Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-ltsc_2021_x64 -
resource
win10ltsc2021-20250314-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system -
submitted
29/03/2025, 20:04
Static task
static1
Behavioral task
behavioral1
Sample
Idiot!.html
Resource
win10ltsc2021-20250314-en
General
-
Target
Idiot!.html
-
Size
1KB
-
MD5
76b5f578abab7155e4f98e50c6ca24d2
-
SHA1
76a3d945b025a5c5830020cd4b59c78c00458663
-
SHA256
5e75e3136044b5ae53de976f2cb2f21c08e3fedf680c6f82cbbf05f5c29ccf29
-
SHA512
70e1b6d6e2146792c1e3d67a36dbcf69e2d5ddd09519de2e3c66d132775e91c11d96b2ce22588b635f821882645cc5da0f87832c17d8b14cf10ffb0332dea514
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file 1 IoCs
flow pid Process 203 2280 msedge.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4B7C.tmp WannaCry.EXE File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4B83.tmp WannaCry.EXE -
Executes dropped EXE 10 IoCs
pid Process 4556 WannaCry.EXE 2012 WannaCry.EXE 3648 taskdl.exe 2608 WannaCry.EXE 452 @[email protected] 4476 @[email protected] 4972 taskhsvc.exe 4748 taskdl.exe 568 taskse.exe 3896 @[email protected] -
Loads dropped DLL 7 IoCs
pid Process 4972 taskhsvc.exe 4972 taskhsvc.exe 4972 taskhsvc.exe 4972 taskhsvc.exe 4972 taskhsvc.exe 4972 taskhsvc.exe 4972 taskhsvc.exe -
Modifies file permissions 1 TTPs 3 IoCs
pid Process 4020 icacls.exe 5972 icacls.exe 1156 icacls.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bjknawszis249 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\"" reg.exe -
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 202 raw.githubusercontent.com 203 raw.githubusercontent.com 164 camo.githubusercontent.com 165 camo.githubusercontent.com 166 camo.githubusercontent.com 201 raw.githubusercontent.com -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" WannaCry.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2423602651-1712563293-711691555-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected] -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\my\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\de\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\ne\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\iw\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\128.png msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\manifest.fingerprint msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1045474302\manifest.fingerprint msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\be\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\hi\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\it\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_metadata\verified_contents.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_656006226\manifest.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1045474302\_metadata\verified_contents.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_396847058\manifest.fingerprint msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_192889418\deny_etld1_domains.list msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\manifest.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\pt_PT\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\ka\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\lv\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\am\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\ur\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_192889418\deny_full_domains.list msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\cs\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\ko\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\en_US\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\az\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_656006226\protocols.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_396847058\LICENSE msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\km\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\ml\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\af\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\ta\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\sv\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\ms\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\id\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_192889418\deny_domains.list msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\service_worker_bin_prod.js msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\pl\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\sr\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\hy\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1045474302\manifest.