Analysis
max time kernel: 130s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2025, 14:22
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mega.nz/file/Ugc1iQiK#ywcAdLryJK_eMNuFeZimSvMI9XZhVhgL2vb9OJcQXKY
Resource: win10v2004-20250314-en
General
Target: https://mega.nz/file/Ugc1iQiK#ywcAdLryJK_eMNuFeZimSvMI9XZhVhgL2vb9OJcQXKY
Malware Config
Extracted
Family: asyncrat
Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet: Default
C2: 193.161.193.99:36206
Mutex: onxityialltnltam
- delay: 1
- install: true
- install_file: Windows Defender.exe
- install_folder: %AppData%
Signatures
- Asyncrat family
- StormKitty
StormKitty is an open source info stealer written in C#.
- StormKitty payload 2 IoCs
resource | yara_rule
behavioral1/files/0x000300000002377c-959.dat | family_stormkitty
behavioral1/memory/788-968-0x0000000000890000-0x00000000008E6000-memory.dmp | family_stormkitty
- Stormkitty family
- Async RAT payload 1 IoCs
resource | yara_rule
behavioral1/files/0x0004000000023774-936.dat | family_asyncrat
- .NET Reactor protector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource | yara_rule
behavioral1/memory/5176-931-0x0000000000E50000-0x0000000001E50000-memory.dmp | net_reactor
behavioral1/memory/5348-992-0x00000000001D0000-0x00000000011D0000-memory.dmp | net_reactor
- Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | Flash Counterfeit Bitcoin [FCB] Mode 8.8.8 Cracked By @techajen.exe
Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | pp.exe
- Executes dropped EXE 5 IoCs
pid | Process
5176 | Flash Counterfeit Bitcoin [FCB] Mode 8.8.8 Cracked By @techajen.exe
4772 | pp.exe
5348 | Flash Counterfeit Bitcoin [FCB] Mode 8.8.8.exe
788 | stealer.exe
5656 | Windows Defender.exe
- Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/5348-1016-0x000000000F9B0000-0x000000000F9DA000-memory.dmp | agile_net
behavioral1/memory/5348-1018-0x000000000FA10000-0x000000000FA6A000-memory.dmp | agile_net
behavioral1/memory/5348-1034-0x0000000012730000-0x000000001287A000-memory.dmp | agile_net
- Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | stealer.exe
Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | stealer.exe
Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | stealer.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
- Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) 3 IoCs
description | ioc | Process
File created | C:\ProgramData\EPFPAFGQ\FileGrabber\Desktop\desktop.ini | stealer.exe
File created | C:\ProgramData\EPFPAFGQ\FileGrabber\Downloads\desktop.ini | stealer.exe
File created | C:\ProgramData\EPFPAFGQ\FileGrabber\Pictures\desktop.ini | stealer.exe
- Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
250 | api.ipify.org
251 | ip-api.com
224 | freegeoip.app
225 | freegeoip.app
249 | api.ipify.org
- Drops file in Program Files directory 64 IoCs
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flash Counterfeit Bitcoin [FCB] Mode 8.8.8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stealer.exe
- Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | stealer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | stealer.exe
- Delays execution with timeout.exe 1 IoCs
pid | Process
1832 | timeout.exe
- Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876453697126803" | msedge.exe
- Modifies registry class 38 IoCs
- Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2380 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (64 entries; distinct pid/process pairs shown)
788 | stealer.exe
4772 | pp.exe
5656 | Windows Defender.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid | Process (5 entries; distinct pid/process pairs shown)
464 | msedge.exe
- Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
Token: 33 | 3352 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3352 | AUDIODG.EXE
Token: SeRestorePrivilege | 5784 | 7zG.exe
Token: 35 | 5784 | 7zG.exe
Token: SeSecurityPrivilege | 5784 | 7zG.exe
Token: SeSecurityPrivilege | 5784 | 7zG.exe
Token: SeDebugPrivilege | 4772 | pp.exe
Token: SeDebugPrivilege | 788 | stealer.exe
Token: SeDebugPrivilege | 5348 | Flash Counterfeit Bitcoin [FCB] Mode 8.8.8.exe
Token: SeDebugPrivilege | 5656 | Windows Defender.exe
- Suspicious use of FindShellTrayWindow 35 IoCs
pid | Process (35 entries; distinct pid/process pairs shown)
464 | msedge.exe
5784 | 7zG.exe
- Suspicious use of SendNotifyMessage 24 IoCs
pid | Process (24 entries; distinct pid/process pairs shown)
464 | msedge.exe
- Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process (9 entries; distinct pid/process pairs shown)
4312 | OpenWith.exe
5348 | Flash Counterfeit Bitcoin [FCB] Mode 8.8.8.exe
5656 | Windows Defender.exe
- Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (64 entries; distinct parent/target pairs shown)
PID 464 wrote to memory of 5624 | 464 | msedge.exe | 86
PID 464 wrote to memory of 5180 | 464 | msedge.exe | 87
PID 464 wrote to memory of 640 | 464 | msedge.exe | 88
PID 464 wrote to memory of 2692 | 464 | msedge.exe | 89
- Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | stealer.exe
- outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | stealer.exe
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/Ugc1iQiK#ywcAdLryJK_eMNuFeZimSvMI9XZhVhgL2vb9OJcQXKY
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:464
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ff9919cf208,0x7ff9919cf214,0x7ff9919cf220
