547c9c692e2e0
SHA1 24677bcaa95c249de62a9a1ecb7cc0fcb6fb1a3a
SHA256 b9448c4e8478ea41f0651bb66a0241e91c52acb4c833e1c7c664bcf854872574
SHA512 7d34cb0743105b96adb1d3d97a857341012dfa1adbb59eb0654c5ac887f852380185f449745d6cd8eb57d6f6f6253ab24d75e43b1905e902f8201d7a8892720e
-
Filesize 7KB
MD5 d544fedb3e6d61d82682beb3aa51fe05
SHA1 2c94e9598899a86f40f4ec61f7120b252fe10e4a
SHA256 70cd64f98e89d47e64f978cea1ebc9bd175ee1801f6dbfc211b6419253caa824
SHA512 d7d51e84897b2a857aea6bee5d080de0e37c573873f824b52fad2712f702d4e3b9728088374e183569f9059fd04802482e65b0923aec17685eaddeb4d708f527
-
Filesize 7KB
MD5 a4f326e1649f463c9219958ab35d2955
SHA1 dcc6b5be50826a06b2f7db3a5134b7f6c157d869
SHA256 01b1a08436de09b71c07dd7708283f4e53dd8b9d90d3ccd1bb8e529a353f8c2b
SHA512 44dfdc5d21121b649e6fac21efe41b4b5bf2f8eb3301d653b16a5307edd16cbf0990ed95f263d19b99759ed29aa014fbef19fed8c822349dfec4f2647c00a57a
-
Filesize 364B
MD5 1ae105682cf9d2ae3d9d4239c08cc54d
SHA1 ecc2309ba271de5d9ecbfb72933f14667059d94d
SHA256 f709fc7130d382d0a302ea4bb4aeeafcaed72aeb3da99b047ee68447ab46e30e
SHA512 d2c918e73ae5428763c8037a260523d8fcbadaad908fa25d42dc03b21fedeb81d8738aa9921a97b08ede5de1109017ce8e599a70ccc318a58068b6db3314e448
-
Filesize 319B
MD5 d4a5116eafe659437b7cb77a8e7af40a
SHA1 adca61bd851a92b30d9ea2368fbe8d04b7674150
SHA256 e350423b43a46b53a9fb64b6fc75f63746936430bafcec469fc96b9598ff9907
SHA512 8b5be021e45e550c70dc1c41b1230e4eba429a81e08651fc9978912ae3ddaf309f0386a1d42ae3857870a2bc95e7bc20fc57eed47a756fd3b2d801b6947085f6
-
Filesize 2KB
MD5 8353bbcf5b6c1921e58725efe2592c49
SHA1 4507bb7ac98d113f573179d1a75704bb24fd6869
SHA256 2d3a31b3980b4c6c0fa226487124b4ddf7fcb2298a08894276a21518d9966a28
SHA512 7468dd11d83223099f293fd4868219d3e7fbaf417c80175903ec6b71e9f1e9ab41f27392e1f7fb3c33293021e720f193943f79cde3243f84c751ce807eef5e5d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize 112B
MD5 4395f09426db53984536060684ef4f8e
SHA1 327612214c1a678b0fe02c32d2b2a542beab6396
SHA256 9484101322bfb966dadfd9ed3015d8c6d172c4976bbc286f241a21c20cf64c2c
SHA512 1f8854008c930f7d7707a830bfc1df48309b3cfefcbec1ba095245cd103df25d6f9d584cfa4e7f1aa903c9daf6e7b73fe19d612220a23931fad69e296c1eca9e
-
Filesize 347B
MD5 ffbcfdda2f720487f501663d319a6a7b
SHA1 01f0b032239174f7c64f1074d533dea87833a444
SHA256 759e84c0d27c995c37f79f18149590f65420940d6bdcc62080759d303f59233c
SHA512 0e9dc9594b79c9c7cd1c929b4bc613f5b5fb4bddb05e2b6ea2ba0a873d24a420f532fcd1efcd8c4992ed2d5737a9e9d1de1c6550afd59209760667c9bce0a79d
-
Filesize 326B
MD5 863477010b6bd6f6145aa56c2ac49ed7
SHA1 f10716b893e93c3f35e5393c00ef092dd26a0ceb
SHA256 3058cb728a2b4dfa4590575482a6064f26aabe621cb206ab5291e111cf6ac997
SHA512 11fa2384a4ebc9881a1572a28aff56a7ff7696d4bd96b7d375cebe22c219073bad071aa5be51596fef4a79f0ffd5d0fe5c64cb1777157629f23e07dcb9b117af
-
Filesize 366B
MD5 25ebc1382db718368414213d12cc2ed9
SHA1 406ec81e26db01413b2b921c0ee4fdca5b3fda53
SHA256 c21aad5c01509311fc818e93b159b10e878105ae235f166a361ddaab6c9eb002
SHA512 c75c9d04b4a5fd317a0473ef711a8d990085b2a770d80765b711f296949462dea3048def0189fd907a17dcf91e5dfe850d824b7e02ed69e846a99356d83a4d37
-
Filesize 868B
MD5 33e61fb1109e016c1972573dfffe62fa
SHA1 9ca470ad401765b326fc088e79f8080bbfee6c96
SHA256 1682938ff98ffbd1969933e728ed7e5d92cbc4bf0a6e34024895cc9ef59a5070
SHA512 f681536e718f4f6f10edfc26b32a95b0b78aad694abf39066fe30dad2b90989016ed864eb5951d3c6fdc3b0e1790553400535ab38d67c78dd6f05155625e709d
-
Filesize 866B
MD5 1a6a3d212a7ed93e1026de7d5759e078
SHA1 e08830520c316a1710466d6ee46911ac041686ee
SHA256 147c26faa3950a97419709de3270ddb277841d4f96ee01eed3d6af4a052c72b0
SHA512 6a6b8261da031a6d1fe0255c22667b584fe751ce849bc4f14f1ecddb0cc323f8bc33d64337871c95f75bdff4cd9a0340c1faec1b23a1c19c436d39ecca063d83
-
Filesize 868B
MD5 2f206768b433c0ce26fb9e6fbabe484b
SHA1 2ff1ba92cb52463508510e00d782e186a4e7fcc2
SHA256 6d0115a78fdbda8c9faea2ccee1151514722f8f45e62f3bb1bc34af647f55da9
SHA512 397d3b0a378807e47ed4a2e3a0d12dea0ddd3f68cf16cd6365802bad285efe547bab83db5b675464db741995d308ca7e18674936561d33dadf70e9fb42147e72
-
Filesize 128KB
MD5 5beb396bfa9ad1806e4693634de865cf
SHA1 368ec38362475a3b6287e6f525d6068649942821
SHA256 547c57d5da7d806aadebacdbeb0a1e328d6962798ee50d7493b808003de744fc
SHA512 d9e435cad1cbc74632e4fe14934248972f4060482e5728d778395570f4fd84cd9e13850cd30ecebfa267785c27678f7791491f759a321b081b5b315a95d5983c
-
Filesize 16B
MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize 44KB
MD5 4f0ee1333f73190775ed0492553067dc
SHA1 df3cb0bb6f50ec2906e4dc873f6dd4559d4452a1
SHA256 a511c1928007af288d60f834785045da2ef16ef4d0a0f5c273c27dcbf7e41739
SHA512 083b373232becf1bcb373f635af65292ef8a431d6183a04e740219de4b868d8954898770efd7ec26689f6493c5bf854d7bdeb73a7caa6902e7545baa5226bf86
-
Filesize 11KB
MD5 9ca22182370fc53d7084798984ed533c
SHA1 d86ff5627be1a14ce9443503b63b55cf45ed9a8b
SHA256 5c5e100ed4ad6d38c9c63aedf0b2785622dd9222cdf00162c365463f6235d56c
SHA512 355d84370188769c9d529be9b746d89f99a1fa095efabf779065bd959834dc4f86d79e3cc667ab0401881cc686df8abe52b8c618d07f431ac6ecc1ec31706241
-
Filesize 322B
MD5 ddea5263a6452477e6b20d4e8da99ac0
SHA1 305b78c6510443fb08691f95b6b57ec39e760a34
SHA256 99cf2c6754bbbd738b63b3bdc045ffa545abd534b37810cd16e09bc0934a8215
SHA512 77fd4c6f56b7c3dc4625c6ed4ab85909e59c8a82855c0f2f38f05d4cd421dbd820686eacdabc45d939ba431508ca65be45481cd0ee6f69c7d2db6ba454103fed
-
Filesize 565B
MD5 6fb545ce54aa4bbe7f518acb75ad2b63
SHA1 16bc653eb2769c057a10f24767fb85eb4caa7ae6
SHA256 b7aa397ae1dd1a558a197c91ac7bc4a3909ecdcbfbbf690c1e6aa492d14311ee
SHA512 9b570e8239310a74c4f6e72b2e235e974b38de521d6b32dbbf2a5f80bb0413ce90ff52e6e484e716324e70ba4c8b7b923215441c94979d3710a8a485bae10f38
-
Filesize 340B
MD5 ab1f95a18bd1d246b1228cc3a00fdd4c
SHA1 d94a8ac58dbbd27c225eb279f1b9f2a99adecde9
SHA256 c3564e95aebf888e543c548721503aaba115c738cfceb40b0f38194724127599
SHA512 25e2921617f1f9e75c28a3bd080faba32257d6ec7cfa0a09e28cff9215ba1dc6ae11d8a9bfea04f95d0e4326f6fd185f7550b09737aa4dd369514dae4f59d30c
-
Filesize 44KB
MD5 e0cb0822af3b1f1200c480965ccdf7e6
SHA1 c74b68da4055f68acc9dc2d337a5c0ef8317154d
SHA256 ec371d6b26e76911c985873871474628021f491a3b13b3b632864ffa67e95247
SHA512 79e591042f3ff5eacebe317c55ad25fc7bcbd2f589c55b271ef8a3d9843dc497fbcccf60f98d3f01ceb03f28eda13f1d7f322a4fbc3b5c26c5966e5ac41b5b48
-
Filesize 44KB
MD5 bded76f0d682e868ae434b4966eab5d1
SHA1 9e34fc08f102d83aebc4803f12c836e7a90c0367
SHA256 41b7ccadf103962440bdcafc91021e22f5b750444e837c783d82286333ef8a4e
SHA512 ed4438a89dcdafdf7bb7d09018ed1b5cef20334c15aa68fb0c43ce0d68d6cb8e8f47d575f142256c3af40cdfc027076268eb371474864ed86a48e912b378a195
-
Filesize 264KB
MD5 0a40e2d33de4692813026102eac01dc3
SHA1 16802224827e408537edbe933c8de8ab4fb631df
SHA256 4e5aa6ea5c74b61b33754e9773d8eaba29218dbee338725424207d77cbfd225a
SHA512 9d2877eae8b3c482c1e5dfa276162d6108d3722177c162331c9fb215623d072a3674ec02ad89ac1d0daed15fc0103bbb515870a6f63a0b7d0c03ca8e0beb343f
-
Filesize 264KB
MD5 1bb24aec0b2ba7f9821706fa10fa8593
SHA1 6a1044b5b6b1e8869df7005a09e708b83b0c70db
SHA256 bc290c4a5bbed5286e2ce1f5fca5cfe4d4016be403d20b4aa959f725d15d197f
SHA512 e75dbe3cb7c97ba4ec55807ee0ba34a9649c1d8cee902b49f3527070e496ff574a92e9d2e7eaf1afbe82a3bed3667a7f65c60f424ca45f733383034885ad702a
-
Filesize 4.0MB
MD5 3351aadaa54fd8eca3c3905109e336e6
SHA1 59731a3d784298528a23dfa6a8844bc376636edb
SHA256 58e5e82fb3a1aacbd78018b6e24564a589574f5f2f74db309fea0e495070b77e
SHA512 22015f0afed4c6699ccef7ee7913f9e9f4d9a3010cba0f94368e23ec5db654c5a19102e437afe99d1e282b2cdc24e6116072e37f80583f7be258ec713dea7432
-
Filesize 11B
MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize 12KB
MD5 1454c90440d232d67302f3ff061ddebb
SHA1 ad859f94a86816fb6fd7fe603ac10ee93896a0b7
SHA256 5cfe38be825a226049478c6ae85a16cabf8a5c7b732e1260a6b59442717dfa38
SHA512 46c247bebdbddc12d129331f04e6e881aec5bc55aebf82b61433dda7ba1e5d6868e7aad13a1e460e1887ab904e604c09d2551955c2d52ecb10520f216eadcb1b
-
Filesize 11KB
MD5 ce793b8d7bbd86f1c2404427dcc9dfd8
SHA1 65473e0ae8ed5214ccebcc66cb882913faf58eb1
SHA256 e3af3b3ea77426d79d5c32b4fbc23f46608c3c5ca0959406df7d056f59e33182
SHA512 ff409b9dcdff40563defcee224ed3e9d0a51db00489ae8632d0b043a3a5c906c95fa4ca5cafe1a0edbdd50265bcbdaa0c05d81dfefeefa23294924a3679f3810
-
Filesize 11KB
MD5 7b94a269abbe1cf59ddad1eab69aea46
SHA1 e4a64fe5c4eb9075a948ab49851ca77916bd6b91
SHA256 18ea3ce3e12d76b033980e04afe4c751859d864aa6ef8d04cb5056ba9a8d8920
SHA512 29f0fa597d4c4b65dcfcd524c774283806b2db91f141b6b019796e2a689a04576d2bf9437f758555fea41f83f53c19797a70fd7e8c682c0a24e7215d5a710cf8
-
Filesize 11KB
MD5 0fb607a59dfed34fd4345ff260fde3d6
SHA1 9c84c811709033f17e6d19761f543483a12fe8e8
SHA256 3050f7f5d47d1adff941f1520adfd69b6e2e896192c5880317c83c83a2981c10
SHA512 9575663739f340ec65750d003e5ca860501cfdcd5e104377f7c9ac7390aded09f161be21feeddbf2467ab7781de57a796faf80efb154edd11d123eef54f1a1a4
-
Filesize 11KB
MD5 c41728e5a0203e72ca06b469ead1a2ec
SHA1 0bc8b753260b19edcd3ffe2d0e27bcce6e2132e2
SHA256 8e9f9593e77998cf32c0adf7b8a11e84f1ba442c1cb401568d37a3e18a97f4a1
SHA512 ccab2996f082c7d145dfb8c8f8fb9cd4adcea54450ba8314c84e059469a08a72096fb0197bdc323dc8e903f791076c8a260c1430b5bad88f9aa6eb1572b56f6a
-
Filesize 11KB
MD5 0656ced8a71464341093c86e13c3a0af
SHA1 32ee3f441a1bc312fed5b6eacf7a09ac4e8515f2
SHA256 b17aabca197fc94ea281da20ecc44f89bbc0229bc1630e69e598e6853ed95fe4
SHA512 b40382a0afd161c6a76922bb4cdeace2ddbf6716e2b130432dd47e42167a93566a78090d4d7fc862d61bafb7c76ddb1ac4f5ccaadc6b75775eb123061c78e445
-
Filesize 11KB
MD5 91ed9f28b3f1668a88faf6f08fea9282
SHA1 3ea823aadd90fabb31dd0a70823162134adad3ea
SHA256 536d9fe29b2cee3d73b10145cc5a693af2f88a11e3c52b0d966403ab6244f3e5
SHA512 f7ebda5b53bea0902cab86a578c1c449bccd43fcfc98573a03e4b8e92d577df9c5f25b1aae56184c331028da3086d76b3d66ce8594ebff5ef8bfea85e604288c
-
Filesize 264KB
MD5 5748a21b983862e597eef1665c5b2f2b
SHA1 70975d2e9131e50fb68c81191db0cb395df1b697
SHA256 ceab1ad0b13e21047a5653c2a2d448c3f2678d76497d3f84302611c9e161c9e6
SHA512 1e46126ddadba45ac461c94502ed477ce56939fa3f97ff50ceef91c4304d33150a70a832186b861a611d86e1392965ef3d01251b0c69903ce3e4bff1549ce196
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize 4KB
MD5 de095dfda1b5bfaaaf50d751b3d37dac
SHA1 7e95ca8d216d00cf028533a1ee390c7a26a37986
SHA256 19eca2369f8cc61a54f1f285682bf544b2e18aab2ccf7a6b325890ecc54a2b87
SHA512 462f4440043961d39df805d1cbebaa6792a162ad93206333bbb18a8b7654c48f2072d286a73a244d8d95d414798c80d2cb063e2df3518f572d1ee5deec71352b
-
Filesize 112KB
MD5 2f1a50031dcf5c87d92e8b2491fdcea6
SHA1 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA256 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA512 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8
-
Filesize 1.2MB
MD5 8ef41798df108ce9bd41382c9721b1c9
SHA1 1e6227635a12039f4d380531b032bf773f0e6de0
SHA256 bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA512 4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
-
Filesize 1.9MB
MD5 bcc0fe2b28edd2da651388f84599059b
SHA1 44d7756708aafa08730ca9dbdc01091790940a4f
SHA256 c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA512 3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
Filesize 361KB
MD5 e3143e8c70427a56dac73a808cba0c79
SHA1 63556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256 b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA512 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
Filesize 9.3MB
MD5 540a501c683c91729e712fe83cf4e92f
SHA1 d426473f486cd7b46ec8d3bae4a3f9b42f780f89
SHA256 567ac8995973807a1288847d357dd8014118f07194a4db64cccaeab5871d54e1
SHA512 25aa06429cc1272c1932e543d41563905964ef2b7dad9e6b0a13aee8c6fff5a4a9e9f4ba023435d265ddb36cdfebaca8efadfd8e9a3918747e29a2764e09a2a6
-
Filesize 183B
MD5 66f09a3993dcae94acfe39d45b553f58
SHA1 9d09f8e22d464f7021d7f713269b8169aed98682
SHA256 7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512 c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
-
Filesize 187B
MD5 15c8c4ba1aa574c0c00fd45bb9cce1ab
SHA1 0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8
SHA256 f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15
SHA512 52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
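The Downloads list above is what usually gets turned into blocklist entries, so it pays to parse it with its quirks in mind: label and value are fused on one line (MD5 followed directly by the hex) or split across two, most entries carry no path, several files are only 1 to 16 bytes long, and the last entry is the hash of an empty file (d41d8cd9… / e3b0c442…), which matches countless legitimate files. The Python below is an added example, not the report's own tooling: it parses a constructed excerpt in the same layout (values copied from the list above, one entry duplicated to exercise de-duplication), checks each hash against its expected hex length, converts the human-readable sizes to bytes, and drops duplicates and entries that cannot discriminate: the empty file, and anything below an assumed 64-byte floor, which is this example's own threshold.

```python
"""Turn a sandbox report's 'Downloads' hash list into usable IOC records.

Added example, not the report's own tooling. Layout handled (as on this page):
'-' starts an entry; optional path line; 'Filesize<size>' or 'Filesize' with the
size on the next line; 'MD5<hex>' etc. fused, or a bare label with the value on
the next line.
"""
import hashlib
import re
from typing import Dict, List, Optional

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")
SIZE_RE = re.compile(r"^([\d.]+)\s*(B|KB|MB|GB)$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
MIN_IOC_BYTES = 64                          # assumption: smaller files are too generic to block on
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Constructed excerpt in the report's layout; hash values copied from the list above.
SAMPLE = r"""
-
Filesize
152B
MD56ee77096f3c34224bc57bbc11a3614ab
SHA13701a682043057b377c48d4f3a98370890a9bb5b
SHA25679308edbfb7a247b7591abeec2182aac1affcd6bb0ef1a12d11f563490e9ccb2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8cd055a2-2c5d-4957-98a2-fcbc3888b990.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
-
Filesize
44KB
MD5166d2add01f59fbe6ba00a274b747460
SHA1f05c489326d61792122d78f5a6f5c014aa1d92be
SHA256f1a17511a34804adad3ae9c3c724ff1577579365ce26eafdde7dca789d955dc9
-
Filesize
152B
MD56ee77096f3c34224bc57bbc11a3614ab
SHA13701a682043057b377c48d4f3a98370890a9bb5b
SHA25679308edbfb7a247b7591abeec2182aac1affcd6bb0ef1a12d11f563490e9ccb2
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""


def split_label(line: str):
    """Split a fused 'LABELvalue' line into (label, value); value is None if it follows on the next line."""
    if line.startswith("Filesize"):
        return "Filesize", line[len("Filesize"):].strip() or None
    for label, n in HASH_LEN.items():
        if line.startswith(label):
            rest = line[len(label):].strip().lower()
            if rest == "":
                return label, None
            if len(rest) == n and HEX.match(rest):   # length check disambiguates SHA1 vs SHA256 prefixes
                return label, rest
    return None


def size_bytes(text: str) -> Optional[int]:
    m = SIZE_RE.match(text)
    return int(float(m.group(1)) * UNIT[m.group(2)]) if m else None


def parse_downloads(text: str) -> List[Dict[str, str]]:
    entries: List[Dict[str, str]] = []
    cur: Optional[Dict[str, str]] = None
    pending: Optional[str] = None                 # label whose value is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur:
                entries.append(cur)
            cur, pending = {}, None
            continue
        if cur is None:
            continue
        if pending:
            cur[pending] = line if pending == "Filesize" else line.lower()
            pending = None
            continue
        split = split_label(line)
        if split:
            label, value = split
            if value is None:
                pending = label
            else:
                cur[label] = value
        elif re.match(r"^[A-Za-z]:\\", line):
            cur["path"] = line
    if cur:
        entries.append(cur)
    return entries


def usable_iocs(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep well-formed, de-duplicated entries that can actually discriminate."""
    seen, out = set(), []
    for e in entries:
        malformed = [k for k, n in HASH_LEN.items()
                     if k in e and not (len(e[k]) == n and HEX.match(e[k]))]
        if malformed or "SHA256" not in e:
            continue
        if e["SHA256"] == EMPTY_SHA256:           # empty file: would match everywhere
            continue
        size = size_bytes(e["Filesize"]) if "Filesize" in e else None
        if size is not None and size < MIN_IOC_BYTES:
            continue
        if e["SHA256"] in seen:                   # same artifact listed twice
            continue
        seen.add(e["SHA256"])
        out.append(e)
    return out


if __name__ == "__main__":
    for ioc in usable_iocs(parse_downloads(SAMPLE)):
        print(ioc.get("Filesize", "?"), ioc["SHA256"], ioc.get("path", ""))
```

Keying de-duplication and the empty-file check on SHA-256 rather than MD5 is deliberate: MD5 is kept only because the report lists it, and a blocklist that can be fed the weaker digest should still be built from the collision-resistant one.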