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_192889418\manifest.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\kn\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\ca\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\pa\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\en\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\hr\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\et\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\zh_HK\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\pt_BR\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\eu\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\lo\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\cy\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\ru\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\fi\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\bn\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\tr\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\zh_CN\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\zu\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\es\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_192889418\manifest.fingerprint msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\dasherSettingSchema.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\ar\messages.json msedge.exe File created C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3160_1797308834\_locales\vi\messages.json msedge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WannaCry.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WannaCry.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WannaCry.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskhsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 msedge.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedge.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877522715589426" msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2423602651-1712563293-711691555-1000\{51EA7154-25C7-4D30-990C-59C6762DF422} msedge.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2940 reg.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 4460 msedge.exe 4460 msedge.exe 4972 taskhsvc.exe 4972 taskhsvc.exe 4972 taskhsvc.exe 4972 taskhsvc.exe 4972 taskhsvc.exe 4972 taskhsvc.exe 4520 WMIC.exe 4520 WMIC.exe 4520 WMIC.exe 4520 WMIC.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
pid Process 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4520 WMIC.exe Token: SeSecurityPrivilege 4520 WMIC.exe Token: SeTakeOwnershipPrivilege 4520 WMIC.exe Token: SeLoadDriverPrivilege 4520 WMIC.exe Token: SeSystemProfilePrivilege 4520 WMIC.exe Token: SeSystemtimePrivilege 4520 WMIC.exe Token: SeProfSingleProcessPrivilege 4520 WMIC.exe Token: SeIncBasePriorityPrivilege 4520 WMIC.exe Token: SeCreatePagefilePrivilege 4520 WMIC.exe Token: SeBackupPrivilege 4520 WMIC.exe Token: SeRestorePrivilege 4520 WMIC.exe Token: SeShutdownPrivilege 4520 WMIC.exe Token: SeDebugPrivilege 4520 WMIC.exe Token: SeSystemEnvironmentPrivilege 4520 WMIC.exe Token: SeRemoteShutdownPrivilege 4520 WMIC.exe Token: SeUndockPrivilege 4520 WMIC.exe Token: SeManageVolumePrivilege 4520 WMIC.exe Token: 33 4520 WMIC.exe Token: 34 4520 WMIC.exe Token: 35 4520 WMIC.exe Token: 36 4520 WMIC.exe Token: SeIncreaseQuotaPrivilege 4520 WMIC.exe Token: SeSecurityPrivilege 4520 WMIC.exe Token: SeTakeOwnershipPrivilege 4520 WMIC.exe Token: SeLoadDriverPrivilege 4520 WMIC.exe Token: SeSystemProfilePrivilege 4520 WMIC.exe Token: SeSystemtimePrivilege 4520 WMIC.exe Token: SeProfSingleProcessPrivilege 4520 WMIC.exe Token: SeIncBasePriorityPrivilege 4520 WMIC.exe Token: SeCreatePagefilePrivilege 4520 WMIC.exe Token: SeBackupPrivilege 4520 WMIC.exe Token: SeRestorePrivilege 4520 WMIC.exe Token: SeShutdownPrivilege 4520 WMIC.exe Token: SeDebugPrivilege 4520 WMIC.exe Token: SeSystemEnvironmentPrivilege 4520 WMIC.exe Token: SeRemoteShutdownPrivilege 4520 WMIC.exe Token: SeUndockPrivilege 4520 WMIC.exe Token: SeManageVolumePrivilege 4520 WMIC.exe Token: 33 4520 WMIC.exe Token: 34 4520 WMIC.exe Token: 35 4520 WMIC.exe Token: 36 4520 WMIC.exe Token: SeBackupPrivilege 2396 vssvc.exe Token: SeRestorePrivilege 2396 vssvc.exe Token: SeAuditPrivilege 2396 vssvc.exe Token: SeTcbPrivilege 568 taskse.exe Token: SeTcbPrivilege 568 taskse.