Analysis
max time kernel: 155s
max time network: 157s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02-10-2024 23:57
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://hatching.io/blog/tt-2024-09-26/
Resource: win11-20240802-en
Errors
General
Target: https://hatching.io/blog/tt-2024-09-26/
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: wscript.exe
- wscript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\MicrosoftWindowsServicesEtc\\xRunReg.vbs\""
Processes: wscript.exe, wscript.exe
- wscript.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- wscript.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Disables RegEdit via registry modification 1 IoCs
Processes: wscript.exe
- wscript.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1"
Disables Task Manager via registry modification
Downloads MZ/PE file
Possible privilege escalation attempt 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
- PID 2224 takeown.exe
- PID 2128 icacls.exe
- PID 2424 takeown.exe
- PID 1904 icacls.exe
Executes dropped EXE 6 IoCs
Processes: MrsMajor3.0.exe, eulascr.exe, MrsMajor2.0.exe, eula32.exe, GetReady.exe, notmuch.exe
- PID 3008 MrsMajor3.0.exe
- PID 4872 eulascr.exe
- PID 3188 MrsMajor2.0.exe
- PID 3948 eula32.exe
- PID 3604 GetReady.exe
- PID 4912 notmuch.exe
Loads dropped DLL 1 IoCs
Processes: eulascr.exe
- PID 4872 eulascr.exe
Modifies file permissions 1 TTPs 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
- PID 2224 takeown.exe
- PID 2128 icacls.exe
- PID 2424 takeown.exe
- PID 1904 icacls.exe
Modifies system executable filetype association 2 TTPs 2 IoCs
Processes: wscript.exe
- wscript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"
- wscript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Resources (yara_rule):
- behavioral1/files/0x000400000000f44e-707.dat: agile_net
- behavioral1/memory/4872-709-0x0000000000360000-0x000000000038A000-memory.dmp: agile_net
Adds Run key to start application 2 TTPs 1 IoCs
Processes: wscript.exe
- wscript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\MajorX = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xRun.vbs\""
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Drops file in System32 directory 2 IoCs
Processes: cmd.exe
- cmd.exe: File opened for modification C:\Windows\System32\taskmgr.exe
- cmd.exe: File opened for modification C:\Windows\System32\sethc.exe
Drops file in Program Files directory 37 IoCs
Processes: wscript.exe
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\data\fileico.ico
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\data\runner32s.exe
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\majordared.exe
- wscript.exe: File opened for modification C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\Major.exe
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\majorsod.exe
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\weird\WinScrew.bat
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\data\eula32.exe
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\DgzRun.vbs
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\GetReady.exe
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\weird\RuntimeChecker.vbs
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\bsod.exe
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\data\thetruth.jpg
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\healgen.vbs
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\weird\majorlist.bat
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\AppKill.bat
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\fexec.vbs
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\NotMuch.exe
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\RuntimeChecker.exe
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\xRunReg.vbs