  PID:5624
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2228,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:2
  PID:5180
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1700,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:3
  PID:640
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2452,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=3104 /prefetch:8
  PID:2692
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
  PID:4572
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3492,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
  PID:4540
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4840,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=4796 /prefetch:8
  PID:672
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=5268,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=5280 /prefetch:1
  PID:2092
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5560,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=5600 /prefetch:8
  PID:5088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5564,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:82⤵PID:5528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6248,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:82⤵PID:5784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6448,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=6452 /prefetch:82⤵PID:4672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6448,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=6452 /prefetch:82⤵PID:2480
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5412,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=5500 /prefetch:82⤵PID:3968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5424,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=5468 /prefetch:82⤵PID:1732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6420,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:82⤵PID:2060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6164,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:82⤵PID:3784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=6188 /prefetch:82⤵PID:4888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6656,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=6840 /prefetch:82⤵PID:4804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7016,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=7044 /prefetch:82⤵PID:5104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=7032,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=7068 /prefetch:12⤵PID:2004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7288,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=7336 /prefetch:82⤵PID:632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6352,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=5464 /prefetch:82⤵PID:4656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6944,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=7632 /prefetch:82⤵PID:3404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=764,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=7856 /prefetch:82⤵PID:2200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7160,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=5772 /prefetch:82⤵PID:372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7732,i,18280421564402097146,13613930484485399208,262144 --variations-seed-version --mojo-platform-channel-handle=7064 /prefetch:82⤵PID:6084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:4760
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start1⤵PID:5860
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start2⤵PID:5680
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x484 0x4201⤵
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4312
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5312
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Flash Counterfeit Bitcoin [FCB] Mode Cracked\" -spe -an -ai#7zMap28817:150:7zEvent77091⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5784
-
C:\Users\Admin\Downloads\Flash Counterfeit Bitcoin [FCB] Mode Cracked\Flash Counterfeit Bitcoin [FCB] Mode 8.8.8 Cracked By @techajen.exe"C:\Users\Admin\Downloads\Flash Counterfeit Bitcoin [FCB] Mode Cracked\Flash Counterfeit Bitcoin [FCB] Mode 8.8.8 Cracked By @techajen.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5176 -
C:\Users\Admin\AppData\Roaming\pp.exe"C:\Users\Admin\AppData\Roaming\pp.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"' & exit3⤵PID:5892
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"'4⤵
- Scheduled Task/Job: Scheduled Task
PID:2380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp80B4.tmp.bat""3⤵PID:2024
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:1832
-
-
C:\Users\Admin\AppData\Roaming\Windows Defender.exe"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5656
-
-
-
-
C:\Users\Admin\AppData\Roaming\Flash Counterfeit Bitcoin [FCB] Mode 8.8.8.exe"C:\Users\Admin\AppData\Roaming\Flash Counterfeit Bitcoin [FCB] Mode 8.8.8.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5348
-
-
C:\Users\Admin\AppData\Roaming\stealer.exe"C:\Users\Admin\AppData\Roaming\stealer.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:788
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (2)
- Credentials In Files (2)
Downloads
