c787cef9e7216be955d5f4ff7b305f3f08d1d283ac3f09a01f821bf7b2d4a9a2

Resubmissions

22-03-2024 10:29

240322-mjq1lsdc6w 8

08-05-2023 11:46

230508-nxdg4sad72 7

08-05-2023 11:33

230508-nn5j8sad52 7

Analysis

max time kernel
336s
max time network
312s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2023 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a/activator.exe
Size

34.0MB
MD5

ec78b42d48246195cbe1180360681b90
SHA1

017ec0ac62f7512c990e6d07b1399861d6e8c4f5
SHA256

e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a
SHA512

a461829596bfd050c733a38c83cdefc53f1b6c6ce48c3f14b7eaaf867bd58a87a19b17c9bbcfea5883e27c7547da8e2c78ea6ed8086986c4aa1c2de50c763dd4
SSDEEP

393216:bcvSm8PjCEyF74qWuRTk15Bot2FCHMA28a2M/a16fPHEZe9tY1bTqE:bcD87qBW2XwoHMA28ae6fzY1b2E

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FlixGrab.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	FlixGrab.tmp

Executes dropped EXE 1 IoCs

Processes:

FlixGrab.tmp

pid process

2056 FlixGrab.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

activator.exe

description ioc process

File created C:\Windows\System32\SyncAppvPublishingServer.vbs activator.exe

description	ioc	process
File created	C:\Windows\System32\SyncAppvPublishingServer.vbs	activator.exe

Drops file in Program Files directory 64 IoCs

Processes:

FlixGrab.tmpactivator.exe

description	ioc	process
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-I388B.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-2NSB4.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-DEQFO.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-UU092.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\imageformats\is-9TDA8.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-L38IR.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-VUGU4.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-VV9LM.tmp	FlixGrab.tmp
File opened for modification	C:\Program Files (x86)\FreeGrabApp\unins000.dat	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-T3QLD.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-A99RC.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-47BDU.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-KP3C2.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\mediaservice\is-FKPP9.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\resources\is-PHKT8.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-5ENVR.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-C7KHK.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-PNC2J.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\audio\is-FGMG8.tmp	FlixGrab.tmp
File opened for modification	C:\Program Files (x86)\FreeGrabApp\FlixGrab\FlixGrab.exe	activator.exe
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-BS243.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-JN1P2.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-D75NI.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-LNL6G.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\imageformats\is-U3ANG.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\playlistformats\is-22DH8.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-A159B.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-K9KI5.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-R2PE0.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\mediaservice\is-BLNSJ.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-8MR2V.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-4622M.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-62HH7.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-5U44E.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\audio\is-TP7Q2.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-QCHL0.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-6FK7A.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-UGL37.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-8QLNA.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-VARKU.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\imageformats\is-R9HQA.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\resources\is-CF6TA.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-GR1VO.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-8K9CD.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-9TO6J.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\DriverStore\FileRepository\iclsclient.inf_amd64_a93205b6238060e4\lib\is-A1DCC.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\platforms\is-SEF02.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-037K6.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-3H2T8.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-GHCLJ.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-1J1MS.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-STBO2.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\imageformats\is-1OTCF.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\imageformats\is-AF9MU.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\position\is-27VNF.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\resources\is-B7Q5E.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\resources\is-DHS2S.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-H9RUO.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-V66CV.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-G9D19.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-9FQIJ.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-QSGA3.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-JU35F.tmp	FlixGrab.tmp
File created	C:\Program Files (x86)\FreeGrabApp\FlixGrab\is-BAVT7.tmp	FlixGrab.tmp

Drops file in Windows directory 1 IoCs

Processes:

activator.exe

description ioc process

File created C:\Windows\logs\system-logs.txt activator.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\logs\system-logs.txt	activator.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4736 taskkill.exe
4612 taskkill.exe

pid	process
4736	taskkill.exe
4612	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133280267874186973"	chrome.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	45	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	41	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exechrome.exe

pid process

3028 msedge.exe
3028 msedge.exe
2840 msedge.exe
2840 msedge.exe
772 identity_helper.exe
772 identity_helper.exe
4996 chrome.exe
4996 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exechrome.exe

pid process

2840 msedge.exe
2840 msedge.exe
4996 chrome.exe
4996 chrome.exe
4996 chrome.exe
4996 chrome.exe

pid	process
3028	msedge.exe
3028	msedge.exe
2840	msedge.exe
2840	msedge.exe
772	identity_helper.exe
772	identity_helper.exe
4996	chrome.exe
4996	chrome.exe

pid	process
2840	msedge.exe
2840	msedge.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