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\weird\runner32s.vbs
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\WinScrew.exe
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\CallFunc.vbs
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\clingclang.wav
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\rsod.exe
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\weird\bsod.bat
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\weird\Major.vbs
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\breakrule.exe
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\checker.bat
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\weird\cmd.vbs
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\weird\GetReady.bat
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\xRun.vbs
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\data\excursor.ani
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\example.txt
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\majorlist.exe
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\weird\breakrule.vbs
- wscript.exe: File created C:\program files\MicrosoftWindowsServicesEtc\weird\majorsod.vbs
Drops file in Windows directory 4 IoCs
Processes: setup.exe, chrome.exe, setup.exe
- setup.exe: File opened for modification C:\Windows\SystemTemp\Crashpad\settings.dat
- chrome.exe: File opened for modification C:\Windows\SystemTemp
- setup.exe: File opened for modification C:\Windows\SystemTemp
- setup.exe: File opened for modification C:\Windows\SystemTemp\Crashpad\metadata
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
Processes: chrome.exe, chrome.exe
- chrome.exe: File opened for modification C:\Users\Admin\Downloads\MrsMajor2.0.exe:Zone.Identifier
- chrome.exe: File opened for modification C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: MrsMajor2.0.exe, eula32.exe, GetReady.exe, notmuch.exe
- MrsMajor2.0.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- eula32.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- GetReady.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- notmuch.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Enumerates system info in registry 2 TTPs 6 IoCs
Processes: msedge.exe, chrome.exe
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- chrome.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- chrome.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Modifies Control Panel 4 IoCs
Processes: wscript.exe
- wscript.exe: Key created \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Cursors
- wscript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"
- wscript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"
- wscript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\excursor.ani"
Modifies data under HKEY_USERS 17 IoCs
Processes: LogonUI.exe, chrome.exe
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- LogonUI.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
- LogonUI.exe: Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- chrome.exe: Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
- chrome.exe: Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133723870807143166"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"
- LogonUI.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "135"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- LogonUI.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"
- LogonUI.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"
Modifies registry class 13 IoCs
Processes: wscript.exe
- wscript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon
- wscript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file
- wscript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon
- wscript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile
