Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
202s -
max time network
203s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
29/11/2024, 15:01
Static task
static1
URLScan task
urlscan1
General
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
193.161.193.99:53757
hsaurcrgqwhjimnkbht
-
delay
1
-
install
true
-
install_file
Load.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Xmrig family
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/files/0x00030000000006a1-332.dat family_asyncrat -
XMRig Miner payload 7 IoCs
resource yara_rule behavioral1/memory/4752-406-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral1/memory/4752-407-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral1/memory/4752-409-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral1/memory/4752-410-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral1/memory/4752-412-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral1/memory/4752-411-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral1/memory/4752-413-0x0000000140000000-0x0000000140835000-memory.dmp xmrig -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1972 powershell.exe 1916 powershell.exe -
Creates new service(s) 2 TTPs
-
Executes dropped EXE 5 IoCs
pid Process 4500 Loader.exe 4880 Loader.exe 2376 Load.exe 3324 Load.exe 3180 nnegaqupnsqi.exe -
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 4760 powercfg.exe 4296 powercfg.exe 2756 powercfg.exe 336 powercfg.exe 324 powercfg.exe 4700 powercfg.exe 2872 powercfg.exe 1112 powercfg.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\system32\MRT.exe Loader.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe nnegaqupnsqi.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3180 set thread context of 4352 3180 nnegaqupnsqi.exe 166 PID 3180 set thread context of 4752 3180 nnegaqupnsqi.exe 171 -
resource yara_rule behavioral1/memory/4752-401-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral1/memory/4752-402-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral1/memory/4752-403-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral1/memory/4752-404-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral1/memory/4752-405-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral1/memory/4752-406-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral1/memory/4752-407-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral1/memory/4752-409-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral1/memory/4752-410-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral1/memory/4752-412-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral1/memory/4752-411-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral1/memory/4752-413-0x0000000140000000-0x0000000140835000-memory.dmp upx -
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1952 sc.exe 4196 sc.exe 2484 sc.exe 1924 sc.exe 3192 sc.exe 1928 sc.exe 3748 sc.exe 2424 sc.exe 3720 sc.exe 4876 sc.exe 2676 sc.exe 3880 sc.exe 864 sc.exe 3564 sc.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\7zOC4EF7699\Loader.exe:Zone.Identifier 7zFM.exe File created C:\Users\Admin\AppData\Local\Temp\7zOC4E633E9\Loader.exe:Zone.Identifier 7zFM.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 1880 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies data under HKEY_USERS 46 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings OpenWith.exe -
NTFS ADS 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Nova.rar:Zone.Identifier msedge.exe File created C:\Users\Admin\AppData\Local\Temp\7zOC4EF7699\Loader.exe:Zone.Identifier 7zFM.exe File created C:\Users\Admin\AppData\Local\Temp\7zOC4E633E9\Loader.exe:Zone.Identifier 7zFM.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5008 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4372 msedge.exe 4372 msedge.exe 4716 msedge.exe 4716 msedge.exe 3896 identity_helper.exe 3896 identity_helper.exe 1492 msedge.exe 1492 msedge.exe 240 msedge.exe 240 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 1340 msedge.exe 3660 7zFM.exe 3660 7zFM.