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe 3160 msedge.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 452 @[email protected] 452 @[email protected] 4476 @[email protected] 4476 @[email protected] 3896 @[email protected] 3896 @[email protected] -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3160 wrote to memory of 4324 3160 msedge.exe 81 PID 3160 wrote to memory of 4324 3160 msedge.exe 81 PID 3160 wrote to memory of 2280 3160 msedge.exe 82 PID 3160 wrote to memory of 2280 3160 msedge.exe 82 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 3496 3160 msedge.exe 83 PID 3160 wrote to memory of 1184 3160 msedge.exe 84 PID 3160 wrote to memory of 1184 3160 msedge.exe 84 PID 3160 wrote to memory of 1184 3160 msedge.exe 84 PID 3160 wrote to memory of 1184 3160 msedge.exe 84 PID 3160 wrote to memory of 1184 3160 msedge.exe 84 PID 3160 wrote to memory of 1184 3160 msedge.exe 84 PID 3160 wrote to memory of 1184 3160 msedge.exe 84 PID 3160 wrote to memory of 1184 3160 msedge.exe 84 PID 3160 wrote to memory of 1184 3160 msedge.exe 84 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 4 IoCs
pid Process 5680 attrib.exe 2352 attrib.exe 2404 attrib.exe 5752 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\Idiot!.html1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x278,0x7ffd1e56f208,0x7ffd1e56f214,0x7ffd1e56f2202⤵PID:4324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1884,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:32⤵
- Downloads MZ/PE file
PID:2280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2244,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:22⤵PID:3496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2560,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=2604 /prefetch:82⤵PID:1184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:12⤵PID:484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:12⤵PID:1672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5068,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=5096 /prefetch:82⤵PID:2204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4856,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=4812 /prefetch:82⤵PID:2476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5512,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:82⤵PID:5224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5776,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:82⤵PID:2388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5776,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:82⤵PID:564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5880,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=6020 /prefetch:82⤵PID:4868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6012,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=6216 /prefetch:82⤵PID:4280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=604,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:82⤵PID:1900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5632,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=4852 /prefetch:82⤵PID:4276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5888,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=5948 /prefetch:82⤵PID:5960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5108,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:82⤵PID:1128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6120,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:12⤵PID:5768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=4852,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:12⤵PID:1628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=3572,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=4868 /prefetch:12⤵PID:4332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=3592,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=6124 /prefetch:12⤵PID:5224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=4328,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=5164 /prefetch:12⤵PID:2936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6556,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=6376 /prefetch:82⤵PID:1344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=6032,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=6320 /prefetch:12⤵PID:4932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=5620,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:12⤵PID:5196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5412,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=6776 /prefetch:82⤵PID:220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=6888,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:12⤵PID:5068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=6840,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=3400 /prefetch:12⤵PID:3572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=6816,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=6712 /prefetch:12⤵PID:6036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=6884,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=6836 /prefetch:12⤵PID:3256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=6792,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=7084 /prefetch:12⤵PID:3360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6988,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=6980 /prefetch:82⤵PID:4544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6564,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=7388 /prefetch:82⤵PID:2000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6564,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=7388 /prefetch:82⤵PID:4972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7052,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=7288 /prefetch:82⤵PID:5508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=7396,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=7392 /prefetch:12⤵PID:784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=7436,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=7680 /prefetch:12⤵PID:2712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=7636,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=7820 /prefetch:12⤵PID:5712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8104,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=8116 /prefetch:82⤵PID:4488
-
-
C:\Users\Admin\Downloads\WannaCry.EXE"C:\Users\Admin\Downloads\WannaCry.EXE"2⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:4556 -
C:\Windows\SysWOW64\attrib.exeattrib +h .3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5680
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4020
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3648
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 150811743278785.bat3⤵
- System Location Discovery: System Language Discovery
PID:1412 -
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs4⤵
- System Location Discovery: System Language Discovery
PID:5100
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5752
-
-
C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:452 -
C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4972
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b @[email protected] vs3⤵
- System Location Discovery: System Language Discovery
PID:3436 -
C:\Users\Admin\Downloads\@[email protected]4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4476 -
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet5⤵
- System Location Discovery: System Language Discovery
PID:3632 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520
-
-
-
-
-
C:\Users\Admin\Downloads\taskdl.exetaskdl.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4748
-
-
C:\Users\Admin\Downloads\taskse.exetaskse.exe C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:568
-
-
C:\Users\Admin\Downloads\@[email protected]3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3896
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bjknawszis249" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f3⤵
- System Location Discovery: System Language Discovery
PID:5444 -
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bjknawszis249" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2940
-
-
-
-