- wscript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"
- wscript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon
- wscript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile
- wscript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"
- wscript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon
- wscript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"
- wscript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon
- wscript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"
- wscript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\MicrosoftWindowsServicesEtc\\data\\fileico.ico"
NTFS ADS 2 IoCs
Processes: chrome.exe, chrome.exe
- chrome.exe: File opened for modification C:\Users\Admin\Downloads\MrsMajor3.0.exe:Zone.Identifier
- chrome.exe: File opened for modification C:\Users\Admin\Downloads\MrsMajor2.0.exe:Zone.Identifier
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, chrome.exe
- PID 3840 msedge.exe
- PID 1700 msedge.exe
- PID 4804 identity_helper.exe
- PID 4328 msedge.exe
- PID 5000 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
Processes: msedge.exe, chrome.exe
- PID 1700 msedge.exe
- PID 5000 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: chrome.exe
- PID 5000 chrome.exe: Token: SeShutdownPrivilege
- PID 5000 chrome.exe: Token: SeCreatePagefilePrivilege
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: msedge.exe, chrome.exe
- PID 1700 msedge.exe
- PID 5000 chrome.exe
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe, chrome.exe
- PID 1700 msedge.exe
- PID 5000 chrome.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: MrsMajor3.0.exe, PickerHost.exe, LogonUI.exe
- PID 3008 MrsMajor3.0.exe
- PID 2256 PickerHost.exe
- PID 1732 LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
- PID 1700 msedge.exe wrote to memory of PID 240 (procid_target 78)
- PID 1700 msedge.exe wrote to memory of PID 4928 (procid_target 79)
- PID 1700 msedge.exe wrote to memory of PID 3840 (procid_target 80)
- PID 1700 msedge.exe wrote to memory of PID 2428 (procid_target 81)
System policy modification 1 TTPs 4 IoCs
Processes: wscript.exe, wscript.exe
- wscript.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
- wscript.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- wscript.exe: Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
- wscript.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hatching.io/blog/tt-2024-09-26/
  PID: 1700
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff96ee13cb8,0x7ff96ee13cc8,0x7ff96ee13cd8
    PID: 240
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
    PID: 4928
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    PID: 3840
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
    PID: 2428
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    PID: 2092
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    PID: 3504
  - "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
    PID: 4804
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
    PID: 4328
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
    PID: 3912
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
    PID: 2712
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
    PID: 2184
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    PID: 5056
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
    PID: 4584
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    PID: 336
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    PID: 704
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
    PID: 2424
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,12775261819341384754,7177260781423982693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
    PID: 1428
- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3412