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 2376 Load.exe 3660 7zFM.exe 3660 7zFM.exe 3660 7zFM.exe 3660 7zFM.exe 3660 7zFM.exe 3660 7zFM.exe 3660 7zFM.exe 3660 7zFM.exe 3660 7zFM.exe 3660 7zFM.exe 3660 7zFM.exe 3660 7zFM.exe 3324 Load.exe 3324 Load.exe 3324 Load.exe 4880 Loader.exe 1972 powershell.exe 1972 powershell.exe 4880 Loader.exe 4880 Loader.exe 4880 Loader.exe 4880 Loader.exe 4880 Loader.exe 4880 Loader.exe 4880 Loader.exe 4880 Loader.exe 4880 Loader.exe 4880 Loader.exe 4880 Loader.exe 4880 Loader.exe 4880 Loader.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3420 OpenWith.exe 3660 7zFM.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: 33 1600 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1600 AUDIODG.EXE Token: SeRestorePrivilege 3660 7zFM.exe Token: 35 3660 7zFM.exe Token: SeSecurityPrivilege 3660 7zFM.exe Token: SeSecurityPrivilege 3660 7zFM.exe Token: SeSecurityPrivilege 3660 7zFM.exe Token: SeDebugPrivilege 2376 Load.exe Token: SeDebugPrivilege 3324 Load.exe Token: SeDebugPrivilege 1972 powershell.exe Token: SeShutdownPrivilege 4760 powercfg.exe Token: SeCreatePagefilePrivilege 4760 powercfg.exe Token: SeShutdownPrivilege 2756 powercfg.exe Token: SeCreatePagefilePrivilege 2756 powercfg.exe Token: SeShutdownPrivilege 4296 powercfg.exe Token: SeCreatePagefilePrivilege 4296 powercfg.exe Token: SeShutdownPrivilege 336 powercfg.exe Token: SeCreatePagefilePrivilege 336 powercfg.exe Token: SeDebugPrivilege 1916 powershell.exe Token: SeShutdownPrivilege 4700 powercfg.exe Token: SeCreatePagefilePrivilege 4700 powercfg.exe Token: SeShutdownPrivilege 2872 powercfg.exe Token: SeCreatePagefilePrivilege 2872 powercfg.exe Token: SeShutdownPrivilege 324 powercfg.exe Token: SeCreatePagefilePrivilege 324 powercfg.exe Token: SeShutdownPrivilege 1112 powercfg.exe Token: SeCreatePagefilePrivilege 1112 powercfg.exe Token: SeLockMemoryPrivilege 4752 explorer.exe -
Suspicious use of FindShellTrayWindow 41 IoCs
pid Process 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 3660 7zFM.exe 3660 7zFM.exe 3660 7zFM.exe 3660 7zFM.exe -
Suspicious use of SendNotifyMessage 16 IoCs
pid Process 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe 4716 msedge.exe -
Suspicious use of SetWindowsHookEx 23 IoCs
pid Process 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 3420 OpenWith.exe 1572 OpenWith.exe 3324 Load.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4716 wrote to memory of 3872 4716 msedge.exe 77 PID 4716 wrote to memory of 3872 4716 msedge.exe 77 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 5068 4716 msedge.exe 78 PID 4716 wrote to memory of 4372 4716 msedge.exe 79 PID 4716 wrote to memory of 4372 4716 msedge.exe 79 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 PID 4716 wrote to memory of 2988 4716 msedge.exe 80 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/IyIQFQgR#cI06edjpgHov5WQE9yKoPHxc0q-bMef6N4TK8Z3JDU41⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb11233cb8,0x7ffb11233cc8,0x7ffb11233cd82⤵PID:3872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1844 /prefetch:22⤵PID:5068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:82⤵PID:2988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵PID:996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵PID:2876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:12⤵PID:2160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:12⤵PID:2648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵PID:3864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵PID:5020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1720 /prefetch:82⤵PID:3600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:12⤵PID:1880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:12⤵PID:4028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2500 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1340
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:972
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3000
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004E01⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3420
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1572
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Nova.rar"1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\7zOC4E633E9\Loader.exe"C:\Users\Admin\AppData\Local\Temp\7zOC4E633E9\Loader.exe"2⤵
- Executes dropped EXE
PID:4500 -
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4880 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵PID:2096
