Analysis
- max time kernel: 899s
- max time network: 901s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 24/01/2025, 02:03
Static task: static1
Behavioral task: behavioral1
Sample: JJSploit_8.11.0_x64_en-US.msi
Resource: win11-20241007-en
General
- Target: JJSploit_8.11.0_x64_en-US.msi
- Size: 5.1MB
- MD5: fe0b64b5c6ffe422676ae7216c2d38c9
- SHA1: 51350ac5ce079cbe741bd48d6462075b7c23adef
- SHA256: f95043eed6a9f827ebd2e46493343a8f734378ecd6022975455ae01334c52749
- SHA512: 055ddc9f124ae2cab6ff2d1e1a6f927b088417beb1e813e09a791289ea1e5666c258d48d1ae7aa12ac5c7932cfed888524c89c1b2d01dfe7bee00cba5f6b5b56
- SSDEEP: 98304:ST4zeG7P2hdWkNAQGmtuNQmPan/7BYUlZ9dso1Y8Vk18urY46wGIrSv8m:ST4qG7P2hd7/IQNpdsojY8ur2Ir
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Badrabbit family
-
Blocklisted process makes network request 13 IoCs
flow | pid | Process
325 | 1464 | rundll32.exe
338 | 1464 | rundll32.exe
350 | 1464 | rundll32.exe
362 | 1464 | rundll32.exe
373 | 1464 | rundll32.exe
385 | 1464 | rundll32.exe
396 | 1464 | rundll32.exe
407 | 1464 | rundll32.exe
419 | 1464 | rundll32.exe
430 | 1464 | rundll32.exe
442 | 1464 | rundll32.exe
453 | 1464 | rundll32.exe
465 | 1464 | rundll32.exe
-
Downloads MZ/PE file
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
33 | raw.githubusercontent.com
85 | raw.githubusercontent.com
-
Drops file in Program Files directory 22 IoCs
description | ioc | Process
File created | C:\Program Files\JJSploit\resources\luascripts\general\aimbot.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\general\teleportto.lua | msiexec.exe
File created | C:\Program Files\JJSploit\JJSploit.exe | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\general\multidimensionalcharacter.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\general\god.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\general\noclip.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\jailbreak\policeesp.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\beesim\autodig.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\animations\energizegui.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\jailbreak\removewalls.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\jailbreak\criminalesp.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\general\tptool.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\general\chattroll.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\animations\dab.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\animations\levitate.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\general\magnetizeto.lua | msiexec.exe
File created | C:\Program Files\JJSploit\Uninstall JJSploit.lnk | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\jailbreak\walkspeed.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\animations\walkthrough.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\general\infinitejump.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\animations\jumpland.lua | msiexec.exe
File created | C:\Program Files\JJSploit\resources\luascripts\general\fly.lua | msiexec.exe
-
Drops file in Windows directory 25 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIEDEA.tmp | msiexec.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
File created | C:\Windows\SystemTemp\~DFFB5F83BC14025F26.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\{7136C1A1-44B0-43CC-886F-011EAFEC4123}\ProductIcon | msiexec.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File opened for modification | C:\Windows\7D65.tmp | rundll32.exe
File opened for modification | C:\Windows\Installer\e57ec63.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\SourceHash{7136C1A1-44B0-43CC-886F-011EAFEC4123} | msiexec.exe
File created | C:\Windows\Installer\{7136C1A1-44B0-43CC-886F-011EAFEC4123}\ProductIcon | msiexec.exe
File created | C:\Windows\SystemTemp\~DFEF62B0D37DBC5E85.TMP | msiexec.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
File created | C:\Windows\cscc.dat | rundll32.exe
File created | C:\Windows\Installer\e57ec63.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\SystemTemp\~DF322282F3ED69E2B6.TMP | msiexec.exe
File created | C:\Windows\Installer\e57ec65.msi | msiexec.exe
File created | C:\Windows\SystemTemp\~DFBDE210150523A5AA.TMP | msiexec.exe
File created | C:\Windows\dispci.exe | rundll32.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
-
Executes dropped EXE 5 IoCs
pid | Process
4956 | JJSploit.exe
4228 | BadRabbit.exe
4624 | 7D65.tmp
3068 | BadRabbit.exe
1580 | JJSploit.exe
-
Loads dropped DLL 4 IoCs
pid | Process
5000 | MsiExec.exe
5000 | MsiExec.exe
1464 | rundll32.exe
1420 | rundll32.exe
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier | msedge.exe
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
4116 | msiexec.exe
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FileCoAuth.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BadRabbit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BadRabbit.exe
-
Checks SCSI registry key(s) 3 TTPs 11 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000fe04b3d77c703a960000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000fe04b3d70000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900fe04b3d7000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dfe04b3d7000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fe04b3d700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
-
Enumerates system info in registry 2 TTPs 15 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedgewebview2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedgewebview2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