- C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1288
- "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 5000
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ff96e6fcc40,0x7ff96e6fcc4c,0x7ff96e6fcc58
    PID: 1704
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1980 /prefetch:2
    PID: 3148
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1856,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2100 /prefetch:3
    PID: 4004
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2228 /prefetch:8
    PID: 4300
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3164 /prefetch:12⤵PID:4228
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3368,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3384 /prefetch:12⤵PID:3412
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3572,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3540 /prefetch:82⤵PID:3016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4596,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4588 /prefetch:12⤵PID:2580
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4732 /prefetch:82⤵PID:2972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4752 /prefetch:82⤵PID:4568
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4992 /prefetch:82⤵PID:4840
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5148 /prefetch:82⤵PID:2052
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4800,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4768 /prefetch:82⤵PID:1168
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level2⤵
- Drops file in Windows directory
PID:3124 -
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff75e2d4698,0x7ff75e2d46a4,0x7ff75e2d46b03⤵
- Drops file in Windows directory
PID:4340
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5276,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4288 /prefetch:12⤵PID:3000
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4772,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5060 /prefetch:12⤵PID:3304
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5112,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5020 /prefetch:82⤵PID:1096
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3296,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4964 /prefetch:82⤵PID:4124
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5052,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3304 /prefetch:82⤵PID:5040
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5096,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3484 /prefetch:82⤵PID:3464
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4852,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4784 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:1832
-
-
C:\Users\Admin\Downloads\MrsMajor3.0.exe (level 2, PID 3008)
Command line: "C:\Users\Admin\Downloads\MrsMajor3.0.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
    C:\Windows\system32\wscript.exe (level 3, PID 772)
    Command line: "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\1BFA.tmp\1BFB.tmp\1BFC.vbs //Nologo
    - UAC bypass
    - System policy modification
        C:\Users\Admin\AppData\Local\Temp\1BFA.tmp\eulascr.exe (level 4, PID 4872)
        Command line: "C:\Users\Admin\AppData\Local\Temp\1BFA.tmp\eulascr.exe"
        - Executes dropped EXE
        - Loads dropped DLL
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5444,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3436 /prefetch:82⤵PID:1488
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5336,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3380 /prefetch:82⤵PID:3156
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5440,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3092 /prefetch:82⤵PID:2028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5500,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5948 /prefetch:82⤵PID:1088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3412,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6084 /prefetch:82⤵PID:4248