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵PID:4272
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc4⤵
- Launches sc.exe
PID:3192
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc4⤵
- Launches sc.exe
PID:3720
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv4⤵
- Launches sc.exe
PID:1952
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits4⤵
- Launches sc.exe
PID:3880
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc4⤵
- Launches sc.exe
PID:4196
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4760
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:336
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4296
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "KFUNOUIY"4⤵
- Launches sc.exe
PID:864
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "KFUNOUIY" binpath= "C:\ProgramData\xqgefzhhbtbb\nnegaqupnsqi.exe" start= "auto"4⤵
- Launches sc.exe
PID:3564
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
PID:2484
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "KFUNOUIY"4⤵
- Launches sc.exe
PID:1928
-
-
-
C:\Users\Admin\AppData\Local\Temp\Load.exe"C:\Users\Admin\AppData\Local\Temp\Load.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit4⤵PID:2464
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'5⤵
- Scheduled Task/Job: Scheduled Task
PID:5008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp420B.tmp.bat""4⤵PID:1740
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:1880
-
-
C:\Users\Admin\AppData\Roaming\Load.exe"C:\Users\Admin\AppData\Roaming\Load.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3324
-
-
-
-
-
C:\ProgramData\xqgefzhhbtbb\nnegaqupnsqi.exeC:\ProgramData\xqgefzhhbtbb\nnegaqupnsqi.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:3180 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:2176
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:568
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:3748
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:4876
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:1924
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:2424
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:2676
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:324
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4700
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1112
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:4352
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b4e91d2e5f40d5e2586a86cf3bb4df24
SHA131920b3a41aa4400d4a0230a7622848789b38672
SHA2565d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319
-
Filesize
152B
MD5aad1d98ca9748cc4c31aa3b5abfe0fed
SHA132e8d4d9447b13bc00ec3eb15a88c55c29489495
SHA2562a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e
SHA512150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72
-
Filesize
152B
MD5cb557349d7af9d6754aed39b4ace5bee
SHA104de2ac30defbb36508a41872ddb475effe2d793
SHA256cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee
SHA512f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize72B
MD5d5254c028d9c532fa49408d730f742a5
SHA17e085754c1a0ec148f124951a9d2eecaf6b1c5f9
SHA256c848a01e456e27b673772754124b200dbb9292e17033a329b710ee46c130b19d
SHA5122284d550b87a93c3a53b934ee6f3093cc0ee6bde86d8b6136eb0c7703389222e04a813ef77acafa13e3050600c9a6d4d504f7666b45901beb88489079b61bdf4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
188B
MD5008114e1a1a614b35e8a7515da0f3783
SHA13c390d38126c7328a8d7e4a72d5848ac9f96549b
SHA2567301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18
SHA512a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b
-
Filesize
6KB
MD593a50223fd94909564afc2fc1e30476f
SHA111c7f32d37d18ace0e5d7da4a045ce847ce9fd5f
SHA25619830130f99cbb4c82123edd4772896ba303a76db2f5daef8ad0d604a7d65c02
SHA512ee49b7091144f0a24021c278aefd79726576c2ddfd008d49f5a6d5d6772699363d5f5cd9a206abac06a0a4f46a5d72e9e6470031464456af8b01f3d49d59583d
-
Filesize
6KB
MD537ae146732d1517361c0fefa41308064
SHA17a69c482dc601a2f0f3770c3e77a059333ac63a7
SHA256194763e10aa92b58e13845ea5639b5e154eb6a8bb08f3e6a0df2318a36980de8
SHA51210f72776f4757419b50e9128a94ba09320935a78b74880ddffe207ac28532b858486e3899df73d443ccf5763a9b69df84552fa7845e1c815ca2970adca27b298
-
Filesize
6KB
MD531c4ab723ff819e83ef389e09e2c84e1
SHA14543e02259632f0e454ce441b4a8e30c83529b23