C:\Users\Admin\Downloads\WannaCry.EXE"C:\Users\Admin\Downloads\WannaCry.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\attrib.exeattrib +h .3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2352
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5972
-
-
-
C:\Users\Admin\Downloads\WannaCry.EXE"C:\Users\Admin\Downloads\WannaCry.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\attrib.exeattrib +h .3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2404
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1156
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7420,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=8360 /prefetch:82⤵PID:5456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7060,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=6364 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7116,i,5160362370203612449,12946948197898184449,262144 --variations-seed-version --mojo-platform-channel-handle=7524 /prefetch:82⤵PID:1788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:5752
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start1⤵PID:4044
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start2⤵PID:5764
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\tasksche.exe"1⤵PID:1772
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
1File Deletion
1Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280B
MD59a1d48286ce97f5ce9bb99ff9b214ed5
SHA1f185dae5f66c2d622bd1fefeaa30223f737a67e7
SHA2560cf61088061592d94572c01fc6e6009cca561f2c3fdaacf76b6895964ad6e7a9
SHA512d1125f928650766c4fa2f12e614cd2f6de47b650cd56e8770e91cedff4edd03bea4229c9962dfc4778c2e55a7e39a959fb61cc16f4689830c157c93dd6934e0a
-
Filesize
67KB
MD5cc63ec5f8962041727f3a20d6a278329
SHA16cbeee84f8f648f6c2484e8934b189ba76eaeb81
SHA25689a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1
SHA512107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877
-
Filesize
366KB
MD5e6940bda64389c1fa2ae8e1727abe131
SHA11568647e5acd7835321d847024df3ffdf629e547
SHA256eef5dd06cf622fb43ea42872bc616d956de98a3335861af84d35dbaf2ab32699
SHA51291c07e84e5188336464ae9939bfc974d26b0c55d19542527bdcd3e9cac56d8c07655dc921acaa487ed993977a22a0f128dc3c6111273273ff1f637b20bb56fb6
-
Filesize
19KB
MD51bd4ae71ef8e69ad4b5ffd8dc7d2dcb5
SHA16dd8803e59949c985d6a9df2f26c833041a5178c
SHA256af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725
SHA512b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
7KB
MD51fb95834cb99c75238f91b1b5bb57bec
SHA1e5ede7e91f4479976019e360caf537a72d1c8b50
SHA256e7c8febba8ec72c5bf422bd76a074568104c41bbf601c3103ef731e4b7a52e18
SHA512ae41095fb2fedd5fa1b06aa3729f2ae5f4b6d293fd9306bbb2b0d223b90ac8b5b8dba1b51fdf43260efb8061d54c5cfbbf717f361e2cf01e9f4482f3440ba2a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe592ddc.TMP
Filesize3KB
MD5d193b9e7995d34c262ca8fc5599dfc99
SHA1d8b1cad9e0893afabdfdc950b8c08eddf1410cd0
SHA256a092821e69c5ddab66dfacc38e3ba6e2ef965462cc56df43eab1d5eb0f83e5aa
SHA5120740ee1a8701cf955ffa7a9475090ec81b154fa4b8e95e7fa9fd3b2b81afcc7e5ed16b2c3aa133cd7b0477846a679ff97d36fafe7c0dc48d28665f0c9fa1dac6
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
107KB
MD540e2018187b61af5be8caf035fb72882
SHA172a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12
-
Filesize
3KB
MD54c6175f529d93b74c36361bbd9f6c0f5
SHA14b68bd05d656308c96ab5a62ee334e793218ea34
SHA2565020994e656491ee18da2a729e7cb100cd90d3e1806f9e467749ab8130bd29bd
SHA512e3ca1a8f5417151c765b41c8da2d303788ee2b9e56a5434a3ee46a5115530d5e4a5b1d82934ba7bc9b4b2d6b2c6ca8988041a1f768ca901eaa956da54aad3b5d
-
Filesize
5KB
MD50b97323deefa07f2722a2c2128956d18
SHA1681193ed121153ac2da3d8edee1017275fc52d4c
SHA256556e442396f6b1b920b8670be1fe14e107705c49dcfa4aa45d1ee063a34ea784
SHA51298884753297431574483004e38818962d9a7d3f7b6b637fbd13bbe77b9d0c6588b99f22f8eccbd47bd736304338025a0df71433971a44b63a30c87eb8f8df4a4
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
210B
MD59ac4224d29f2487efa907274838f6676
SHA1af78acc19f594eb06ab3bf7a28789dd81fb42276
SHA2562d011a28b3879d4cb458acf2b716075edeeed3fb7f5361f634d6585c53b9b139
SHA5123bba1983b83b544f85a26082c271b6d30f0605288e638fd73dcffaaca0f2f68e23d1137971f25a29f2eaea691c4598ab3a69395dc47e3c508a353c0cebe6b103
-
Filesize
211B
MD5d4fa1de13a00b2534144ab38ee01609b
SHA106c1dd6c7ab17c5351eb52d2f44761a3b46871a7