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4568,i,14190577833664041656,1553399571629467500,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3328 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:5012
-
-
C:\Users\Admin\Downloads\MrsMajor2.0.exe (level 2, PID 3188)
Command line: "C:\Users\Admin\Downloads\MrsMajor2.0.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
    C:\Windows\system32\wscript.exe (level 3, PID 2124)
    Command line: "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\AEB5.tmp\AEC5.vbs
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies Control Panel
    - Modifies registry class
    - System policy modification
        C:\Windows\System32\cmd.exe (level 4, PID 2636)
        Command line: "C:\Windows\System32\cmd.exe" /c cd\&cd "C:\Users\Admin\AppData\Local\Temp" & eula32.exe
            C:\Users\Admin\AppData\Local\Temp\eula32.exe (level 5, PID 3948)
            Command line: eula32.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
        C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe (level 4, PID 3604)
        Command line: "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
            C:\Windows\system32\cmd.exe (level 5, PID 1388)
            Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\EF48.bat "C:\Program Files\MicrosoftWindowsServicesEtc\GetReady.exe""
            - Drops file in System32 directory
                C:\Windows\System32\takeown.exe (level 6, PID 2224)
                Command line: takeown /f taskmgr.exe
                - Possible privilege escalation attempt
                - Modifies file permissions
                C:\Windows\System32\icacls.exe (level 6, PID 2128)
                Command line: icacls taskmgr.exe /granted "Admin":F
                - Possible privilege escalation attempt
                - Modifies file permissions
                C:\Windows\System32\takeown.exe (level 6, PID 2424)
                Command line: takeown /f sethc.exe
                - Possible privilege escalation attempt
                - Modifies file permissions
                C:\Windows\System32\icacls.exe (level 6, PID 1904)
                Command line: icacls sethc.exe /granted "Admin":F
                - Possible privilege escalation attempt
                - Modifies file permissions
        C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe (level 4, PID 4912)
        Command line: "C:\Program Files\MicrosoftWindowsServicesEtc\notmuch.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        C:\Windows\System32\shutdown.exe (level 4, PID 4988)
        Command line: "C:\Windows\System32\shutdown.exe" -r -t 5
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:1388
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:3724
-
C:\Windows\System32\PickerHost.exeC:\Windows\System32\PickerHost.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:2256
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a3c855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1732
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- File and Directory Permissions Modification (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (5)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
Downloads
-
Filesize
520B
MD5d7bdecbddac6262e516e22a4d6f24f0b
SHA11a633ee43641fa78fbe959d13fa18654fd4a90be
SHA256db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9
SHA5121e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1
-
Filesize
52KB
MD557f3795953dafa8b5e2b24ba5bfad87f
SHA147719bd600e7527c355dbdb053e3936379d1b405
SHA2565319958efc38ea81f61854eb9f6c8aee32394d4389e52fe5c1f7f7ef6b261725