SHA2565629cc134e059d1540175f846dff27b0ebfa57fed71420ace7980f205044b832
SHA51291f5374af75a76b98617e2ff386f826b8fcda46a6095e67e4db3fde2851a5f0d89d83d47cbd68e95532fdae5ba7ae9f6604150cd3b97a816b97c366fb7a16eb2
-
Filesize
6KB
MD5fb09ce0f69ed83b64398b71536e2ee8c
SHA1c151cc6001747707b05aacd98cdf743e2f9b3a26
SHA2566baa6d4edffd91b3a72ea30467b0bc784a3e6af2b066623dd58dde8a18e53f6b
SHA512c629a05162045d096ebc2f2f0df05f62fc8747e8ab9b76d097f8371fde543df966513b5c4806b33c2d460de400b25d9032aeff772bf26edca44dcd398a855a26
-
Filesize
5KB
MD52b91488d542a81ad15bd568bdd5c9173
SHA1bfcd739fd8d2bf59550bcc5092339641da1c76ec
SHA25644dfbee2091b15b0d0a4020c89df033711754d2a2f23b94f5bf809b1b67ae232
SHA512d434ff741a01708e5025032f54d76cb3fdd7891a53da29048afce6f9a2d6606df8998e3651f322b1c933267ff616dd176c6b9a1bcb1b06528f3beb7acbc11a0f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD591777781574284962d8e967fd54fb62c
SHA12c90e0950d5950d395cbce2af7c5e69240ddd9b3
SHA256bce7600abe5e9cf3f6992e742e9c4434923477bdd6a2f822672f92c622172dae
SHA512a164e803363c5d7d8d4bd0c31b20a6a0e718af3e4d313d01b7c0fd243958488ca0971dd05ff278524754fd6444f356dc4f8caee0386be71b3e8294c223a92f24
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583d14.TMP
Filesize48B
MD58b98c438666e49a91dbd7b041119b708
SHA1aa150aac30d128032f5b18c7c4b200e2c4faf879
SHA2566e7cef4d6fd71f072868fb8620a6a941746cdf7372bd7d2a33fe803085ae5f4f
SHA512d879b0dd1a629ecc386cea2619b5a500e31dc2a57a52da31419b3baf93102cd6c27468baccf870dfa58c99334dc3a1ecf270e6ab3697f117da3af8a76ec24a39
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5dcb1594ec84770b2b8b8c85be8a412cd
SHA1d8d60fb3dd6edae915775c02fb63e5ea340d9a5d
SHA256e519140f8cabbaecaa721f8e4c169db8ae508ddc13f7622238e2f51e6153a604
SHA51237c9aa05f7e33a6abf1bf474eff9b3b4b2f3cb741976dfc0c5e602212fa5abb1a9abd2fc3d2acb2e03e6f64a4cb5f9b05ec938a3a8cb51b2c3909836d3d62a2c
-
Filesize
11KB
MD569e75a1e7dc22c51b73e362060d9a87a
SHA1955d403ecef864d2a459d85d5d97199cc73475be
SHA256806c6f3833c292da64c878a5a5453a7e14aa1845cb402e5380ddd3a4dde2f104
SHA512fb57919e18d722f2d4d83dc96fa02acbb01be519a633bfdb5ef23d5a013ae4f49c5cee59e5072c2ca6c0968d9ac732ed1adef3222dc72c2054f5f55d8dcb00a8
-
Filesize
10KB
MD5243aac74208b1c941448a6e4ed086774
SHA1f4e7e31e9435d8edf25f16f9e1523956d489f925
SHA2569995fcf01ec5ef600ee547164075bfb6e14bb04c41235cfdafb8f59e2881a509
SHA512eb76a8a94c2a681b4bf1510f9c9e4a576aebb3cfeb36407747b3d135faadbe43f317fd0e7087f892ec2e31779452248c5e7a660c0d5b53f2cd352d0efb5a1ae1
-
Filesize
2.1MB
MD5a07c79f9e2dd72f3b884928ee384344e
SHA188df6b54a3e53a501b09b32de2def406820879fa
SHA25635c4d936db755868a37561663cd4b279b338413db5f89c2f9df71d74a6d35b61
SHA512cdb6957a1e59b053fdd8f0d43d9b1ba575da2140c5d2c547b87e8a5b1199f2d071f66152ade3cfdb5294903cf42f395a948b28ea87aef9d9aa6eacdeaffdd1fd
-
Filesize
74KB
MD54fc5086bcb8939429aea99f7322e619b
SHA18d3bd7d005710a8ae0bd0143d18b437be20018d7
SHA256e31d6dc4d6f89573321f389c5b3f12838545ff8d2f1380cfba1782d39853e9fd
SHA51204e230f5b39356aecf4732ac9a2f4fea96e51018907e2f22c7e3f22e51188b64cdb3e202fe324f5e3500761fae43f898bf9489aa8faa34eff3566e1119a786d2
-
Filesize
2.5MB
MD535c54b6a9227ccb7149698254dc8dd52
SHA133433b0716128f7c887d7929ec50fab495e45f38
SHA256db7744a5e7567b151e15c6159b03eb71974233db90716b38d7bb726fd61798e4
SHA512492de363f0252005a303b7b169721f8536d131bbca71ef37bae59b4b17427dda869c14eea72fd3ed69efc0a3b19b9c3b18e7d6ada1721fbf9b0ce3bfaa57cc12
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
148B
MD51a68bc4f7b643e389ac36caa688f2759
SHA19751f4790ee85d43d742f4a4766c43344352bb50
SHA2563557cecad070ac93bd90dc0772d624869ee0c6d61912e0888efe3242909686aa
SHA512b0545a4e38552a268614266bbcf16f5e215b184aa0edab4c745ccd578849c9046351b0edafd0cb09a88ad547c8d511cc36f8d5d78d9096d1e03fbf4b1dcf62aa
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
2.1MB
MD550ee1cf21948c6015354e9c1a94ca5db
SHA1f2f6fb19a2db75d2d5515fd3a20c66eb8f3e6d42
SHA2568fe639c3cbdcb49a5246f85ce136f14c8c0ad5150c6e38b5eb66eced9d4c4329
SHA51246c8a6e2818972ec363b5905838e05828a87b10c7991ae5124c485ccf625da0cff4985d675bbda08a9eccf1fc1027c5db0a22f8e99c732f7593f66c68f3654dc
-
Filesize
52B
MD5dfcb8dc1e74a5f6f8845bcdf1e3dee6c
SHA1ba515dc430c8634db4900a72e99d76135145d154
SHA256161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67
SHA512c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d