-
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
-
Modifies registry class 31 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA\1A1C63170B44CC3488F610E1FACE1432 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\SourceList\Media\1 = ";" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\Clients = 3a0000000000 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\ProductIcon = "C:\\Windows\\Installer\\{7136C1A1-44B0-43CC-886F-011EAFEC4123}\\ProductIcon" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1A1C63170B44CC3488F610E1FACE1432\MainProgram msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix BackgroundTransferHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet 
Settings\Cache\Cookies\CachePrefix = "Cookie:" BackgroundTransferHost.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache BackgroundTransferHost.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings taskmgr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1A1C63170B44CC3488F610E1FACE1432 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1A1C63170B44CC3488F610E1FACE1432\External msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\Version = "134938624" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1A1C63170B44CC3488F610E1FACE1432\ShortcutsFeature = "MainProgram" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1A1C63170B44CC3488F610E1FACE1432\Environment = "MainProgram" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\Language = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1B5BE67603097495AB20AEE6179D01CA msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" BackgroundTransferHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\ProductName = "JJSploit" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\PackageCode = "E65E3B24852C218408C1893713A723EE" msiexec.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\SourceList\PackageName = "JJSploit_8.11.0_x64_en-US.msi" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\AuthorizedLUAApp = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1A1C63170B44CC3488F610E1FACE1432\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe -
NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 113617.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier | msedge.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1916 | schtasks.exe
2924 | schtasks.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2948 | WINWORD.EXE
2948 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1948 msedge.exe 1948 msedge.exe 4740 msedge.exe 4740 msedge.exe 3592 msedge.exe 3592 msedge.exe 2448 msiexec.exe 2448 msiexec.exe 4260 msedgewebview2.exe 4260 msedgewebview2.exe 1620 msedge.exe 1620 msedge.exe 3964 msedge.exe 3964 msedge.exe 3928 identity_helper.exe 3928 identity_helper.exe 4736 msedge.exe 4736 msedge.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2416 msedge.exe 2428 msedge.exe 2428 msedge.exe 1464 rundll32.exe 1464 rundll32.exe 1464 rundll32.exe 1464 rundll32.exe 4624 7D65.tmp 4624 7D65.tmp 4624 7D65.tmp 4624 7D65.tmp 4624 7D65.tmp 4624 7D65.tmp 4624 7D65.tmp 1420 rundll32.exe 1420 rundll32.exe 4988 taskmgr.exe 4988 taskmgr.exe 4988 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs
pid Process 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 1964 msedgewebview2.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 2336 msedgewebview2.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4116 msiexec.exe Token: SeIncreaseQuotaPrivilege 4116 msiexec.exe Token: SeSecurityPrivilege 2448 msiexec.exe Token: SeCreateTokenPrivilege 4116 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4116 msiexec.exe Token: SeLockMemoryPrivilege 4116 msiexec.exe Token: SeIncreaseQuotaPrivilege 4116 msiexec.exe Token: SeMachineAccountPrivilege 4116 msiexec.exe Token: SeTcbPrivilege 4116 msiexec.exe Token: SeSecurityPrivilege 4116 msiexec.exe Token: SeTakeOwnershipPrivilege 4116 msiexec.exe Token: SeLoadDriverPrivilege 4116 msiexec.exe Token: SeSystemProfilePrivilege 4116 msiexec.exe Token: SeSystemtimePrivilege 4116 msiexec.exe Token: SeProfSingleProcessPrivilege 4116 msiexec.exe Token: SeIncBasePriorityPrivilege 4116 msiexec.exe Token: SeCreatePagefilePrivilege 4116 msiexec.exe Token: SeCreatePermanentPrivilege 4116 msiexec.exe Token: SeBackupPrivilege 4116 msiexec.exe Token: SeRestorePrivilege 4116 msiexec.exe Token: SeShutdownPrivilege 4116 msiexec.exe Token: SeDebugPrivilege 4116 msiexec.exe Token: SeAuditPrivilege 4116 msiexec.exe Token: SeSystemEnvironmentPrivilege 4116 msiexec.exe Token: SeChangeNotifyPrivilege 4116 msiexec.exe Token: SeRemoteShutdownPrivilege 4116 msiexec.exe Token: SeUndockPrivilege 4116 msiexec.exe Token: SeSyncAgentPrivilege 4116 msiexec.exe Token: SeEnableDelegationPrivilege 4116 msiexec.exe Token: SeManageVolumePrivilege 4116 msiexec.exe Token: SeImpersonatePrivilege 4116 msiexec.exe Token: SeCreateGlobalPrivilege 4116 msiexec.exe Token: SeCreateTokenPrivilege 4116 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4116 msiexec.exe Token: SeLockMemoryPrivilege 4116 msiexec.exe Token: SeIncreaseQuotaPrivilege 4116 msiexec.exe Token: SeMachineAccountPrivilege 4116 msiexec.exe Token: SeTcbPrivilege 4116 msiexec.exe Token: SeSecurityPrivilege 4116 msiexec.exe Token: SeTakeOwnershipPrivilege 4116 msiexec.exe Token: SeLoadDriverPrivilege 4116 msiexec.exe Token: SeSystemProfilePrivilege 4116 
