Malware Analysis Report

2025-03-15 04:24

Sample ID: 241025-3a44wawdme
Target: u is cooked.bat
SHA256: 1d2a32632d110052d6161d41d4df822f7fea963a62137afb957b6023f22d8121
Tags: discovery evasion spyware stealer
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 1d2a32632d110052d6161d41d4df822f7fea963a62137afb957b6023f22d8121

Threat Level: Likely malicious

The file u is cooked.bat was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion spyware stealer

Sets file to hidden

Checks computer location settings

Reads user/profile data of web browsers

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Modifies Internet Explorer start page

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Modifies registry class

Modifies Internet Explorer settings

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 23:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 23:19

Reported

2024-10-25 23:22

Platform

win7-20240708-en

Max time kernel

118s

Max time network

127s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\u is cooked.bat"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9C1E2E71-9327-11EF-A7C8-6EB28AAB65BF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5042fe723427db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000085ab07ca873e1441a741367a3f306c1b0000000002000000000010660000000100002000000078c098d40cfd7e45c3719fc6f84a57f6019d9a70968c405a064744a93e96b6de000000000e8000000002000020000000596953f782612da692ce5392e9c00c0f3521d1bdcf431e25c77224ea94cc54b72000000089448121e755b90fbf8e43698ccfad8da9a47a5e3739d54510946d51861a08db4000000037b54ac87f26f9fdd74ecb60d114a556f1adf09e302b34b27043816a99bb68923bc6bd540a455ad99f83621908a15c34e06bd55886000cb5a3189a74037dfd09 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436060248" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1452 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1452 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1452 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1452 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1452 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1452 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1452 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2108 wrote to memory of 1180 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2108 wrote to memory of 1180 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2108 wrote to memory of 1180 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2836 wrote to memory of 2756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2836 wrote to memory of 2756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2836 wrote to memory of 2756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2836 wrote to memory of 2756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1452 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2584 wrote to memory of 2608 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2584 wrote to memory of 2608 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2584 wrote to memory of 2608 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1452 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2712 wrote to memory of 2324 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2712 wrote to memory of 2324 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2712 wrote to memory of 2324 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1452 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1452 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1452 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1452 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1640 wrote to memory of 2128 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1640 wrote to memory of 2128 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1640 wrote to memory of 2128 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1452 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2884 wrote to memory of 2576 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2884 wrote to memory of 2576 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2884 wrote to memory of 2576 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1452 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2340 wrote to memory of 2864 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2340 wrote to memory of 2864 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2340 wrote to memory of 2864 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1452 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1452 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2916 wrote to memory of 2940 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2916 wrote to memory of 2940 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2916 wrote to memory of 2940 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1452 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1452 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1452 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1452 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1452 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1452 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\u is cooked.bat"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/watch?v=Of9yvKINITg

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msgbx.vbs"

C:\Windows\system32\net.exe

net stop "wscsvc"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wscsvc"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:275457 /prefetch:2

C:\Windows\system32\net.exe

net stop "WerSvc"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WerSvc"

C:\Windows\system32\net.exe

net stop "MpsSvc"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "MpsSvc"

C:\Windows\system32\taskkill.exe

taskkill /f /t /im "FirewallControlPanel.exe"

C:\Windows\system32\net.exe

net stop "WPCSvc"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WPCSvc"

C:\Windows\system32\net.exe

net stop "wuauserv"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wuauserv"

C:\Windows\system32\net.exe

net stop "WSearch"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WSearch"

C:\Windows\system32\net.exe

net stop "WinDefend"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WinDefend"

C:\Windows\system32\taskkill.exe

taskkill /f /t /im "MSASCui.exe"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "START PAGE" /d "https://www.youtube.com/watch?v=Of9yvKINITg"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.201.110:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.180.3:80 o.pki.goog tcp
GB 142.250.180.3:80 o.pki.goog tcp
GB 216.58.201.110:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
GB 142.250.180.3:80 o.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.147:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 184.25.193.234:80 www.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\msgbx.vbs

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 23:19

Reported

2024-10-25 23:22

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\u is cooked.bat"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\reg.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\START PAGE = "https://www.youtube.com/watch?v=Of9yvKINITg" C:\Windows\system32\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C:\Windows\*.txt\ = "htmlfile" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C:\Windows\*.dll C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C: C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C:\Windows C:\Windows\system32\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C:\Windows\*.dll\ = "txtfile" C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C:\Windows\*.txt C:\Windows\system32\cmd.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 1968 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1968 wrote to memory of 996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3520 wrote to memory of 3268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 3520 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 5036 wrote to memory of 1632 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3520 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2748 wrote to memory of 220 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1968 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1968 wrote to memory of 968 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1968 wrote to memory of 1216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\u is cooked.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=Of9yvKINITg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8157646f8,0x7ff815764708,0x7ff815764718

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msgbx.vbs"

C:\Windows\system32\net.exe

net stop "wscsvc"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wscsvc"

C:\Windows\system32\net.exe

net stop "WerSvc"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WerSvc"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\system32\net.exe

net stop "MpsSvc"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "MpsSvc"

C:\Windows\system32\taskkill.exe

taskkill /f /t /im "FirewallControlPanel.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1

C:\Windows\system32\net.exe

net stop "WPCSvc"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WPCSvc"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\net.exe

net stop "wuauserv"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wuauserv"

C:\Windows\system32\net.exe

net stop "WSearch"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WSearch"

C:\Windows\system32\net.exe

net stop "WinDefend"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WinDefend"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1

C:\Windows\system32\taskkill.exe

taskkill /f /t /im "MSASCui.exe"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "START PAGE" /d "https://www.youtube.com/watch?v=Of9yvKINITg"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5348 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4e8 0x4e4

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=Of9yvKINITg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8157646f8,0x7ff815764708,0x7ff815764718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\send1key.vbs"

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1

C:\Windows\system32\tskill.exe

tskill chrome.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\ftp.exe

ftp -s:a.dat

C:\Windows\system32\attrib.exe

attrib C:\Windows\*.html +h -s

C:\Windows\system32\attrib.exe

attrib C:\Windows\*.txt +h +s

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\send1key.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sendkey.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sendkey.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8158773605745359241,15743729899689387291,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4876 /prefetch:2

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Temp\msgbx.vbs

\??\pipe\LOCAL\crashpad_1968_VYOJFHHYXKIKGFSQ

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
SHA1 f4ffc49745826b58d244df648f018de07f78c699
SHA256 b404b70237161ab5257b791868e7c8ec4ece47121804de03f78e738754057730
SHA512 65f6067abd748d41f28c09c2a48139c101d24472810ff37f70a083f6b9648278c9e4a6b1c10e9a6647a77012a3e9043f1368d117dc0c68eee14b6cfc4c051e9d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fdbd3410049d7ae0d4eb2eb0a267f41f
SHA1 9e6527d00eb5e56e7aa356de287e0787b8ad91f2
SHA256 7fbbf878d64bbcec1e9904eae1bdc14975c63630297898e2f6331e2526d821c1
SHA512 b9cd738522d086c48bb8075be571ba2fc2e987130407fbf8403a2ada565eff8c6191bc3b9d22593590f690dbbf126835631cf88641a095802f0e63a20a48da18

C:\Users\Admin\AppData\Local\Temp\Web Data

MD5 d9f3a549453b94ec3a081feb24927cd7
SHA1 1af72767f6dfd1eaf78b899c3ad911cfa3cd09c8
SHA256 ff366f2cf27da8b95912968ac830f2db3823f77c342e73ee45ec335dbc2c1a73
SHA512 f48765c257e1539cacce536e4f757e3d06388a6e7e6c7f714c3fce2290ce7cdb5f0e8bb8db740b5899ba8b53e2ed8b47e08b0d043bb8df5a660841dc2c204029

C:\Users\Admin\AppData\Local\Temp\a.dat

MD5 7590d4cadf912e6855a5e3f2f2037116
SHA1 17a671871bd262abd9797c091273c2b0e38212cd
SHA256 a8b57d702e7cd0c247af8f8a35bd7bc2d362952ebf0d56eed59de4d65846108e
SHA512 209bc190f7f2e7655bb9953318148a78fc8b1e1fe7094b20e0be15376469d0bcc9a8315fac4e1352275fc0104110ab5d076b1ee7ef9f398cdbcd04f22ba19d52

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 5b2794cca772c8591df9150079b213d0
SHA1 6e0222788c3a7d1729f4ff2641c01e4a1980ea66
SHA256 85508d7752c68b2ca505006e10ae9b4b41dd2deeb79b9e005604c3446420540d
SHA512 c61a06c576fae45e90e37c8d0c6ab10de8037df52844301b48bb4c444704cbf131166e489803d8a99c0159d54856cf00c7d94e7537002fe6bcc20e975c3c8401

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 8790caf33b094aa5e2b984e06b91c1f7
SHA1 466ee8c51ab56b7c959f3d9dc56a1d0f8ac8c4b5
SHA256 3df3f03d287f678c5dbaad1b575c05581d3506e2a4936b534aa40c900407e436
SHA512 7bc2e54a4f21771fb8b24de0289b260bcbede1aeb60f55eb5ffec618c9c0fbed73eb346040beb5723dc8dd530ae16feecee5179a2bda306b1b8e967625fcdbae

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3648c1cdc0eb3217f3d712b90c44b843
SHA1 6decf7f313c2dd7cac42d646b8b5fe30fa19ef99
SHA256 326b2216691b4cd074f9fbc2a4471ddb37e7a9b1ee6a16ae5eab914047a2b924
SHA512 e1b35e00db48f439ca47667dc658bf733b3d26c5465a56f3b55475e839f288cc83aeac7653567576e016ab5fc481f232f69cb3884e11f8596a46340aa76a2c21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 c2fbaa49cc6fda4308690f6f8cf8e5ee
SHA1 91312f7c2a69cc10601b67032b7350f46f119880
SHA256 83102b38a7b6bd0387ab681b994ee5e4bb5e94645efd6e7cd8435578a74958a1
SHA512 e305af90971ddf47c77b55445626dfabb83a420c46cc8c3f52cea1388e7746a91a2af0d5d6224bfb862c5914ca72c91ce80441d4cdbdfa8504f1b93f922d699d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f760.TMP

MD5 8f60e2ecddb1a4048c01762ee87f9c32
SHA1 09d5810e3446d8c7ca4f50ba4eac015f0f101d72
SHA256 fb537b8a2de2b9cea5a71f218d6355af19ff0ca01fedfa7b5557905adef460a7
SHA512 fc7a617c72f0e8f0e42afb6e19a66e6ad8b4f49448a3c7ab4547aed3ef39fb63c6928f63a458d70c8a5f1f1da8f16ab6b47c9880450a7f58a244866fd02beb61

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\df5292a9-3697-4abd-9b99-bbf83cd1266d\index-dir\the-real-index

MD5 d9f9665ed1c3b23ebd35f8d7a4d31ef3
SHA1 e66b8bf51f25729925c967d19d6af960d8a592a5
SHA256 4ade86861636dea9dd6ca903cca31c9d84138767db46d23c68eeee565b15ca84
SHA512 3843756f5e03c1b50c7904e35ab9a46280a394faefd5bfba87bc5bf56130bcd7a04c0bca1339ea7c06f7f3f24db891f9e5ab55a0abff835d905122f6a805f505

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\df5292a9-3697-4abd-9b99-bbf83cd1266d\index-dir\the-real-index~RFe5802ca.TMP

MD5 2146c5a7f2584aac1187a13183c3974c
SHA1 13e23f5063cbf3adcebce2c18c8f8ff269965edc
SHA256 07f27b1c5ffa7279cb0b410b83750a6f5b193bfadbe3fc6691ea7593480d957d
SHA512 c58dd3344aa16a6be65f2912b10a359eab530b4b2e2a21659234b7e0368491cd0b5ae17928792a7bfe04a7b42dea98254f025372fd4c19ec6390c340e7bf54ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5809cf.TMP

MD5 4aa55c7e1e7e1b6aa8db6d08f01ac242
SHA1 e65c8df887e4f863554122904d2ab7f4fe598a98
SHA256 62cdd0c36060bc4c440e4749bc8793aed5c414f9b6423d7999326d92280aed69
SHA512 633194bd3f1368f06d9065a356b85e69e1d1046f95ba74bcec38bb2a4528d2f1b286441d0f30a093d257a4f575e081e55dafb3b1aa4132584c659bfc44371f2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a828ade8ff3e7ca98bf535b120d97f4f
SHA1 540cd0c8a60174704732b4613d65a0c460b16014
SHA256 f02ca1c79d19c156e2bbca678a148ce04cabd903ef313ef415559d4ae9df9ab8
SHA512 3488ff0616657706e253dc0cf0bc6d32717745ea5238bf194e6b593b60c99bfbaa95c6d80b252ba51411e5da54f5ba8b07fe56d41bf3a2a6fc772611214be7ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

MD5 778ca3ed38e51e5d4967cd21efbdd007
SHA1 06e62821512a5b73931e237e35501f7722f0dbf4
SHA256 b7e1bfadb8d9c061f17a7234df012df7842ab1aa8fb6f9579fa3f0a3b4a75bc0
SHA512 5f6f02099ca8079305fb7e7f43ae4344d522271fe30379c0854d6a81b7d8adf408a50a4b799b5f52e6ed162ba6ce7fe97e24a2b9719df780e75683d3aa103d09

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 bc2ae26fad1e628d27e06461fa6d33bc
SHA1 8e0a7a19a884ac94a441caa37bfb2ce7244978c4
SHA256 74ec376187f07a60503495a779a67c682dfbe183bf62835896404cfd57bf176d
SHA512 e8c69b29d3e9f14528ccaa24a0f6e1f749a9d562790ceab2b67d6e3bfbdf68e42f278a7a5e9ca0c5f169df605ad49d30e4f3a1405060767b2ed9931a26e2df56

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 f2ad3626dc3266239a6dc6dc577adc3d
SHA1 51f048e1e76bae1ee0ceec0ec51dd2accf7e6adc
SHA256 579d47e85073862ca7ca94a72e9b66f1b1c316ca1a2b3584059024719d7bc285
SHA512 591a90bf39df41b6f3ab5cc2713f23ec44d0e0a661fb3512080416042444cf8df98b34a9388b90d81619c516e1014ceb441fbbc1e2f4222f9499c2f3a00ae235

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 5c623ebddc3fbea46e0f64090c04f9c1
SHA1 5b68d1734bbc41aa26c370251b2892ef71dfd085
SHA256 0a89f6ea0409af6627e965c23c87f06ffd78a9c45135bada5d864e2c5dd9fd50
SHA512 167aec7e8ddb4cebafb0f944ec84ba78a834aa9ae4af1a024aca05c7aec38be0e685f0ca6b95927e118b8a6dd7fccf900f54af14039d44f1062e511347b4009c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 8eff0b8045fd1959e117f85654ae7770
SHA1 227fee13ceb7c410b5c0bb8000258b6643cb6255
SHA256 89978e658e840b927dddb5cb3a835c7d8526ece79933bd9f3096b301fe1a8571
SHA512 2e4fb65caab06f02e341e9ba4fb217d682338881daba3518a0df8df724e0496e1af613db8e2f65b42b9e82703ba58916b5f5abb68c807c78a88577030a6c2058

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 bd9a0ea80362180badfabf5853ac7ed7
SHA1 79380cddbc9ab6107a3d776d924d291a78165611
SHA256 54b047637d7bcef8e2c8cec942a7369d8b5dc68578620950e71fd437551d53b3
SHA512 63005f37be247c5b2ed018579afe21f1eedc6ac80ebed49408002c7e2f15ad3533d00b275ced87af5a33ff4c0845a79a450b181b1b5f4d21f49ad2f655438b9a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 33fff7fb6a016023c955ee8b15e6555b
SHA1 cc9bb7c769f9a4bc6153e49e71ce6992cd053401
SHA256 63bbca6e2eff30a0dd9170127b02028449a9156c53787478bf96b907bab1875b
SHA512 590a5900b0e8729c09137aeae9a15e92058efaf23028ff46a8354edeacba748ad95037d84ff27dc3f035c23d219a1f91034efcffc7aaa6278b280a18198ae40d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 a61066562af27d41deea62da22ea8ed5
SHA1 ec99ffb625ed5c04f45aea983e8516e42c5e5447
SHA256 5dcb86b48794560b49f0c08844df3588a934b3bfa2c6b51b531ea05d5b12bb32
SHA512 8b8071497209803f10ac5e2e591b2c58f71200f1427268caed1df0aad7c29b15fda51f67e844f2d1b865fa561df670547a7ad75e2990e9a4271d1d836c8cef3d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 49563ed57a097ddd0565873f1b62492b
SHA1 3134f982615bc63d14394067cd288f36d0e9809c
SHA256 679a97a0448d8e19a9058c35c2e6f98306735e996d43befd884d62797d17b097
SHA512 7f49dd2d3b32a6350fd0754c9f17c89d19af3b561f1cde19697a03fe42859f73ba4952341cbcbda71b844b9cdb574b5fbf64fe180178420ad126501933a78b87

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 da97446dc90337d14601d5bc04590b06
SHA1 a63a32ce3467f3d23e3b61d80d7516a9f41cfecd
SHA256 8acb4be1bef051b394e403ee913445686d0a43e840120bc096f29ab3cbe519af
SHA512 af2159505e96d151b9aa181ad27044e1fd720aa0b011b5752c59a0c68898c02310ab688cd01b2b4f7c9516d498a1ef3522af05b8c064b6e3a27511fdd3154a94

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e583a425-0e2b-4dd6-adaa-203df3f48f9a\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

MD5 115c2d84727b41da5e9b4394887a8c40
SHA1 44f495a7f32620e51acca2e78f7e0615cb305781
SHA256 ae0e442895406e9922237108496c2cd60f4947649a826463e2da9860b5c25dd6
SHA512 00402945111722b041f317b082b7103bcc470c2112d86847eac44674053fc0642c5df72015dcb57c65c4ffabb7b03ece7e5f889190f09a45cef1f3e35f830f45

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

MD5 2d0cbcd956062756b83ea9217d94f686
SHA1 aedc241a33897a78f90830ee9293a7c0fd274e0e
SHA256 4670bfac0aeaec7193ce6e3f3de25773077a438da5f7098844bf91f8184c65b2
SHA512 92edce017aaf90e51811d8d3522cc278110e35fed457ea982a3d3e560a42970d6692a1a8963d11f3ba90253a1a0e222d8818b984e3ff31f46d0cdd6e0d013124

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

MD5 c83e4437a53d7f849f9d32df3d6b68f3
SHA1 fabea5ad92ed3e2431659b02e7624df30d0c6bbc
SHA256 d9bada3a44bb2ffa66dec5cc781cafc9ef17ed876cd9b0c5f7ef18228b63cebb
SHA512 c2ca1630f7229dd2dec37e0722f769dd94fd115eefa8eeba40f9bb09e4fdab7cc7d15f3deea23f50911feae22bae96341a5baca20b59c7982caf7a91a51e152f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

MD5 350fef14b9432c8888714f9d69ba79fb
SHA1 f02876195e3b3628384124d63cbcb3606a06996d
SHA256 dbb362d29b9b4111e7722bae880e8a79ef8efe96db4cdf7869195f5cd0066fc5
SHA512 8fab4f3151a81a2cf0465aaf245d507da97c230eeb86dd6e9cee798e4d8d953aedb2e7e4cc004fdc8a5f7e8af0ded27aeefb4c626ad61c95f38572e13d49d419

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

MD5 51ada20f3d9b2e10bf253625b6d3e93c
SHA1 33ae5c605995bae21738b607de2e6ada6c36f947
SHA256 cf059862ab8406773d991f3fbbfc8ac5da8333cb3f0ea9735718a0ceb0e3bb41
SHA512 aaedf597d8ca4bbaf6f44a621b60b08aa699b788ed2b938b32044715d692b3e5536db1293e237b1fc904a87fe9f8e2121eb8f4a31c93b2e596e190762aeaca18

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 0e02211f2a75623c0af1e004f9f2b5c9
SHA1 784138b06f0ceda465a9a002f66f56c16e4415a6
SHA256 ab7132d53e28bf1813013a5f1527e08e36050acbedb9b5de240bddf89d894385
SHA512 d9bacba07742c3583bb1dc6a5320c748c042ee99193fceabf69219983a4f4ccb68bcfc68e2d2b70949b0c818fc748e1be696f9fc46c7473d783599b11c5e3466

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 87c556b79f7e4f43adc220ab7f593b2a
SHA1 160ad501f5f6587b55be4a6132278accc890d3ae
SHA256 617d291323eb8b07c5494bc567114c4f265cc2b83ea772cf15d797e7586fdd4f
SHA512 45fc0b4ee8c6c3b45caedea461106985d940d2669eb5bd57f6f874de939180170b6e171748d37d8796a9d43d43b92b2bac2deea44853daa99b9a2158d7cd40ee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 18bda474de1a19aa8ed1c15955430c72
SHA1 a2139505849311c4818a01c366daf592acdf5b20
SHA256 2a487f748729af492105bce93dd1b7303949e5aeaefe54a14151e8e418c27967
SHA512 97557dac7fc36cac81540476d34c68ebc464703ba6c9883e2869c3b9e4e0bf837488a17da05172235b54ecc81c1c5ea368021099b83c35bd070e9b1b4982b6b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\df5292a9-3697-4abd-9b99-bbf83cd1266d\index-dir\the-real-index

MD5 9345d8842a53d2dc74cd79912e759841
SHA1 78f2fda7d2713ce0faeadda4742965c322ea3a98
SHA256 c18bfd7a5f75a27f15a56a0a406ce45eb5a61d0825642a51ce4f4e014dca12f0
SHA512 5c74c4bd5747fb09978212b193466b14af66d9e8006403ec15f876f78e54347fcff45949081bbf6e8d81f9c81723931fa79abdc20ba84084973e2ad52f8dd52e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1f53cd4793f3a9f68de45b64bdcbb241
SHA1 152b1507e49d55fa249c46599fb8e9f3931285cc
SHA256 618c9584bfcf719c934efaf2c0c32cbe9edd7501d9d55c16d1a600b65bd94f85
SHA512 9ab673685d884b7e10132dcb7c9f8e1a8b6b8416e56cdd87f9f75927e3df329f87f412bc4969de12ea692f884028f0c2d1a4e56c9f108d35cd0149f2d43b8105

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ef1618c5-a106-43da-9df3-e1397ee227d9\index-dir\the-real-index

MD5 790f7e177f57d1918ab067f956f50b78
SHA1 2055626178a034bd4b30367adc6dcf2beed93518
SHA256 846539dcef9aae855dd88c6f9fea3eecb731ff129f838f94db49eebd3708239f
SHA512 a8c114980a62f2f650d5328c3ad219f8bb0a83b3f1db2f733501a3204fdaf60cd774464f2d964d284d46f4c179e9096050d4ce402a78bde2ccb43f47badcf18b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ef1618c5-a106-43da-9df3-e1397ee227d9\index-dir\the-real-index~RFe5885f4.TMP

MD5 3302906977b434280ad23d85048a8a89
SHA1 2d9576c9c6350b785d135ae78e6f5251b6fdcbf5
SHA256 8a212305f489a016a20ebacdfb4cd49adf59a25b5831700d050a7fe6e1f7dcee
SHA512 b949e8205b0f219394b83223d6c120830360a978493f6fb83788349cc36daebe6a89c2df8c80cc96a1cde7fd1aa51d47c02e8298767f4bca3b2c5513e128c6af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 c26aa64ee8ef0692f723d2f2bb43cfa0
SHA1 a3c56d291cc6f1778425d248a4ac330b7f4f1a34
SHA256 290ed0ef22d39b1bdd9e06313420b3d864fa77d1798a341a3be56edd143fbed2
SHA512 4c9178a270815d7b855957a04ad2ff86e0592586856e5d6d6e688c7308b6d2bd8adcad13e8aa4a1eb6aed82c8c5aefbebeceaada31a7db768b0cbe3228ed5134

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 0cabb2dcb63dc5b415d16810d023cd43
SHA1 c0b03efce45a757d8d753d58b9e009e2d5fd6e46
SHA256 c362d9296515fa316ea82ae0e175e04bb9279590a3fd4bbe506951549efde9ba
SHA512 4f5b32da3f4bc35707fdc2fdf335acdca6c83413399d2ce3621ebc0a1214f16d7a85eac5912f65e70263d709887195ebbd3df702472dacc27469795a96da099f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 cc7b95f79e3c18a6e702cd8a7df8deb5
SHA1 698e01c0af7aae896134abcd178239d294122e16
SHA256 ec873f279159212cd757558e9ca8d6b68d46a2153f9bd89b62bb2f10b6b0727d
SHA512 82a0f8327988e1cfca8854de62d4f758ea2047996fb6c625bc854ceda0f445ab0f09c51a56b545ad35fdfef8474d52c5ab8e299e7958ad908e5bea4f7336f426

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 19ee54e58db86db16543a437d56be4c0
SHA1 0542c5c43ddb18139e55aab2b3def1cd655b97ec
SHA256 5e3d6905fb9f142d606e9e85293daa46ba5104fcd6c15676c58d41f6ee6f4ffb
SHA512 88ae9555f71328563cd8d79afeb705a303559adeb8e242f8b739d1286a5a3a5b432f02ea20660a50887356747a509ff4a1984e5502fd01f1cec996ec036aa1ee
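A listing like the one above is more useful once it is parsed than read: the same Edge profile files appear repeatedly with different digests (the browser rewrote them during the run), one entry carries the digests of empty input, and a handful of paths fall outside the Edge profile directory entirely (msgbx.vbs, a file named "Web Data", and a.dat, all under the user's Temp folder; "Web Data" is the name Chromium-based browsers use for their SQLite autofill store, which is why a copy of it outside the profile is worth a second look). The script below is an added example written for this page, not code from the sandbox or the report; the function names (parse_file_listing, triage, digests_of, matches) and the EDGE_PROFILE prefix are assumptions, and the SAMPLE block is constructed from six entries copied from the listing above. It parses the page's path/digest layout, checks every digest has the expected hex length, detects the empty-content entry by recomputing the four digests of b"", counts rewrites per path, and lists the non-empty files written outside the profile directory.

```python
"""Triage a flattened sandbox 'Files' listing (path, blank line, MD5/SHA1/SHA256/SHA512).

Added example for this page; the listing format mirrors the report above, the sample
entries are copied from it, and all function names are assumptions, not the sandbox's API.
"""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumed profile root; paths not under it are flagged as drops outside the browser profile.
EDGE_PROFILE = r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"

# Constructed sample: six entries taken verbatim from the report's file listing.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a0486d6f8406d852dd805b66ff467692
SHA1 77ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256 c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512 065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

C:\Users\Admin\AppData\Local\Temp\msgbx.vbs

MD5 4a77c15fc780eed073b24b451dc79eb5
SHA1 14873939db8189fdce2c0ba26c8d500bab7f8e8c
SHA256 9ea1e56184a95613e661337e37df8634498daa34ed517f36fb63f3e8611b6607
SHA512 a665c88819c0280fd5ffb5122330899650f64afecc7dff5b28277a37b68482101390a2cf123c630a58cb8162a965d55c2f6f889fd2be60dba18b4a24fb2a5171

\??\pipe\LOCAL\crashpad_1968_VYOJFHHYXKIKGFSQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 dc058ebc0f8181946a312f0be99ed79c
SHA1 0c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256 378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA512 36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

C:\Users\Admin\AppData\Local\Temp\Web Data

MD5 d9f3a549453b94ec3a081feb24927cd7
SHA1 1af72767f6dfd1eaf78b899c3ad911cfa3cd09c8
SHA256 ff366f2cf27da8b95912968ac830f2db3823f77c342e73ee45ec335dbc2c1a73
SHA512 f48765c257e1539cacce536e4f757e3d06388a6e7e6c7f714c3fce2290ce7cdb5f0e8bb8db740b5899ba8b53e2ed8b47e08b0d043bb8df5a660841dc2c204029

C:\Users\Admin\AppData\Local\Temp\a.dat

MD5 7590d4cadf912e6855a5e3f2f2037116
SHA1 17a671871bd262abd9797c091273c2b0e38212cd
SHA256 a8b57d702e7cd0c247af8f8a35bd7bc2d362952ebf0d56eed59de4d65846108e
SHA512 209bc190f7f2e7655bb9953318148a78fc8b1e1fe7094b20e0be15376469d0bcc9a8315fac4e1352275fc0104110ab5d076b1ee7ef9f398cdbcd04f22ba19d52
"""


@dataclass
class FileRecord:
    path: str
    digests: dict = field(default_factory=dict)

    def well_formed(self) -> bool:
        # All four algorithms present, each with the hex length its digest size implies.
        return set(self.digests) == set(HEX_LEN) and all(
            len(v) == HEX_LEN[k] for k, v in self.digests.items())


def parse_file_listing(text: str) -> list:
    """Turn the page's layout into FileRecords: a non-digest line starts a new record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current.digests[m.group(1)] = m.group(2).lower()
        else:
            current = FileRecord(path=line)
            records.append(current)
    return records


def digests_of(data: bytes) -> dict:
    """Compute the same four digests the report lists, for comparison against a record."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "SHA512": hashlib.sha512(data).hexdigest()}


EMPTY_DIGESTS = digests_of(b"")  # recomputed, not hard-coded, so the check is self-evident


def matches(rec: FileRecord, data: bytes) -> bool:
    """True if the bytes you hold (e.g. a recovered file) are exactly what the report hashed."""
    return rec.digests == digests_of(data)


def is_empty_content(rec: FileRecord) -> bool:
    return rec.digests == EMPTY_DIGESTS


def triage(text: str, profile_prefix: str = EDGE_PROFILE) -> dict:
    records = parse_file_listing(text)
    return {
        "total": len(records),
        "malformed": [r.path for r in records if not r.well_formed()],
        "empty": [r.path for r in records if is_empty_content(r)],
        # Same path listed more than once means the file was rewritten during the run.
        "rewrites": {p: n for p, n in Counter(r.path for r in records).items() if n > 1},
        # Non-empty files that live outside the browser profile: the drops an analyst pulls first.
        "outside_profile": [r.path for r in records
                            if not is_empty_content(r) and not r.path.startswith(profile_prefix)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the full listing, `rewrites` separates the browser's own churn (index.txt, Preferences, TransportSecurity written several times) from one-off drops, and `outside_profile` names the files to retrieve from the sandbox for a second stage of analysis; `matches` then confirms a retrieved copy is the same bytes the report hashed. The script only classifies paths and digests, so a flagged file still has to be examined before anything is said about what it contains.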