SHA2566d54e163f2016cc1992581c2b3337433c3e9bc2c90cefc8d2e07552d09d3bb71
SHA5123a12511b256e20579d4d334d5d5ddcbcb8394ac6b89c013f44ca98fa1558fb9bb03feade78849c27a33b36730ddace68daf9871519ddf339c5423f8e7052dfc2
-
Filesize
16KB
MD581e6cded78a86ca6dc8d455aebb40833
SHA19256b74dcf0078cc5c50b71eb56c38add731c9da
SHA256028fed10426323ba3daf0f5c9e9d467de6970a6c588cb986459cb33833ee2cba
SHA5125cbc0a603c9521fa840bc59034014a58393704926c6688cb14f19d4d671dc682ea65966c2c045fe8ef43e55f7374ceabac320de26e096f20cca01fec08d3e91d
-
Filesize
18KB
MD5a1f8c0084a677dc25f462e773f65f64d
SHA1fcfa8777674e4881048a2e6fed5dfecf8edfa6d2
SHA256118cb41c4d86eef0053f204d79714b4b72bb748d0182f4606361d553e8eaea13
SHA5120c5df93134d3abff75ce67fd5ebfbb115d4eed55c340f39fb065db6ca9537eedddff77e37b644c5363d704e096e1450273e419c98ce5322eec261024d99c9107
-
Filesize
18KB
MD559723f3c6bf66b4b7cb341af60633fcb
SHA124da33152f611fe2aeea6c3cce01111a15ee57b3
SHA2567bdfc36abb48e0d95669a312cd37cc788c4d855213450f8c162f423ec78b3387
SHA512d088749d017426591357992b4ef2ca0185440cdf87894fe040ec27439f594667376629c4fa446afd23c9f2a58477c4984d232db2e146bc136f633014cfa4845c
-
Filesize
18KB
MD526a3210bcea6cde4144699a1ee7671df
SHA178d7c079845377f83876dcde8d2b10f9f15c339e
SHA2565e80f83bca943e760c7763ae7fb79bb8a3fc743ea9cfd0d5e1629f4e652cfd70
SHA51256de0515bb2147a6a3178dc494bd70e08e5dfc7bf0609d45d17c75b3fa1cbcb8824035666e2d636d4bd4b52fe670e2609583af1c7ce98ccc8f68d2da9ac4a838
-
Filesize
36KB
MD5007b4fba68a08ec928a95218487f7c14
SHA1e9ce1e80020f6847bd46cda51d51bc0b0d61c6f9
SHA2562a9d7a088fd1bc1fdf08e92618ef86de015723e05b10defd6a26951e112edec2
SHA512bd5ddb36d14d84b2ffdcf097992594d8f46488cf2adeba0c9b728d28457cd1abb54071283b7d55fad094b193a5709d75bcad0ed698580c3d518e54e9c2290b6f
-
Filesize
22KB
MD5cc589a0153cba9d1d07907d65cc283fe
SHA10dc1efc1240bde37960f4549964b9f99b0c7bc58
SHA256ef7a0103038380ee57ed5737d8a6a1b552c38e4947bed8b1319356cf1d868ead
SHA512ba4745edbbe761900ab43284f53c4ef28f0c4b961cfcdd62362555fb79549e260de21953afe830d93b9c1d4b964ae799bfb9ac621f389a1e7e4e40a9b6a5f532
-
Filesize
900B
MD52424f3a65bc941767c41908340d99fbb
SHA1aef0fd39cf4f0b4ec14b4de93839ffc5748468cf
SHA256e4c7f301e855c8d3433c52ed9445f0db65bf539d6152971d7cdd861e12fd7356
SHA512c54fad811fa9312629d8ef5ff1dc47e8395570c7250c0726e958e4202094a077e320968ac45289389507dcdff1a89c73960dd6e5a2a45b1a298bc280691f3842
-
Filesize
23KB
MD5e926f9f059d15028782a54dd61debc51
SHA1f2071423a435c1423e6ed0d3b8dde67a54f47219
SHA256a72b2ff0661f109e680f4bb2c0c5620082522f321abaa955169bfb10ca461519
SHA512ca23003ad86f51c9848e42e25b7e97c7805bb7ae8859cc65fc07f7db11e75f015c27e8ee2eec67bbcec82e4ca39ff9c29c1c409627cf10861ecc510f5654a23d
-
Filesize
19KB
MD541c1930548d8b99ff1dbb64ba7fecb3d
SHA1d8acfeaf7c74e2b289be37687f886f50c01d4f2f
SHA25616cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502
SHA512a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\b59029f4-2613-4235-8519-b1055e5635ab.tmp
Filesize467B
MD510e8a5b228f636548065c6c3b770faab
SHA174639f265aff49c1ac753b9b5be5e579cdfad8eb
SHA256a6dd07d90dd265839661c1639a1b159358afdf19094e49472f3ccfd70244ffd4
SHA51237739c17e40c9bb2ea445864fb6bbe52308bbb66ea707a3b6ad43a1ff6866baf8d7b9ac1ab0e7bb8a72506772d39c6ac995219889ec054b553edc33b212f728c
-
Filesize
54KB
MD5e93976dbd36a52b6205f5c7ef8ed0f94
SHA1fd71c13f3797ea831b619ebf4044ab026a0fdb5b
SHA256913febd65d066a1e299141f7b63c41490408e8162dbec1fcfd6f19de3590ada7
SHA512eea759d34dd452861c1bff3f96e606a62b04e62661842d3d64ef20a6164b69cc24a3e5a413685fb1c9ef75f7abdfe88f3c3d5347be2fbc8307434013f45b0bfd
-
Filesize
54KB
MD508e00cec93b10a08539d16d2a0df9101
SHA1a6aaa198080036589426e6141067e23aa5820b3e
SHA25693a03bfcf863576431efa976e14a823f7f4faab91f29c4fba8d3ee5f84970445
SHA5124df637dfa889310b367d9e70632772bfc2d2cdc877e4a21334bc58fc409c46ea8beacae019cd91b17ad2a9c5e2d8dc5251fb99995663842860df1f2fa7006189
-
Filesize
54KB
MD5ce8591cc3146f3eb9e6deefe109b73ce
SHA1ef11aa2a883dc9dabe767917c63c40a6838347c9
SHA2565b3ab264dfa65d5e259b35590c18077f22d566e991b6c9e5ee107be3cad9c010
SHA5129c4db10280b7acb4301e8b77341d68c2d34ba894ea1fc5cd47d96fc084f60027d936dc944e91ae5cd3de48c73f312f3442786699929ac74c554eab85784fd4e1
-
Filesize
40KB
MD5435418b6a8f5eadc29415a11581d5027
SHA1cd09fab7eb074e0dcdeb84135da6b11d454504eb
SHA256571df1b23507635492c2cf508dfb3314b19bd862490f6b99f840f74358c0c496