msiexec.exe Token: SeSystemtimePrivilege 4116 msiexec.exe Token: SeProfSingleProcessPrivilege 4116 msiexec.exe Token: SeIncBasePriorityPrivilege 4116 msiexec.exe Token: SeCreatePagefilePrivilege 4116 msiexec.exe Token: SeCreatePermanentPrivilege 4116 msiexec.exe Token: SeBackupPrivilege 4116 msiexec.exe Token: SeRestorePrivilege 4116 msiexec.exe Token: SeShutdownPrivilege 4116 msiexec.exe Token: SeDebugPrivilege 4116 msiexec.exe Token: SeAuditPrivilege 4116 msiexec.exe Token: SeSystemEnvironmentPrivilege 4116 msiexec.exe Token: SeChangeNotifyPrivilege 4116 msiexec.exe Token: SeRemoteShutdownPrivilege 4116 msiexec.exe Token: SeUndockPrivilege 4116 msiexec.exe Token: SeSyncAgentPrivilege 4116 msiexec.exe Token: SeEnableDelegationPrivilege 4116 msiexec.exe Token: SeManageVolumePrivilege 4116 msiexec.exe Token: SeImpersonatePrivilege 4116 msiexec.exe Token: SeCreateGlobalPrivilege 4116 msiexec.exe Token: SeCreateTokenPrivilege 4116 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4116 msiexec.exe Token: SeLockMemoryPrivilege 4116 msiexec.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4116 msiexec.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4116 msiexec.exe 4956 JJSploit.exe 1964 msedgewebview2.exe 1964 msedgewebview2.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 4740 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 1620 msedge.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
2948 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2448 wrote to memory of 5000 2448 msiexec.exe 81 PID 2448 wrote to memory of 5000 2448 msiexec.exe 81 PID 2448 wrote to memory of 5000 2448 msiexec.exe 81 PID 4740 wrote to memory of 4748 4740 msedge.exe 85 PID 4740 wrote to memory of 4748 4740 msedge.exe 85 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 
4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 4108 4740 msedge.exe 86 PID 4740 wrote to memory of 1948 4740 msedge.exe 87 PID 4740 wrote to memory of 1948 4740 msedge.exe 87 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 PID 4740 wrote to memory of 692 4740 msedge.exe 88 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\JJSploit_8.11.0_x64_en-US.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4116
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2448
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding AA6FD87E44806D0631DBBA1B1E4481EE C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 5000
    - C:\Program Files\JJSploit\JJSploit.exe
      Command line: "C:\Program Files\JJSploit\JJSploit.exe"
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      PID: 4956
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=8.11.0 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=4956.388.2355318010049260883
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        PID: 1964
        - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
          Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x114,0x7ffc4b7c3cb8,0x7ffc4b7c3cc8,0x7ffc4b7c3cd8
          PID: 1104
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1820,14396412720108111677,8206357795915422369,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.11.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:25⤵PID:4208
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,14396412720108111677,8206357795915422369,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.11.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1932 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:4260
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,14396412720108111677,8206357795915422369,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.11.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2372 /prefetch:85⤵PID:4456
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1820,14396412720108111677,8206357795915422369,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.11.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:15⤵PID:3728
-
-
-
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:4260
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:4492
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc4b7c3cb8,0x7ffc4b7c3cc8,0x7ffc4b7c3cd82⤵PID:4748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,5785564146204634042,5949706485008930421,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:22⤵PID:4108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,5785564146204634042,5949706485008930421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,5785564146204634042,5949706485008930421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:82⤵PID:692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5785564146204634042,5949706485008930421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:12⤵PID:2928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5785564146204634042,5949706485008930421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵PID:5112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5785564146204634042,5949706485008930421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:12⤵PID:2148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,5785564146204634042,5949706485008930421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:12⤵PID:4268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,5785564146204634042,5949706485008930421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3592
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3632
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3604
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:1816
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1672
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1060