SHA512172006e8deed2766e7fa71e34182b5539309ec8c2ac5f63285724ef8f59864e1159c618c0914eb05692df721794eb4726757b2ccf576f0c78a6567d807cbfb98
-
Filesize
649B
MD5e5f1a524896adbcec8f5fb29fdd713d8
SHA1e82572f4376de94832f327cbde1f19f821936668
SHA256e83e9ccce61b26dc1c2a3e82fba2dc630a345f67677741f42532b4dd9c913d4f
SHA5122dedebc53b9140aef318820ce79a974cf7204a21e8c043acac3000c8edcf6aa6b4fc12518d7e804e011f4d1c85282ee893dbd0971c0529bb591e5c43ce7676b5
-
Filesize
2KB
MD57a2536f14df251c25dba28cbe1ca331c
SHA1677a10a066b3daadd0e5460e1fcdc4ec63dd5f3a
SHA25688634f691efd7d3d8fa6a0785a1302033e95c116ea6db68707b05464ae290086
SHA512c8ff8df8a72e9f8b2693074b9c11b1066dc7a070a43e38aab58cf0cfd0b8029e7f88ebd020115421a6b01d4d4a2ea6d0f03116db98e3800b258de885942568b8
-
Filesize
4KB
MD5a37c536d585482e7c961dfaef57c44c5
SHA127ba8d7e6465e5b8794ef31eeff2eec5b732f9a0
SHA256114cdfc20f3fa49c8cbe208b492c4473c0e1ec7e29f9e58018119108859c4386
SHA5125c82ce3925013fd13b50b059fda9835871b4683c389640a3a52928154f13ac0b4497bf4db2de19be6222a3df4ed243be568329106c5a1964f2fd3011c49d247e
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD5e9fe46b09249c50ee16a0985c8ba9be4
SHA12e888e2d6e5f9c456399b354f0660ee472abbff6
SHA2568c96584a71008024d7e1c15e90e038a41ab18a5324f772afd1ae12a8528b9dba
SHA51286a1cefd12cbf43bed4021e061c85a0e64c18e2e7f56a574ab7b44757f58f8af190c4809b68a6b6ca81140ada6293800300d62fb1ff19a3434fdefe2026537c4
-
Filesize
356B
MD5e702ff7ffe1b2603382bcdc4668b1f94
SHA169534ccf9da0d92193ea51fa0d7eff16fb497916
SHA2562ac70651188ac2be754c5b4f7686774354c159759093428ab97c64aafbbfaf6b
SHA5128e43f4d587bffaa74bbbe7773959c604c0f92eafe7d292eb0639105ad5234a3d62347017c1003259ad4822bc48d8023558a9af6417e92d7d32b15dff7edf3362
-
Filesize
1KB
MD56e315c068d9a335f2006ca68911b966b
SHA160ab7a20aefff85d0e15eefb56a9d5d732dac57b
SHA256d6be4e00734668d8eace73fe41da96c91d7e5bcd73ae7b7dcce01ae11a69d662
SHA51227b6265678017e18475d113914cb71703af9023e0988f920950b77f393e348e8565c72cbe8f5de1e768059cb2a860564a7864e60fdc8fe488a5e5429343c256a
-
Filesize
1KB
MD5803832d934aafa7b751fa78db694b049
SHA18a77d900f8cdd43552fc31c555cebb612679e354
SHA256bd787c69a5cfe2d53b3e2bccb2104a0d0fa820b20258afa617ed2d4d986ea544
SHA512dbf4e69f49b0dd8985227a44ce363bcef340746ffda202e807a081bb5e69499af229c2f978ff39c5d2e9f033c1ffd9b297a7d1bf008733580cf26c93b8e84938
-
Filesize
1KB
MD5526d15afa08549db4c0ec60eabf8517e
SHA1d75ec33c3889c3f78865b3faf3f43363f7885783
SHA2560828af46fe677f957617370e444abcdff27063ae70537f743f903a71425b06e2
SHA5124e5a87676bdbe816502ee149c4dde3f063145562f875d7ef45b53585efa9d8eb0f3c5929feabc0e88b21709392ced8f383a4b9125688ab199594046cc5d915f6
-
Filesize
10KB
MD54962f31df647453ce710baffb093712f
SHA1c19d1571383282d02210910c0511b884a7555ccd
SHA2568019a68746d33e7ae69d712679ed23e4964a510933c69db6472eb975255067ce
SHA512b2a49cbf3152aaf817653ce0ce5c92d5e8de3ededa536dccef3e4bad92efa2960ea4859d1ef1e4d048dbcb4fa7d509b96cb9ecca1c98d18657cfea2a71be64a9
-
Filesize
10KB
MD52dd6471e0b47188a03341f7fd7d3772a
SHA1b93ed5398c51073f8becb66b7b705849c2e5b4a8
SHA256337a1001e8465ef8cf1bcb9bc259f709d51e8b62326a9242cd26ca0280b8d2ed
SHA512fe96af14bf0c5786dead7e62a715c2415558895fe41a1a128837c947527fadc56693e20e5dbcd3e147c8321ac11b0af87bda1d8ead4a850dc282be93da67f9ef
-
Filesize
10KB
MD5bcb74b15ebcebb25485ca6ca71c363ec
SHA13ab3c2ac58b8b65026ac62aa40ac19c72e45ece7
SHA25677feb06b6e8d6b26b835ca0f7625508365e155b59f6156680fd435063fbc6cbf
SHA51292289713cdcc84290d9f98b3148825ddc9e47a48e1d6373ac9994ad489e1d0c6b0abf77f557a3ae6df73ae5a6e694fb7c622c328a606ab747f71cae54c881bc2
-
Filesize
9KB
MD599c32f0ffd5bc5e7db3951c4f1ea377e
SHA19247ee3398b975195d6473fd38799e23f81805f0
SHA256d6b568fe37ba4e9d4a3da2af8385f64a1c4cef971d2f746a56b73ffeb47dc372
SHA51249e8a46add3c585778c2be5844ab1a6fb263671156bd8e5b7282772b192a828accf8f609899130ec29471bef1da9b642934af1b87d3c2fc0fa4e818f7c6ef02a
-
Filesize