SHA512f964c74a5beaf7fa1c60486756c1d7128b273b417b2d3129400cec74d080c2e940a23dd0b1b80bba72d018d479841f427c8f2e9b71116837be2460c080ec82ab
-
Filesize
40KB
MD52786e918ad51c6668400decf45728e35
SHA1a842a2b8c4455689f119734b63854b38670c219d
SHA256f44ec9fc4785fa83070c918d84e108e2db33bf421b3c5d5448bdbdaa53081811
SHA5120969fcc9f8b712c5d0d809a41155eda91cf4b12fce01a68b495c026d31020a19ab2a8c39ef1c91dce1f6690ed8c36fcf5bf5b0eeee3bf2a4b5551f07bdaff358
-
Filesize
392B
MD517a899a05a089ffc81e4be5d51d7139d
SHA12c1b8dfe5c63a432779858bd8b8a5935c919df55
SHA256907f21d363623cd12739536957552b44994ebf85062bad510e7e18a1a513f809
SHA512a49b0e912cd1c5cc6876e0bfbdb555932f854ddbb16d66620c57b19c6e1b7dbd3fdb7fd024e3c6c4325841a2fc7ba425b47ad97be268d3903bf78d085a6e1290
-
Filesize
392B
MD5fbb7a6bb1f6c9d01a723ffff4a30ef93
SHA19f2a0acad517dc7441613d779af95913d9985f31
SHA256f1e1382e9ccc3c7a2af9c30c574d5100055407674de5ae40a6fd2ef9b209dd43
SHA512d8e7af9c4cd3688602bfb9c12d7b8c5b0ab5748aaf53ba64d9fd49a5fcae3b71f8dc5f62c5d312c99871442b506c50e2559b405e6797431ec9fc9c91a8825f8c
-
Filesize
392B
MD525bcfd11138de335311232956ac78c57
SHA11e168bb5c7cf5164b1f64739580ea854ecee6611
SHA2560bc21b703aa0890adbd3b89dd94e6a19b597e751ca83c62d95cde4bc58965559
SHA51275a5a8a82ca13aa879ba9dcbac3747fdbcbde597ce8711f9061542396be869033608073dc3feab2380304a7dcfa1c77a6f2badc45b61f7717d12bbffa69751cc
-
Filesize
392B
MD50c16dc16a137c2da867e90e9f5f7f589
SHA134954945066195b941c9f6cda56d7695aece09df
SHA25681052a867f139ca8d64fea5983a6d8289a8211dde045ce88742882d0e36166ce
SHA512ae98f166050ab06b4614ac07867204c073a7d3a3853b8585d2d0c64a1e5d384a9e88de676cf7d1f22492662f17a14b87d2952c2be7da3086c821cd92d5305798
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
Filesize152KB
MD5dd9bf8448d3ddcfd067967f01e8bf6d7
SHA1d7829475b2bd6a3baa8fabfaf39af57c6439b35e
SHA256fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
SHA51265347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize2KB
MD58ce36db277e31710a98d5cf5ccab293b
SHA176f0bac8cce9b642628ed9e3353e264a1b3dc7a9
SHA2563d09f89412b58915de10e5e95f3fd71de93a28d75cbf3e534a5874edb8a6d7c4
SHA512d8acbf6135d8a6c0c1a6b1abbb7d6926a921dbff8eae34c3ff88899b0b6aa7522d4857c61426340dfde2840e88892af31367c62bbe2d8a516db074e5cdbd7662
-
Filesize
5.3MB
MD55f2b8fd2194514e35fc4e8598908d1c3
SHA1cf1023e7a3e1ed3e0904ba8f2146330b4481254e
SHA256a4482877d1f337895c8549e8d260f42dd570235963f61bde21da109e3ffd1550
SHA5127cf138167c36e24b92adc56976a0053e3afaa383aaed43115d1b1aa52a88251a79a4d76ce26598bde1a813a555e445087b96e3cf04f9c1d2533ec63483a85a2c
-
Filesize
3.4MB
MD584c82835a5d21bbcf75a61706d8ab549
SHA15ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA51290723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
Filesize
1.4MB
MD5c17170262312f3be7027bc2ca825bf0c
SHA1f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c
-
Filesize
46KB
MD595673b0f968c0f55b32204361940d184
SHA181e427d15a1a826b93e91c3d2fa65221c8ca9cff
SHA25640b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd
SHA5127601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92
-
Filesize
53KB
MD50252d45ca21c8e43c9742285c48e91ad
SHA15c14551d2736eef3a1c1970cc492206e531703c1
SHA256845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a
SHA5121bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755
-
Filesize
77KB
MD52efc3690d67cd073a9406a25005f7cea
SHA152c07f98870eabace6ec370b7eb562751e8067e9
SHA2565c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a
SHA5120766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c
-
Filesize
38KB
MD517194003fa70ce477326ce2f6deeb270
SHA1e325988f68d327743926ea317abb9882f347fa73
SHA2563f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171
SHA512dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c
-
Filesize
39KB
MD5537efeecdfa94cc421e58fd82a58ba9e
SHA13609456e16bc16ba447979f3aa69221290ec17d0
SHA2565afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150
SHA512e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b
-
Filesize
36KB
MD52c5a3b81d5c4715b7bea01033367fcb5
SHA1b548b45da8463e17199daafd34c23591f94e82cd
SHA256a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6
SHA512490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3
-
Filesize
36KB
MD57a8d499407c6a647c03c4471a67eaad7
SHA1d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b
SHA2562c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c
