Analysis
max time kernel: 149s
max time network: 147s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16/12/2024, 10:05
Static task: static1
General
Target: JJSploit_8.13.9.exe
Size: 98KB
MD5: fe9d7b49dab665c66f2462ac58913202
SHA1: 3fa3a12f014e2ca04972c6ea2cfb439662eef06f
SHA256: b5860aa704760ecaa8cb40c378c35dbd0c1d8b29d4d6b5eb9b97fad1dfff27b5
SHA512: bf6fe93ffdfcae97b480c975c0477f58157ac0551dd0c2db53f5452fbb5be23316bf0498350359447c13d9bcedfbaf44722af6edb6f8c4bad06780b2da956d9a
SSDEEP: 3072:wVtPS5z1wveHYI9zcRgPS5z1wveHYI9SG6mz:wVA6ZICR36ZIx
Malware Config
Extracted
Family: meduza
C2: 147.45.44.228
anti_dbg: true
anti_vm: true
build_name: 424
extensions: none
grabber_max_size: 1.048576e+06
links: none
port: 15666
self_destruct: true
Signatures

Meduza Stealer payload (5 IoCs)
resource | yara_rule
behavioral1/memory/5080-15-0x0000000140000000-0x0000000140141000-memory.dmp | family_meduza
behavioral1/memory/5080-18-0x0000000140000000-0x0000000140141000-memory.dmp | family_meduza
behavioral1/memory/5080-17-0x0000000140000000-0x0000000140141000-memory.dmp | family_meduza
behavioral1/memory/5080-19-0x0000000140000000-0x0000000140141000-memory.dmp | family_meduza
behavioral1/memory/5080-54-0x0000000140000000-0x0000000140141000-memory.dmp | family_meduza

Meduza family

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
description | pid | Process | procid_target
PID 1048 created 3316 | 1048 | jjsploit.exe | 52

A potential corporate email address has been identified in the URL: httpswww.youtube.com@Omnidevcbrd1

A potential corporate email address has been identified in the URL: httpswww.youtube.com@WeAreDevsExploitscbrd1

Executes dropped EXE (5 IoCs)
pid | Process
2112 | cfg.exe
5080 | cfg.exe
1048 | jjsploit.exe
3668 | JJSploit.exe
1176 | JJSploit.exe

Loads dropped DLL (5 IoCs)
pid | Process | occurrences
1048 | jjsploit.exe | 5

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 5 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | cfg.exe
Key opened | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | cfg.exe
Key opened | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | cfg.exe
Key opened | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | cfg.exe
Key opened | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | cfg.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
1 | raw.githubusercontent.com
4 | raw.githubusercontent.com

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | api.ipify.org
6 | api.ipify.org

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2112 set thread context of 5080 | 2112 | cfg.exe | 84

Embeds OpenSSL (1 IoCs)
Embeds OpenSSL, may be used to circumvent TLS interception.
resource | yara_rule
behavioral1/files/0x001900000002ab0a-144.dat | embeds_openssl
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JJSploit_8.13.9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jjsploit.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2520 | cmd.exe
2008 | PING.EXE

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Enumerates system info in registry (2 TTPs, 9 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedgewebview2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedgewebview2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedgewebview2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

(signature name not present on the page)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe

Modifies registry class (14 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | BackgroundTransferHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | BackgroundTransferHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | control.exe
Key created | \Registry\User\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\NotificationData | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | BackgroundTransferHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache | BackgroundTransferHost.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
2008 | PING.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
3948 | explorer.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid | Process | occurrences
5080 | cfg.exe | 2
1048 | jjsploit.exe | 2
1068 | msedge.exe | 2
2428 | msedge.exe | 2
2340 | msedge.exe | 2
2280 | msedgewebview2.exe | 2
244 | identity_helper.exe | 2
6084 | msedge.exe | 2
6032 | msedgewebview2.exe | 2
4524 | taskmgr.exe | 5

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
3948 | explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (13 IoCs)
pid | Process | occurrences
2428 | msedge.exe | 11
572 | msedgewebview2.exe | 1
5848 | msedgewebview2.exe | 1

Suspicious use of AdjustPrivilegeToken (10 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4484 | JJSploit_8.13.9.exe
Token: SeDebugPrivilege | 5080 | cfg.exe
Token: SeImpersonatePrivilege | 5080 | cfg.exe
Token: 33 | 3180 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3180 | AUDIODG.EXE
Token: SeShutdownPrivilege | 1180 | control.exe
Token: SeCreatePagefilePrivilege | 1180 | control.exe
Token: SeDebugPrivilege | 4524 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4524 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4524 | taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process | occurrences
3668 | JJSploit.exe | 1
2428 | msedge.exe | 50
572 | msedgewebview2.exe | 2
1176 | JJSploit.exe | 1
5848 | msedgewebview2.exe | 2
3948 | explorer.exe | 1
4524 | taskmgr.exe | 7

Suspicious use of SendNotifyMessage (41 IoCs)
pid | Process | occurrences
2428 | msedge.exe | 24
4524 | taskmgr.exe | 17

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4068 | MiniSearchHost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | occurrences
PID 4484 wrote to memory of 2112 | 4484 | JJSploit_8.13.9.exe | 82 | 2
PID 2112 wrote to memory of 5080 | 2112 | cfg.exe | 84 | 10
PID 4484 wrote to memory of 1048 | 4484 | JJSploit_8.13.9.exe | 86 | 3
PID 5080 wrote to memory of 2520 | 5080 | cfg.exe | 87 | 2
PID 2520 wrote to memory of 2008 | 2520 | cmd.exe | 89 | 2
PID 1048 wrote to memory of 3668 | 1048 | jjsploit.exe | 90 | 2
PID 3668 wrote to memory of 3360 | 3668 | JJSploit.exe | 91 | 2
PID 3668 wrote to memory of 4844 | 3668 | JJSploit.exe | 92 | 2
PID 3668 wrote to memory of 572 | 3668 | JJSploit.exe | 93 | 2
PID 572 wrote to memory of 228 | 572 | msedgewebview2.exe | 94 | 2
PID 4844 wrote to memory of 2428 | 4844 | cmd.exe | 95 | 2
PID 2428 wrote to memory of 4640 | 2428 | msedge.exe | 98 | 2
PID 3360 wrote to memory of 1200 | 3360 | cmd.exe | 100 | 2
PID 1200 wrote to memory of 3756 | 1200 | msedge.exe | 101 | 2
PID 2428 wrote to memory of 4596 | 2428 | msedge.exe | 102 | 27

outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | cfg.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | cfg.exe
Processes
(process tree; the bracketed number is the nesting depth, children are indented under their parent)

[1] C:\Windows\Explorer.EXE  (PID 3316)
    cmdline: C:\Windows\Explorer.EXE

  [2] C:\Users\Admin\AppData\Local\Temp\JJSploit_8.13.9.exe  (PID 4484)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\JJSploit_8.13.9.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\cfg.exe  (PID 2112)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\cfg.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\cfg.exe  (PID 5080)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\cfg.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - outlook_office_path
          - outlook_win_path

        [5] C:\Windows\System32\cmd.exe  (PID 2520)
            cmdline: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\cfg.exe"
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\PING.EXE  (PID 2008)
              cmdline: ping 1.1.1.1 -n 1 -w 3000
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe

    [3] C:\Users\Admin\AppData\Local\Temp\jjsploit.exe  (PID 1048)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\jjsploit.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\JJSploit\JJSploit.exe  (PID 3668)
      cmdline: C:\Users\Admin\AppData\Local\JJSploit\JJSploit.exe
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\cmd.exe  (PID 3360)
        cmdline: "cmd" /C start https://www.youtube.com/@Omnidev_
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1200)
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@Omnidev_
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3756)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc9143cb8,0x7ffdc9143cc8,0x7ffdc9143cd8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2008)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,6908606357885577171,12873378074512035389,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2340)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,6908606357885577171,12873378074512035389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

    [3] C:\Windows\system32\cmd.exe  (PID 4844)
        cmdline: "cmd" /C start https://www.youtube.com/@WeAreDevsExploits
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2428)
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@WeAreDevsExploits
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4640)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc9143cb8,0x7ffdc9143cc8,0x7ffdc9143cd8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4596)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2012 /prefetch:2

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1068)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2852)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4856)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3180)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 564)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5292)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5328)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  (PID 244)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5752)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5932)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6084)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5156)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5848 /prefetch:8

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5996)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6012)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 724)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 576)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1471033158751014404,7155831661310222350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe  (PID 572)
        cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.7 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=3668.2612.2715568032536774523
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe  (PID 228)
          cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b4,0x7ffdc9143cb8,0x7ffdc9143cc8,0x7ffdc9143cd8

      [4] C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe  (PID 4604)
          cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1692,9078170086828757108,14829813954679393978,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2

      [4] C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe  (PID 2280)
          cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1692,9078170086828757108,14829813954679393978,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2160 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

      [4] C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe  (PID 4080)
          cmdline: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1692,9078170086828757108,14829813954679393978,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1796 /prefetch:8
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1692,9078170086828757108,14829813954679393978,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:14⤵PID:5528
-
-
-
-
C:\Users\Admin\AppData\Local\JJSploit\JJSploit.exe"C:\Users\Admin\AppData\Local\JJSploit\JJSploit.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1176 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.7 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=1176.5596.86466741189272822133⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5848 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x1c8,0x7ffdc9143cb8,0x7ffdc9143cc8,0x7ffdc9143cd84⤵PID:5628
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1776,16887473428012943946,3448836878748740754,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1732 /prefetch:24⤵PID:5992
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1776,16887473428012943946,3448836878748740754,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2032 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:6032
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1776,16887473428012943946,3448836878748740754,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2604 /prefetch:84⤵PID:3520
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1776,16887473428012943946,3448836878748740754,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:14⤵PID:3436
-
-
-
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools2⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1180
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:3000
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1580
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5020
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5180
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2976
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x000000000000046C1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3180
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2760
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1664
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:5344
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4068
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:5688
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3948 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /72⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4524
-
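The process list as exported from tria.ge is flat: the image path runs straight into the command line, the depth of each process in the tree is a single digit fused to the "⤵" marker, and the PID sits either on the same line or on a later line after the behaviour tags. The script below is an added example, not tooling from tria.ge or from the JJSploit project. It rebuilds the parent/child tree from that raw layout with a depth stack and then attributes the msedgewebview2.exe processes to the application that embeds them by reading `--webview-exe-name` from the command line, because an allow-list keyed on the browser image name would never see that the embedding host is the dropped JJSploit.exe (PID 1176). The sample lines are copied from this report with the long WebView2 command lines abridged; any process whose parent is not in the sample is reported as a root.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the flattened layout of the report above (a subset of
# its lines, long WebView2 command lines abridged): image path fused to the
# command line, depth digit fused to the "⤵" marker, PID inline or on a later
# line after the behaviour tags, bare "-" lines as bullet residue.
SAMPLE = r'''
C:\Users\Admin\AppData\Local\JJSploit\JJSploit.exe"C:\Users\Admin\AppData\Local\JJSploit\JJSploit.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1176 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.7 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --lang=en-US3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5848 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --webview-exe-name=JJSploit.exe --mojo-platform-channel-handle=2032 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:6032
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools2⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1180
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:3000
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Suspicious use of FindShellTrayWindow
PID:3948 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /72⤵
- Suspicious behavior: EnumeratesProcesses
PID:4524
'''

PROC_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\.*?\.exe)'   # image path, fused to ...
    r'(?P<cmd>(?:"|[A-Za-z]:\\).*?)'      # ... the command line (quoted or bare argv[0])
    r'(?P<depth>\d)⤵'                     # depth digit fused to the tree marker
    r'(?:PID:(?P<pid>\d+))?\s*$')         # PID may follow inline ...
PID_RE = re.compile(r'^PID:(\d+)')        # ... or sit on its own line after the tags
TAG_RE = re.compile(r'^- (.+)$')          # behaviour signature attached to the process


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    tags: list[str] = field(default_factory=list)
    children: list[Proc] = field(default_factory=list)
    parent: Optional[Proc] = field(default=None, repr=False)


def parse_tree(text: str) -> list[Proc]:
    """Rebuild parent/child links from the depth digits with a stack."""
    roots: list[Proc] = []
    stack: list[Proc] = []
    current: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '-':
            continue
        if m := PROC_RE.match(line):
            current = Proc(m['image'], m['cmd'].strip(), int(m['depth']),
                           int(m['pid']) if m['pid'] else None)
            while stack and stack[-1].depth >= current.depth:
                stack.pop()                 # climb back up to this node's parent
            if stack:
                current.parent = stack[-1]
                stack[-1].children.append(current)
            else:
                roots.append(current)       # parent lies outside the sample
            stack.append(current)
        elif (m := PID_RE.match(line)) and current is not None:
            current.pid = int(m.group(1))
        elif (m := TAG_RE.match(line)) and current is not None:
            current.tags.append(m.group(1))
    return roots


def walk(nodes):
    for node in nodes:
        yield node
        yield from walk(node.children)


def find_pid(roots, pid):
    return next((p for p in walk(roots) if p.pid == pid), None)


def lineage(proc):
    """PIDs from the outermost ancestor present in the sample down to proc."""
    chain = []
    while proc is not None:
        chain.append(proc.pid)
        proc = proc.parent
    return chain[::-1]


def find_by_tag(roots, needle):
    return [p for p in walk(roots) if any(needle in t for t in p.tags)]


def embedded_webviews(roots):
    """WebView2 hosts attributed to the embedding application named on their
    own command line, not to the browser-looking image name."""
    hits = []
    for p in walk(roots):
        m = re.search(r'--webview-exe-name=(\S+)', p.cmdline)
        if m and p.image.lower().endswith('msedgewebview2.exe'):
            hits.append((p.pid, m.group(1), lineage(p)))
    return hits


def render(roots, indent=0):
    lines = []
    for p in roots:
        lines.append('  ' * indent + f'[{p.pid}] {p.cmdline}')
        lines.extend('  ' * indent + f'    - {t}' for t in p.tags)
        lines.extend(render(p.children, indent + 1))
    return lines


if __name__ == '__main__':
    tree = parse_tree(SAMPLE)
    print('\n'.join(render(tree)))
    for pid, host, chain in embedded_webviews(tree):
        print(f'WebView2 pid {pid} embedded by {host}; lineage {chain}')
```

On the sample, the network-service process 6032 resolves to the lineage 1176 > 5848 > 6032 and both WebView2 processes attribute to JJSploit.exe; control.exe (PID 1180) comes out as a root only because its depth-1 parent is not in the sample.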
Network
MITRE ATT&CK Enterprise v15 (technique, ATT&CK ID, number of report signatures mapped to it; sub-techniques indented under their parent)

Credential Access
  Credentials from Password Stores (T1555): 1
    Credentials from Web Browsers (T1555.003): 1
  Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1

Discovery
  Browser Information Discovery (T1217): 1
  Network Share Discovery (T1135): 1
  Peripheral Device Discovery (T1120): 1
  Query Registry (T1012): 3
  Remote System Discovery (T1018): 1
  System Information Discovery (T1082): 3
  System Location Discovery (T1614): 1
    System Language Discovery (T1614.001): 1
  System Network Configuration Discovery (T1016): 1
    Internet Connection Discovery (T1016.001): 1
Downloads
-
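The entries that follow are the files written during the run, exported with their field labels fused to the values ("Filesize696B", "MD5e590...", "SHA12a18...") and in two layouts: a path line followed by a fused size, or a bare "Filesize" label with the size on the next line and no path. The script below is an added example, not tooling from tria.ge, that normalises that text into records, uses the fixed digest lengths (32, 40, 64 and 128 hex digits) to make the fused labels unambiguous, flags entries that lack a full hash set (the list is cut off after a SHA1 at the bottom of this page), and drops profile housekeeping such as the 1-byte `.tmp` under `EBWebView\Default`, whose SHA-256 is that of a single "." byte, so that what remains is fit for a blocklist. The sample is copied from entries on this page; the `TRIVIAL_CONTENTS` table is the author's own assumption about what such tiny files contain and is verified by hashing, not taken from the report.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample copied from entries in the list below. Bare "-" lines
# separate entries; the last entry is the one the page cuts off after its SHA1.
SAMPLE = r'''
-
Filesize
10.5MB
MD5e59012474c711e0db071950d859bac42
SHA12a1839c61829b70874aaecd41d76a03b8c6cb5dc
SHA2565bd65131cad50c58ae916818d54abe44c014854db770aa71a9933293939ad576
SHA51261e94c2949d9f08d2ce37dbe5687cc8ff68b274e2ee56d530870a977773a1e04ac58bca4f550887790f0d31534d862cdc869a90621c03ebf030cf73b41fd5774
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize696B
MD54ca1a1c53760ee186ee24aeec5b428a1
SHA1d269d1f39238f948b7ab2f045bbabd530d30f2cb
SHA256698321d309b74b5022aa1f5b748eb5339c2ae3f4339d04f30b59b0480280bd4f
SHA512f7787f20ea89ce7819e454b25d64f8aad66d6c042197776f4969e28adf69a8ea75af299f8e9e2235ee489e76f162fa972c31f1e4c5542268b731c05471a166a9
-
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\6776b808-2591-4a4c-9c78-2f0b2e462992.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
11B
MD5b29bcf9cd0e55f93000b4bb265a9810b
SHA1e662b8c98bd5eced29495dbe2a8f1930e3f714b8
'''

UNITS = {'B': 1, 'KB': 1024, 'MB': 1024 ** 2, 'GB': 1024 ** 3}
SIZE_RE = re.compile(r'^(\d+(?:\.\d+)?)([KMG]?B)$')
# Digest lengths disambiguate the fused labels: "SHA12a18..." can only be
# SHA1 followed by 40 hex digits, never a label "SHA12".
HASH_RE = re.compile(
    r'^(?:MD5(?P<md5>[0-9a-f]{32})|SHA1(?P<sha1>[0-9a-f]{40})'
    r'|SHA256(?P<sha256>[0-9a-f]{64})|SHA512(?P<sha512>[0-9a-f]{128}))$', re.I)

# Assumption, not from the report: contents of tiny housekeeping files that a
# Chromium-style profile writes on its own. A match is proven by hashing.
TRIVIAL_CONTENTS = {
    b'.': 'single dot byte',
    b'MANIFEST-000001\n': 'leveldb CURRENT pointer',
}
TRIVIAL_SHA256 = {hashlib.sha256(v).hexdigest(): name for v, name in TRIVIAL_CONTENTS.items()}


@dataclass
class Dropped:
    path: Optional[str] = None
    size_text: Optional[str] = None
    size_bytes: Optional[int] = None
    hashes: dict = field(default_factory=dict)

    def complete(self) -> bool:
        return all(k in self.hashes for k in ('md5', 'sha1', 'sha256', 'sha512'))

    def started(self) -> bool:
        return bool(self.hashes or self.size_text)


def parse_size(text):
    m = SIZE_RE.match(text.strip())
    return (text.strip(), int(float(m.group(1)) * UNITS[m.group(2)])) if m else (text, None)


def parse_dropped(text):
    records, cur, want_size = [], Dropped(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == '-':                        # entry separator
            if cur.started():
                records.append(cur)
            cur, want_size = Dropped(), False
        elif want_size:                        # size on the line after a bare label
            cur.size_text, cur.size_bytes = parse_size(line)
            want_size = False
        elif line == 'Filesize':
            want_size = True
        elif line.startswith('Filesize'):      # label fused to its value
            cur.size_text, cur.size_bytes = parse_size(line[len('Filesize'):])
        elif m := HASH_RE.match(line):
            cur.hashes.update({k: v.lower() for k, v in m.groupdict().items() if v})
        elif not cur.started():                # a path line precedes its entry's size
            cur.path = line
    if cur.started():
        records.append(cur)
    return records


def incomplete(records):
    """Entries missing part of the hash set, e.g. the one cut off at page end."""
    return [r for r in records if not r.complete()]


def trivial_matches(records):
    """SHA-256 -> label for entries whose content is a known housekeeping file."""
    return {r.hashes['sha256']: TRIVIAL_SHA256[r.hashes['sha256']]
            for r in records if r.hashes.get('sha256') in TRIVIAL_SHA256}


def sha256_blocklist(records):
    """Fully hashed entries minus housekeeping noise, ready for a blocklist."""
    noise = trivial_matches(records)
    return sorted(r.hashes['sha256'] for r in records
                  if r.complete() and r.hashes['sha256'] not in noise)


if __name__ == '__main__':
    recs = parse_dropped(SAMPLE)
    for r in recs:
        print(r.size_text, r.path or '(no path)', 'complete' if r.complete() else 'INCOMPLETE')
    print('noise:', trivial_matches(recs))
    print('blocklist:', sha256_blocklist(recs))
```

Matching is done on SHA-256 only; the MD5 and SHA1 columns are carried along for tools that still key on them, but a 1-byte file collides with nothing useful in any of them and is dropped rather than shipped as an indicator.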
Filesize
10.5MB
MD5e59012474c711e0db071950d859bac42
SHA12a1839c61829b70874aaecd41d76a03b8c6cb5dc
SHA2565bd65131cad50c58ae916818d54abe44c014854db770aa71a9933293939ad576
SHA51261e94c2949d9f08d2ce37dbe5687cc8ff68b274e2ee56d530870a977773a1e04ac58bca4f550887790f0d31534d862cdc869a90621c03ebf030cf73b41fd5774
-
Filesize
311B
MD584095feb496d351b9c80e926938f9ca8
SHA1d8ac99f45d8420698809521a4c1a30e954f118da
SHA2561ee333036765e94b9f6975a2cfb6a799c42b3357078b424753f6aa61b225e54b
SHA512347ef12c4f1849a5455014413097ea6d7a6406b36027da4734afad736a5581c6068dd4878aeab02843abbc1e1cfdb37f34c167b4886c8644ad8778e592393e10
-
Filesize
4.5MB
MD5a9c1f7ca15c65c139bc9d4bf57df2e1e
SHA11b1377139a6b289d43a6b1161cd1089ffc817cf9
SHA25603ec9292dcdfda520638490e11baeefff5ab1b6eb22feb90a22fc771272ce116
SHA51297f8745dba6330c196de9b822638bfe7f74a86bdcb6726f4bd1d3d917de54f9abcb05163c42255173eac3bde995f0d611af718dbcc0de432b67666bed0c0b073
-
Filesize
802KB
MD551b0d5f42a82f6fa8739b403e9b8b81c
SHA175968c157628bb7aca9b5f2331f7a0c9a1d28865
SHA2560bda7daeb4040c722b8c287dfd2307c9b8228576db1dbbbaac901c35cc8dc62b
SHA51294fba90ad7bcf190079089dcc3af97c598c016eb359fe4d2ea439b5fbcd4a5489ab4422652223926aae64002beef1368d5b95874f68a2e5bc4971b4f9604d814
-
Filesize
74KB
MD5fcbc4b016ca7164b57d332d4012f3b85
SHA1b1f8ca1824216100edba1bf52c4a953335e277fd
SHA25611a861694c2a3cce1e14020ffd46aef7dbcee861763203c5aebe8f4fa1cfba3b
SHA5125b5569ab94108f535345d6b71c105222daebbe34d2132ff1f03df84151c3b7488f0f6cda7bb054694bbc58234e709a6069bfdd9239076395b4a823f2d8848b3a
-
Filesize
46KB
MD5249a5f6ca047df2a2f802782696c7f80
SHA16a1d96be0f497d689fb55de70284af83cac61f52
SHA2562828e3014c3283caeb1b00d14145a42f4e347e7f547b40634540394892265671
SHA512d2d0b6ba2ec95c33609d98788e5a4cce382d93721ea5dea61cde3f4c065b06530a0b01ae4909f7883a81d55529a36cb6a5820aa2afc320b5761f6f59a3a45f1f
-
Filesize
638KB
MD521dfe873f6ed38f2f713ecd43ad1ba41
SHA17648cb043587da0e85743f9da8dca8be621ccdf0
SHA2562a2d63c48b6b3ac7768231ade30122c94a0a33e62e5d2725e11c95b3194aa997
SHA51267b4f976f3511387ce2a4743e2281ac88533bd204d4e07a5c6751f0ec30a3463dfabcda18103a632541ec2a8b7b937806121e21e44959411c39106e22b739919
-
Filesize
152B
MD51fc959921446fa3ab5813f75ca4d0235
SHA10aeef3ba7ba2aa1f725fca09432d384b06995e2a
SHA2561b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c
SHA512899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06
-
Filesize
152B
MD5e9a2c784e6d797d91d4b8612e14d51bd
SHA125e2b07c396ee82e4404af09424f747fc05f04c2
SHA25618ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6
SHA512fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize696B
MD54ca1a1c53760ee186ee24aeec5b428a1
SHA1d269d1f39238f948b7ab2f045bbabd530d30f2cb
SHA256698321d309b74b5022aa1f5b748eb5339c2ae3f4339d04f30b59b0480280bd4f
SHA512f7787f20ea89ce7819e454b25d64f8aad66d6c042197776f4969e28adf69a8ea75af299f8e9e2235ee489e76f162fa972c31f1e4c5542268b731c05471a166a9
-
Filesize
3KB
MD598cd7dc3b08e4d0fae62f197a13a6645
SHA11a8620247793bdf6a81fcae6de7657aff34c13a3
SHA2569b4818216142cadfd46425f42aa337ac95182d0aab67f83f098007ef131a5ede
SHA5121cba5e63c7ec9629a683e691f1989fe1ce222b6bcd24d4d8311f9296a82e3f80d2f10264bfc179b1e75e5dd388dd7ed5b1405bdd4f4118978b29824a52640c1f
-
Filesize
7KB
MD5c4435363b5ee72c55bd8d5b09ebf7243
SHA1d2d4b4e84887135055f26fd39b3b7576d4f5980e
SHA2563821a0b15b8e0a29256eaffc659e45b44d2b9deb7b29a00795c41e07bf845abd
SHA5121e6c93a5df1851f8a8d2ba5daa36897728d22ad50e23bd85414c311fa09b938276baf42eadfd6942789c514e141f796a59b442239c18e353c1b87c9c766ff179
-
Filesize
5KB
MD5df8a8b9ebb99ff5a0d35a7a37ad80a57
SHA1173de0906baabe7fba0885f3f4da57c9d20cee3c
SHA2565b08282ec39145df5ea4dd131f557c0acf68b4e9f3a7635d8d66454f4b1252ab
SHA512ec5ab45a2e266493e9c5db5fc1c1bcbb0d0cfe91dc356d80d3a73c4afea6978e5e7b6b508f28134ee179ac504039b4b7a86cbba0c0c5f3660799925ed1185aa8
-
Filesize
6KB
MD5ecaa5275c3f8115f08457a51316503d7
SHA1f4df6455db32d7b8ea8c679e71a23659ebb95ca5
SHA256811b23db940b7a28a0b6612315550160439c91eae2b7b3689735af28801a8c70
SHA512f85c152294f859cac5847424ff339b554790357fbe737f2e37416ae34ceff6e335c896fcfe2cabec4e07ccfe8d6e6b1cd211214bed07ee99a8b98e35a2e529d5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\57c68ec3-e0b2-4f40-a429-f5f67a9de2bb\index-dir\the-real-index
Filesize624B
MD5c36d0541d8e8407278f41bdcfb106a9d
SHA16457d2a7a8669859a5d851a6c2de7c543286cdf6
SHA256e4fb3fc246324c553d14020b24f7250c8658c3c44b573f0dc2eb6e1bfc63eb08
SHA512784b794273789a31c3a63dbadee5d9adf24a850ab9368a7e6fd367231c00f3bf023f32381d3a3954b65cd2f3da98485fc10003dd71baee1332c48598ec9f1c3b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\57c68ec3-e0b2-4f40-a429-f5f67a9de2bb\index-dir\the-real-index~RFe582a86.TMP
Filesize48B
MD5ec27773510531bd7acde4615a2e18cc3
SHA18ced88d88e1e4beefb0c5bc77fb15e4926282812
SHA2564ae95b729e4e39f2b318ee56581aa495d0ac226b7f79dc03adbcba337cd2671d
SHA512006a7d1054513c613bebfed2645620a869a442faed49d32be6dd9634d4d0394c8cad08dbb98d7441439795cbc56eb89623ec8016d0223c4955fe14b61183d95f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\63cf2a5b-b23e-4b5e-b56e-de595d68aac7\index-dir\the-real-index
Filesize2KB
MD59d346a2f4131d816592326cd90604ff7
SHA10b2cda22ca455a3c4dcd4fa3ff6880c5c21f6e8c
SHA25685837894a03c7d1d03de8fa23093bf5cb7caab97c6ae010a723028bf3d7c729c
SHA512e05ef910622d439af81abf5fa11b5568206d3aabd878ba16b2cf8e481237d9e7a3bf411a8e379c5bef8c06cd80203d56faa8fa145a5b5dc08249b68e458b073b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\63cf2a5b-b23e-4b5e-b56e-de595d68aac7\index-dir\the-real-index~RFe582a86.TMP
Filesize48B
MD5ea8c6f6027ded0ffa3397207e27164d9
SHA135fad11e75466a62ac3ff9e6db78ad0c5e2fff6c
SHA25634ce0a9fe2cc1ea47e63ae7dcc1ecd3b437d17aee3f461d420579df03820b2cd
SHA51217fd7f06482c8d3f9b609e489b65efb70a8ceb38f127e928abba04d77a78761909ec4ad5351e471223a5e1797098127de9da930574ec6ec1c99e5eaf29e8fa96
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize146B
MD52c0de6b3b854360ba0208ca57d35b4e7
SHA10bf28e46da37e185edc7d51b9e0c5c357339b7b0
SHA256166d549227ac166684b4c4c99534acb6206563845049030d307818d94624437c
SHA51223977df66df1ac2f5b205044fa596a8cb3b4ee4f46a68f62e3c14b3d129ca57d74b1ecf0042aef873f0fe83e4bba18efbf5061d5a21247626775d8dfd5e40f97
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize155B
MD5e37760b5531536ad830484221981fc9d
SHA131b134b3b8ddc0c7cad0d8654d3f883ce210aa1f
SHA25633b3d6975d7402c2776cf8bfde03733405244d392af92e05647caa0d02c686c0
SHA51279811054781dbee0b56276cd0e5fa81bca3cced4df8c5715e89bb68e2f1f5c9e8eb1fe37ee9afc70ab82e3cd6ec51512c48f361440b7e42f82bd730eb10a8dc1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize153B
MD5b33b663746af0732eeb94c35350fad7c
SHA1c9a151310858f072d0c580c57b65646c865dcc56
SHA256aa0607cd2a284b0f2b7648148e3f73997bb893345ba2cbb232e40a4025fbebf7
SHA512ad557d50e4f8dc7e26af825372efb3bc020921963a4c3d27f824a1ab6834ca026751bcfe75f292059a1a264fbd5820f08857670469923b268fc6f691c7931a7d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize89B
MD54a60e0f5742ecb2659e89b19f5a6b4f8
SHA1498d63e48b587c39e9a079e3e487ed6b95d48554
SHA256213223f459f1f21976e3c48b77cf6fded8ab612e4e342feda67f678002aa3c87
SHA5127902ab0c68d18c8a695fe0e0024e958994f84ac22bf1baa1ed57c07b252c3093de6d1825c438a40cf6cb9b6388209489d2ddb1a3450fa5ef29f30b4f9b69136a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize82B
MD53ee2fc0e3fb15bf69700dd41a4016927
SHA14ad8cceec63b46b13c77d13a81d4aa00f397d30a
SHA25662b6f3a36fea6dd6e55ff416088f7b8129582db30eef458528138efb8e56bf3a
SHA512999dbdaadb94e0b77a92730c14333a9e4f9d15e14488702d94fd7f5db547663e5670aacb1e18b56cfc7d6631f977d4f57f347484ed700ba38f6cbc99a1b4eb3a
-
Filesize
24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize96B
MD57929d496bf4233148484aa579c3afd60
SHA1168938290897ce26307b32c9e2b4c1493f7abe8d
SHA2566b5c604196d69da407418ad3e29517cdca9f229754cfbf11cc9b507ba2dac214
SHA512f214349ef224b3e156fda18e2add8c735032aefd5e44cb6209439cc37fb43119571b3d940ceabf0c086a6a782acae1c6954f7a06bef92fdf6db4cbd2e48f8794
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582a86.TMP
Filesize48B
MD578f1734708286d648af7a670951ce368
SHA16e23375cbf0afd45798093020c1745493ce4c4a0
SHA2569d3dc1fc4cdf23bc549c97a5508977b33234c75ed257cdca23aa6fe1b6ba0220
SHA512cd62cac58fa99c7be0ca0feff3ebf498ead5a36a1118528a6feaf7ce36b8b1251151d3b3aaa2139ae8c2e5cec0fca0bd0ce6fae38dccbf026f909a307e452575
-
Filesize
706B
MD5896a0b8722f15e807c50fdf4cdef53dc
SHA18bf1a77abf0104bdc3d9fb11defaa839171eca1c
SHA256789cde0fbb8661de60309b13bde61f732128e0ff55e91140fc13590fb24326ac
SHA51220850320f7ed0e62212a5fe59cf4713fc13c47a9f2d4a3725763096487d50dbb20eda056c3b30365ddc64ca7bd887b98abdac7f01ddc1465e69c9bbdec97d543
-
Filesize
539B
MD506468b44c69200b36667ccb8970a9cde
SHA1a319d4da100921153e19c17991a2e6e3fbebaeba
SHA2562ffc3bc879f3009a6eb2d541781668064bcabbc9e9188d3fcb4ca7d36ea41301
SHA51232ff65484f957e4496204cfcabf3206998bdfcb3829cbacd8b84b9e1a61d16bf61fb942425ea7a0cb5019014bdbd2da875c0d7c647e56daabcdda438813b11c2
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD579d2bd27e8f03a0afdea81148163b024
SHA181e5b441846668ec569f3db7c4f831e5192ece2f
SHA25600b177ac80617c525e26aad732edb2a71e9e5d13fb74f1c8289540a85f2ac424
SHA51207ea882cc1eb5f55e6bf85d610490322330bde7f58ff55d1d9927442c771dbe411c66246bb519881d6cb85cba18c27354bd447815117ac4001ab574447d90b79
-
Filesize
10KB
MD57c176feabf38c6ddb2bf33c6b38c0b45
SHA1498c41ac620b93b4e0441b7e1422885eeabf0058
SHA256eee225c1dd69493e727bef2203ce491ea585390f2bfa302b789279f6358eb00a
SHA5123a5f87debdddd1196d3883766f36f5d93569e356aa7405bf1f63e2b784f0608eaa78563fef0065e0ae9403cd7c53a6ac29731146ad107a67e7d85a82fec9207f
-
Filesize
10KB
MD5b9564f02187c74d176b4bc217528d49c
SHA1c02df80992e94154c76ee117e9acca219ec81c3b
SHA2562ad870c1cc85be960cd2290e306106650bb75a520826ed1f7ddac7a1fb08a04f
SHA512ad4092d2fd78abefd5846240d275f27889efa05cc1e48718750ab3d6a536dcbefcba340300582e89e8c8a0c979a6fc56635d1d014a78fd83bfb31203db4adcb3
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\fb676f46-09a3-4521-b920-d17ee1af0ad2.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize10KB
MD5f24fe7c14f9218ff3d8b52153b2711b5
SHA1a7820f3643c6484aee7d2e3a33a53750c4a92647
SHA2566ca7e0bf19f39e8a61c1fbbb68632a026f582f225b56d42124ff84db3a3d7598
SHA5127fe07b07f8f5f2915a2a352008491fa268530de47b0d90beb3f1a3295ad8bc499813c15d024952612b7466fbe83f569242052cc6d7e13ce920e96b57f21882f5
-
Filesize
3.1MB
MD58edff3f58df24723f285aa113ba3da4b
SHA1d9ffc44beab78fcf6910e6a55d9b888183967e05
SHA25682c1101855adff990a1a5e6dcf6bdc32103088007b1f5f1ea52d8e765fbb3ad3
SHA512a4b66616ee05f8eb2bf9bb091d3eb0d960fd3eadab3efde6b5121ff1eac90da888e7582a7f409b00ff0aa2642d490d71a4d0ca12705116691db16130e08dfe9d
-
Filesize
5.7MB
MD587bece829aec9cd170070742f5cc2db7
SHA10a5d48a24e730dec327f08dfe86f79cc7991563e
SHA25688a19d3e027158e8c66d5068303532a0d56a700f718db80aa97e5e44f39bf4a4
SHA512198c80d4b430a38ac597ff9023128cdbc9d2891097beef239721c330c75a412c0bdb87a4bfb0609db94f320655f3df1fab7d885843c0af40687e46ddcc88c9d1
-
Filesize
7KB
MD5d070f3275df715bf3708beff2c6c307d
SHA193d3725801e07303e9727c4369e19fd139e69023
SHA25642dd4dda3249a94e32e20f76eaffae784a5475ed00c60ef0197c8a2c1ccd2fb7
SHA512fcaf625dac4684dad33d12e3a942b38489ecc90649eee885d823a932e70db63c1edb8614b9fa8904d1710e9b820e82c5a37aeb8403cf21cf1e3692f76438664d
-
Filesize
12KB
MD5cff85c549d536f651d4fb8387f1976f2
SHA1d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA2568dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
-
Filesize
25KB
MD5cbe40fd2b1ec96daedc65da172d90022
SHA1366c216220aa4329dff6c485fd0e9b0f4f0a7944
SHA2563ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
SHA51262990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63
-
Filesize
9KB
MD56c3f8c94d0727894d706940a8a980543
SHA10d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA25656b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA5122094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355
-
Filesize
29KB
MD58def0196223484f8aed4106148dd3f08
SHA1e0fc0951deb0e5e741df10328f95c7d6678ad3aa
SHA256c0f2b928bc4c81cc5ca30a8932a6dc8cd617dd016679c057e23355fe732b2333
SHA5129ffa66181bce5aa5210da0fe5edc6c80aa9e46e2bd1fafd840f468965f4d06bc03f9a77e04b975ffc9f25c886c274196e3fedae6cfb57f366ef39f1e31e1ada7
-
Filesize
2KB
MD53a2ddf8cdcde3dcd2edb235ccc656c10
SHA157e333b57b781b92518b3aa18ac41f9b9824eee4
SHA256c7b786cf32ea05d99c211503413470e66808f958b058d740b34ca39ef47a2af2
SHA512e83543ad61ec7ebb5428203a649edef88a30e45835f37b1d33a9c69089c088e8859b69c5d6a210c55d3656a5d258f786ca71eb5938627bb1b25bd4f93aba5fa8
-
Filesize
152B
MD545286d28a9a14198ef7e1e3e1a125b02
SHA11250bdc0beb90dfdc39684e326a1373619a6c1de
SHA25658a33745e60068e507fd45d6cceb98bd5eb1433c8be0966ff8daf35f0f921a64
SHA51260ac23b0089e628bc633dc71219c82c0d43d4180b27963535cd61f1282607a20d1a8f126dc60cc2b943d652d7c0e9cb48073694858e8306919ef78f260725777
-
Filesize
152B
MD50ae92558477818299615c3bb12f00286
SHA1026e2ba450bcfc0b3182f0bcde435b9cad3ac1b1
SHA25616b1b33c15842da9becf6a2e2d82d4bff9e8b7a9475d5c1e37de6fa935d04ec0
SHA5125dee49a4cf707ab47a060fb8a37d504def1b0297cff669a7ea8d2853fdb404f15215cb284ef12f86478494f45870cd689f9efc811065088e7e076069aae1e01a
-
Filesize
20B
MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\6776b808-2591-4a4c-9c78-2f0b2e462992.tmp
Filesize 1B
MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\7c92bbd4-f8c9-4ec6-a07e-3a73eff69811.tmp
Filesize 61B
MD5 4df4574bfbb7e0b0bc56c2c9b12b6c47
SHA1 81efcbd3e3da8221444a21f45305af6fa4b71907
SHA256 e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377
SHA512 78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a
-
Filesize 8KB
MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize 8KB
MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize 8KB
MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize 3KB
MD5 80866b9a483d195e3d7ccf68ef3837ad
SHA1 f5ff53c45b580d4521c261598dddd186576cd0a8
SHA256 2b2b415a3fe190157476e4aa11654cfdde1e85783e68bee0446fceb27e1d8c28
SHA512 647f5403c7bf0cea730e4a4d450012723da79ca401cc06858ff7114f780d2fad52d9cfeafa68890ac2971a2d25c271b1f62a07f6435a6396b2eed55027f74b8a
-
Filesize 3KB
MD5 44ba65cb989d7ef8637a4b9a7454383b
SHA1 67f6dc9ff05604dcd19ab03cd3b2a021560f4620
SHA256 01c9b2443d23595bf765bd799cecc3bf6e852faac90d6f53c8e0f37fdbe1cd96
SHA512 b2b6b70616b5d2f0df0b744b86dc243aba381d33f5d947564f3597b9f56cce4bf807070e5cd2224054bc6f517688715a58123a7310de443cec2beaec9423c568
-
Filesize 8KB
MD5 4d41d51a03fbeebfe7f37f1f943d1314
SHA1 e631a31a604a30ecc43b9524170afdcdb1ad0db5
SHA256 87d4e7e592ced746542c46fb714a3d28eca7335785406db450f084d819ed55af
SHA512 6c68a669a715abc520d77cabb064ddb21c5bb367fecd742d4ae0dfce9e81823f1e2853b2141f93a62529f607726e8bcbb861826cce806512250ef74487a776a4
-
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Site Characteristics Database\MANIFEST-000001
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize 11B
MD5 b29bcf9cd0e55f93000b4bb265a9810b
SHA1 e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256 f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512 e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011
-
Filesize 2KB
MD5 f33a1a521da7c243905ef90246a73802
SHA1 2900a289ddc189756331e04b3e977453bde62751
SHA256 9472634766ecb9baa533ee457e648102c037e015371fa3705713f8b1b342c667
SHA512 8a64ce74397665dbadc0b2bac51c8b3e879d0d48aa94d87b8786de418db4d8793bfe12f5078b53689f55a6e79f7cc66888c4cceb6f8ed0c66ba348d932c51906
-
Filesize 256KB
MD5 3162784c0e60882c6903cd045bdf30b8
SHA1 7fd8f2e6342a9162db6427d75ca8788e29b513cc
SHA256 27857612d757f0e96bcb8319255ff69f51fa897f9de4ebd0c479f797680e1b6e
SHA512 4ab259ee4a255c8e275e53c2a89421bb7eee89e493af754038689d356706635b8d461bdae648e4ef96e43fa846d2dc0a1eb8087804e96399708455b5dd4e2802
-
Filesize 54B
MD5 41dea3a16884a8a050f599c1b3d3dbf5
SHA1 0d1893892dd3a5211b8dc4b66efae5d3f2c82689
SHA256 e14fda8dd813d96cdeb51cff4e4a5c8dc636b72b7fb075902d88ab587bf19466
SHA512 2c2a88c7d0fa9f32893449d5d8ae0d148793974c0e9f979be1221dce3b7c86a0bc02f3575bd5d2010e0fad20fb9730f707cdddd99fa922b8de67d9f1e7529cb2