10KB
MD58990be3b811a7ac385d5f085089cd18c
SHA1edf140bf7ac92c3c606332aa9eb89648fa2a8fe3
SHA256449f4bf71723395996196d104f692307f4ec03aaf2f25ed727a7488c3e8e244d
SHA51232d74b40b922f336b8aea0e604809b25ea0faf72f93b51ce65bedc7756ed9c02b60f3ed1910dbb7e0b418c66a2bdbdcb59f871cedcbbaaefb2eb42bee9fec4d3
-
Filesize
10KB
MD5d765b2345679577e93f81a1299ec2499
SHA150864a2d37453e709c0f823858dbdbe9921d7682
SHA25651d1795ff3a921042c57d8565964835a37a42ff2c2d5caf591fbd1df4166eacd
SHA5127fca3aa0305533f53b788397f9ce6a16024fd5c1274d922ba7af1a7b7425ff51d8279af46873fac74494315db205794dfdd51d7355295e66480772c4fe2c6f15
-
Filesize
10KB
MD5f37b6ddc5a5b4ec64954578ce38a81cf
SHA1420aa82dd45cdeed9d216d593e36bc331f4794a7
SHA256bb2e512dafc68c8ee083eb10c91490e2170517180a56b7eb6de91524d041c827
SHA5128c328246a6346b41f62bfa3706afbf6d029a84c26d11f0c97457d9e8ad646db6ec87ac93369464831e9bde4879e9d35789989f4bd8f238f6b8304f1b7462af2f
-
Filesize
10KB
MD5b458979d67d39327942b057d5ff2505c
SHA17b6e7184d92514ea953deb2a6daea6f6684eec16
SHA2560713678dc8bfbd1bfc97c46e14568161326a5d20931e6a9531a7415d27fcf344
SHA512fa11e694321af5ff9e25dd890072c38d5ba5c331cf51a691a5e6141120fbbb06ab4b599ffd3b73c17f638a4b2baba2e5da973d3658cda38bcdf87f70db0eff71
-
Filesize
10KB
MD5b865d5f87ff8990e7bfb6dadb3a3b77e
SHA1a8ef95109f8fce2e30fd757a26bfc25935370eaa
SHA256d0b807f51d2a17c40f16d96a991bb5923dc272dd1455296a36af7dca4879063c
SHA512efe130222d8eda315838dadc97db068b38cd2fd0ae21f0e0328273ad8cbfecd82beec1c56901705ee32ddfb590d002f1e6a74e1058682ab65a534801b6f847fd
-
Filesize
13KB
MD5b186e1e1dd38755ce0c3cb18f2327df8
SHA1394bb9e5d38ff0a1ecc8eaed062c4e7343e8a910
SHA256eb69dfb6966da0c0e5baaca4b70921c4d78e47e570448d40b1250085b08b309c
SHA5126b70838668a1c0f75ff075719f6fba1d8f7c468873cfd2ee8fea05e8d6a9d7509ff5e5059722f6435e74f039a5cc9ff3ae89fcdb0f5d70aceee29c924650ec53
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\38d7c342-2c47-4f7b-afb4-8d56377d73ec\0
Filesize
20.6MB
MD52637afbedab09115d71d70172f8dc64e
SHA1891075f5b066edb1fbb5b1ae2057c2e8801f2757
SHA256f9794a7dae9e8cf5eca1cfa47c8b313443c6a57d5b60735e53d91f61c9e8f92f
SHA512c1da5b2e41bb2385aa7119523b9f5286689d8dac53bb400249ab12647efab372818cc5ee8832d6051e19ac5ed25e38101c3dcfa869f02465686f1b47fe0428d0
-
Filesize
213KB
MD5b58eb970fe8118300627ef6bc8a4e8b2
SHA14f0f1d573989228cd5a34b49246b7b212176c2ab
SHA256801cd2cd348593daa9806da60cc98c25f82935f6f3c989bbee6fa437602d9e9f
SHA512e78241f86de127eabed9ca4734646024435df9507811c861cb1a4ded2963a28fc5e4cc4cae7d3032c9f2ff44553667170e907138face58ba6790d468a061c9e8
-
Filesize
213KB
MD57d11ef17c2ff6f51f687792c8ef8a716
SHA142767d9cb11600b1f4b1570887ea2a5b18850c2a
SHA256061f6e06a283d6237cbb3b74578ff4697b2edf6be1937836dd9341624c368d4e
SHA51217104c4e9e325aff4029496cc0a29aa24a5cc5dc925ca19203cd6f283be7ee42dd7bff5325c3b86b01d9ce2ac99ec3214af136a39b86786bdb784f418bcffd0d
-
Filesize
101KB
MD5a83bae0b547c26ead34b2c33281957f7
SHA1e5d185579cba8dadceef4f9e97e62698b8c37a41
SHA256b05537b4195f43a169c3566923b61f7b60f11b7725ab97db2eb3d51831468e79
SHA5123913466c4260c19a12b881704869713407ea3b9824d3a165513c0827fdbc638eb2d683f581bf958c76a94b123faee18ff988dc5d5c84adaeba08021e38016a5d
-
Filesize
213KB
MD58b9dae91e2c174a98efd0d2c0f57275b
SHA1812d8185777c3527879901226708847f2fc4f798
SHA256aa4de02885afee89a9e8cb759adc1e447736baeba68d5409986e5e2cca744f01
SHA512e6e32105d981a30f5b2d2cae17866ef394f8965d5e7f43dc647b126ac59442c9fe1a89b6534e6d3692f6aa9246f9a6e3e975475809cac1bc5dd67de3f5cdc646
-
Filesize
242KB
MD59db084c887b15089c652ce71b64852d2
SHA13e08c600ace640cc58b70cef5433aa6d58c2a443
SHA2561f557a54303bdd3ec0e05aa4cae4fc38a477e1beeae349f5c316c55c6693bcad
SHA51264db88497bddc714d0b95d365fa38706e1bad4fee10e5782e0e57cb288dc98236da1e53e0afbfc1e69a59ac5c34cafbed1b95f5e4ae473c4d787ebf8e3c454d8
-
Filesize
213KB
MD573d5a1a28888660c2112ae50e010f592
SHA12049b079daef17f0a6cade554a1e9f6f4860e8b1