SHA512608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12
-
Filesize
36KB
MD5fe68c2dc0d2419b38f44d83f2fcf232e
SHA16c6e49949957215aa2f3dfb72207d249adf36283
SHA25626fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5
SHA512941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810
-
Filesize
36KB
MD508b9e69b57e4c9b966664f8e1c27ab09
SHA12da1025bbbfb3cd308070765fc0893a48e5a85fa
SHA256d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324
SHA512966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4
-
Filesize
37KB
MD535c2f97eea8819b1caebd23fee732d8f
SHA1e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA2561adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
Filesize
37KB
MD54e57113a6bf6b88fdd32782a4a381274
SHA10fccbc91f0f94453d91670c6794f71348711061d
SHA2569bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc
SHA5124f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9
-
Filesize
36KB
MD53d59bbb5553fe03a89f817819540f469
SHA126781d4b06ff704800b463d0f1fca3afd923a9fe
SHA2562adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61
SHA51295719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac
-
Filesize
47KB
MD5fb4e8718fea95bb7479727fde80cb424
SHA11088c7653cba385fe994e9ae34a6595898f20aeb
SHA256e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9
SHA51224db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb
-
Filesize
36KB
MD53788f91c694dfc48e12417ce93356b0f
SHA1eb3b87f7f654b604daf3484da9e02ca6c4ea98b7
SHA25623e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4
SHA512b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd
-
Filesize
36KB
MD530a200f78498990095b36f574b6e8690
SHA1c4b1b3c087bd12b063e98bca464cd05f3f7b7882
SHA25649f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07
SHA512c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511
-
Filesize
79KB
MD5b77e1221f7ecd0b5d696cb66cda1609e
SHA151eb7a254a33d05edf188ded653005dc82de8a46
SHA2567e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e
SHA512f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc
-
Filesize
89KB
MD56735cb43fe44832b061eeb3f5956b099
SHA1d636daf64d524f81367ea92fdafa3726c909bee1
SHA256552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0
SHA51260272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e
-
Filesize
40KB
MD5c33afb4ecc04ee1bcc6975bea49abe40
SHA1fbea4f170507cde02b839527ef50b7ec74b4821f
SHA256a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536
SHA5120d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44
-
Filesize
36KB
MD5ff70cc7c00951084175d12128ce02399
SHA175ad3b1ad4fb14813882d88e952208c648f1fd18
SHA256cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a
SHA512f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19
-
Filesize
38KB
MD5e79d7f2833a9c2e2553c7fe04a1b63f4
SHA13d9f56d2381b8fe16042aa7c4feb1b33f2baebff
SHA256519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e
SHA512e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de
-
Filesize
37KB
MD5fa948f7d8dfb21ceddd6794f2d56b44f
SHA1ca915fbe020caa88dd776d89632d7866f660fc7a
SHA256bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66
SHA5120d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a
-
Filesize
50KB
MD5313e0ececd24f4fa1504118a11bc7986
SHA1e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d
SHA25670c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1
SHA512c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730
-
Filesize
46KB
MD5452615db2336d60af7e2057481e4cab5
SHA1442e31f6556b3d7de6eb85fbac3d2957b7f5eac6
SHA25602932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078
SHA5127613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f
-
Filesize
40KB
MD5c911aba4ab1da6c28cf86338ab2ab6cc
SHA1fee0fd58b8efe76077620d8abc7500dbfef7c5b0
SHA256e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729
SHA5123491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a
-
Filesize
36KB
MD58d61648d34cba8ae9d1e2a219019add1
SHA12091e42fc17a0cc2f235650f7aad87abf8ba22c2
SHA25672f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1
SHA51268489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079
-
Filesize
64KB
MD55dcaac857e695a65f5c3ef1441a73a8f
SHA17b10aaeee05e7a1efb43d9f837e9356ad55c07dd
SHA25697ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6
SHA51206eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2