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1620 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffc4b7c3cb8,0x7ffc4b7c3cc8,0x7ffc4b7c3cd82⤵PID:1360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:22⤵PID:2928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:82⤵PID:1852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:12⤵PID:4196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵PID:3720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:12⤵PID:3948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:12⤵PID:2080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:12⤵PID:1480
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1908 /prefetch:12⤵PID:4408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:12⤵PID:4060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5700 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:12⤵PID:2752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:12⤵PID:2388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:12⤵PID:4860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:12⤵PID:2832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:12⤵PID:2384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:12⤵PID:2116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:12⤵PID:4716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5944 /prefetch:82⤵PID:3488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:12⤵PID:1956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:12⤵PID:3944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:12⤵PID:1932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6864 /prefetch:82⤵PID:4724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,12938734904801500259,18086728106558120411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2428
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"2⤵
- Drops file in Windows directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4228 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 153⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1464 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal4⤵
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal5⤵
- System Location Discovery: System Language Discovery
PID:3600
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2022834770 && exit"4⤵
- System Location Discovery: System Language Discovery
PID:4760 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2022834770 && exit"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2924
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:27:004⤵
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:27:005⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1916
-
-
-
C:\Windows\7D65.tmp"C:\Windows\7D65.tmp" \\.\pipe\{2C156552-CEC4-436F-A30B-6B74842FEB60}4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4624
-
-
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"2⤵
- Drops file in Windows directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 153⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1420
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2540
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4948
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4592
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:5080
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
PID:4040
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
- System Location Discovery: System Language Discovery
PID:1064
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ConnectPush.docx" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2948
-
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E8
PID:2384
-
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4988
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:4284
-
C:\Program Files\JJSploit\JJSploit.exe
"C:\Program Files\JJSploit\JJSploit.exe"
- Executes dropped EXE
PID:1580
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=8.11.0 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=1580.2900.8385983666974125581
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:2336
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x1d0,0x7ffc4b7c3cb8,0x7ffc4b7c3cc8,0x7ffc4b7c3cd8
        PID:1732
        -
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1780,636891067866809902,2313960625826809378,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.11.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1820 /prefetch:2
        PID:3308
        -
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1780,636891067866809902,2313960625826809378,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.11.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2040 /prefetch:3
        PID:3424
        -
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1780,636891067866809902,2313960625826809378,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.11.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2400 /prefetch:8
        PID:3592
        -
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1780,636891067866809902,2313960625826809378,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.11.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1
        PID:3264
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:3080
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4616
Network
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (1)
  - Installer Packages (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Event Triggered Execution (1)
  - Installer Packages (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
- System Binary Proxy Execution (1)
  - Msiexec (1)
Downloads