SHA25634ff2041ab95f5e0c70809e7baad3857692412443f87e85269f967d8184b5947
SHA512087a8ed537bfddfc3b17f1edd00b3b8bd64dc1529d5583e32d29cae03a5ffeac63acf73db054af28eb0b3c4a6d3000444acfcc738a15a5cb01eb46576b44656c
-
Filesize
152B
MD54c3889d3f0d2246f800c495aec7c3f7c
SHA1dd38e6bf74617bfcf9d6cceff2f746a094114220
SHA2560a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4
SHA5122d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37
-
Filesize
152B
MD5c4a10f6df4922438ca68ada540730100
SHA14c7bfbe3e2358a28bf5b024c4be485fa6773629e
SHA256f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02
SHA512b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB
MD5bd53acf7aa478b7ecda3b4e0e3b5a6ee
SHA1baa6d49b6908517655e3d8c5c3171aa94b3ebdee
SHA256f7813886e18a6b0cde047e36e22ba75685109552f815bf77b0789dd001a893e1
SHA512e7f1a229764414c11b60a55aa61824d871c205cb606528d33c8298f9d0615239070f539e602bbfaca16aca31b076102b677497856be614ce7571a02fcaa8f560
-
Filesize
1KB
MD5acd910c083c818688d6a49e0f87d112e
SHA1f9129ab58fd7c02c85c4e224f90f639a94736340
SHA2566442d371023a7d0f50495d7a953a3f0cc33765c5c1757bf91aa05ef07bb78904
SHA5123e636416417eabf3fdc8a11528e5732454990a17e66b0f2f3dec695cd5d5734a783b6e7036f6b13e69a4630eeb4dc53a958c480f78ac733280b9615fe748685d
-
Filesize
6KB
MD5b7413142b2fb4b489d1a64895a5ca247
SHA169f497f5b3a186c6c9a664fa2bfc3c093e87244d
SHA256715f40c3a9533cddc5e111b9df6e6d10ccdd1a13e0cad01656f002f7475d088a
SHA512be0f00faa6d4d2c753b247b82c80e397cb9cd61f51224b60e392571b2c7f8d7f2de0cacfe5e4ff81a83ab8b889de9352a429d3638dfb43265c9602efc3302649
-
Filesize
5KB
MD5357d14a6553f973f96ee72fb98a1e7e3
SHA17d26cc2e51978ce5d8f06a767b99037aadb99176
SHA25684825b4164775b261d6e4bdb2d1415d9aa9ab3849490943d79ed42a69f0f9998
SHA51247d2f9aed73515b94a8b3f94c338321bb18a33a446cb4b4caa1bd6b9825c5c3022217b06e01c916463567157dde81a5143a2b7e5100df5966afe8c69f4c34b84
-
Filesize
6KB
MD589e598b5260f9f173e98743340cd69d6
SHA1349119897f0d317c83ae377b54f10048c1be3f7d
SHA25689837358b3651f0c02b4521cc1755ed76c4b8edb1709883ff47cfb85821f5342
SHA5126d86a6a21dc2dbc050ddf19cd46e6c1346013ef4a44028645ae9fed1e0bb169081c17c004a6a0df264f7061bbcac2c303bdbd8703d618daffc595b9b10115529
-
Filesize
1KB
MD59393f6ef2858506f75bcf92cec4f446d
SHA146f73698f3d5d52868ffa932ac85015d95826b6a
SHA256755fdf53fc67287ecc7e59bb845bfef85b63337117b258a51b0d4493b37e2f59
SHA5129cc5d9107d5a6cfe2035f3c456c3ae881beb93369478611762d9765ba0e140fadba05a1db08d35e3a26378a461450bf4915089745acb82bf1ddd72f60b1e23c1
-
Filesize
872B
MD5e08c802f2beea71fb648c8ddc4ff27b4
SHA1517cf6a82094de7ff88e57cb5af713cc01aaefd5
SHA256580635f82ed8ed827176e7c8c4854349247bff5930da86d3f10c4d7a25b05a42
SHA51228a0edcf80bea87ee370f642f0ec7dcd983a00bd1f2c8926dd6f940502e9ed7b3f6e18c80419e1fb38d2afc306e6ee6f9b5a339652e3c97bbf9c2d6950e799a7
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD570b4aa35fe9a42aa9d5a43eb3b2e15b2
SHA16b970a4ed3555656964257d4c31282b1fc1f16e6
SHA2564618a0e6967a06e61311c6b36ae95bc9f2969fdd4e8248d525db677587135ccf
SHA512ab28e1ec5ba5cdd9d779c7ea77cf8bb4cd6281bc587fa5d7fb5ed669cfcb6657aee730dc41a47a9e8d061e534d1f4d7acb6042faa32551c3ee8d4e2a7277c8d1
-
Filesize
10KB
MD55ca29acfb704b70e940fbf8ce416eb5c
SHA110b916bf7dc5f2f35cba145c5604379c20fb966f
SHA25674206bfec90b51896e336bbf092e9376dcb4a4622f88ba14eb0fccfcf178dd60
SHA512b39e6b4836c7b82f085b9e41c84ef09b116ce36144e63908e53eb9cdc602be277c6ea2cce7a5b72814ae27dd28f0da5db2294d4fa6340ed6997fd9fca569219f
-
Filesize
352B
MD53b8696ecbb737aad2a763c4eaf62c247
SHA14a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
SHA256ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
SHA512713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb
-
Filesize
143KB
MD58b1c352450e480d9320fce5e6f2c8713
SHA1d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
SHA2562c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e