FlixGrab.tmpmsedge.exechrome.exe

pid	process
2056	FlixGrab.tmp
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

activator.exeactivator.exeactivator.exe

pid process

1652 activator.exe
2584 activator.exe
2584 activator.exe
2216 activator.exe
2216 activator.exe
2216 activator.exe

pid	process
1652	activator.exe
2584	activator.exe
2584	activator.exe
2216	activator.exe
2216	activator.exe
2216	activator.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FlixGrab.exeFlixGrab.tmpmsedge.exe

description	pid	process	target process
PID 2404 wrote to memory of 2056	2404	FlixGrab.exe	FlixGrab.tmp
PID 2404 wrote to memory of 2056	2404	FlixGrab.exe	FlixGrab.tmp
PID 2404 wrote to memory of 2056	2404	FlixGrab.exe	FlixGrab.tmp
PID 2056 wrote to memory of 4612	2056	FlixGrab.tmp	taskkill.exe
PID 2056 wrote to memory of 4612	2056	FlixGrab.tmp	taskkill.exe
PID 2056 wrote to memory of 4612	2056	FlixGrab.tmp	taskkill.exe
PID 2056 wrote to memory of 4736	2056	FlixGrab.tmp	taskkill.exe
PID 2056 wrote to memory of 4736	2056	FlixGrab.tmp	taskkill.exe
PID 2056 wrote to memory of 4736	2056	FlixGrab.tmp	taskkill.exe
PID 2056 wrote to memory of 2840	2056	FlixGrab.tmp	msedge.exe
PID 2056 wrote to memory of 2840	2056	FlixGrab.tmp	msedge.exe
PID 2840 wrote to memory of 3820	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 3820	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 2548	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 3028	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 3028	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 4244	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 4244	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 4244	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 4244	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 4244	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 4244	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 4244	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 4244	2840	msedge.exe	msedge.exe
PID 2840 wrote to memory of 4244	2840	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a\activator.exe
"C:\Users\Admin\AppData\Local\Temp\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a\activator.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a\FlixGrab.exe
"C:\Users\Admin\AppData\Local\Temp\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a\FlixGrab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\is-2RROA.tmp\FlixGrab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2RROA.tmp\FlixGrab.tmp" /SL5="$A0188,92329271,1199616,C:\Users\Admin\AppData\Local\Temp\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a\FlixGrab.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /im FlixGrab.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /im FlixGrabMS.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://freegrabapp.com/install/
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffadd9146f8,0x7ffadd914708,0x7ffadd914718
4⤵
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14731230452102546079,5556133538444877187,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
4⤵
PID:2548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14731230452102546079,5556133538444877187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,14731230452102546079,5556133538444877187,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
4⤵
PID:4244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14731230452102546079,5556133538444877187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
4⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14731230452102546079,5556133538444877187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
4⤵
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14731230452102546079,5556133538444877187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
4⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x220,0x230,0x7ff702af5460,0x7ff702af5470,0x7ff702af5480
5⤵
PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14731230452102546079,5556133538444877187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a\activator.exe
"C:\Users\Admin\AppData\Local\Temp\e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a\activator.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Users\Admin\Desktop\act\activator.exe
"C:\Users\Admin\Desktop\act\activator.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffadad09758,0x7ffadad09768,0x7ffadad09778
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:2
2⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:8
2⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:8
2⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3220 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:1
2⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3264 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:1
2⤵
PID:508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4568 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:1
2⤵
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:8
2⤵
PID:784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:8
2⤵
PID:1056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4968 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:8
2⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5160 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:8
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5560 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:8
2⤵
PID:3424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:8
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3980 --field-trial-handle=1840,i,3731359177327694241,8462980011148214832,131072 /prefetch:1
2⤵
PID:1700

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FreeGrabApp\FlixGrab\FlixGrab.exe
Filesize
25.9MB

MD5
b4d4470d5346c5ccd72f37b21f831645

SHA1
7e202cb99fd827981ead5f3988338895f4b24ffb

SHA256
e0eb40386bab9523967f91c744acc08652a8132627d3cb7248d8851fe3273991

SHA512
cd9b07e8963c550303a77ce0ff5c5818a02538c98fce79fac288ea1c43f3ede733e8cfb506ab5f3108c808eb0be44706d4d3ab2d89a4681f462d90f7f9da207e

Download Submit
C:\Program Files (x86)\FreeGrabApp\FlixGrab\FlixGrab.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\53dca31c-eb40-425c-bb13-d319be1396a0.tmp
Filesize
6KB

MD5
604bf3790a80fb92e98613de31018051

SHA1
96f209df04146aec6e40921a1238630cd5607931

SHA256
b378622126d3bd9a51c3a6437d16199eb90b87edb8da517dafabde158699e533

SHA512
132becc00e5c65d57ab51a4a70464481f9bb3a691578071b27c402410f464f32575cad8660279fd5d996d90bc995eefb4b82651a9706b29c19aab22250abc861

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
a585fbb0fdb802bc31f89907549ccbed

SHA1
dbab00ed791ed53a1efea8c9fcc06999b10ae399

SHA256
086490f121cbaf1da9dba45c8ef19e8454150f031accbb4a51866eb754678d37

SHA512
0df30f2681afd7c95ab9361cde79f2cb9dfb88f42981abc5b71e731fc8d23d3545a6ab4540e1d5e4aaa6fceaba496b7dc268a4eac67c4562c59de8f035955d0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
f0236d97178ae5693aa1b040834d2454

SHA1
f9447ce11cc41faed440567b1bea6fe8613d8394

SHA256
b8997b2db2cf8e3bd864d3b474e09719b59b23e8691ab57f3eea59b1917ec3a6

SHA512
d43406cec1a1f963ac88e158dc8d9ef83bc6f341ee8de6765c9ebb1b1906202d6da7b02f5ab95fced6a45570b6b58bc16c6b52e6a5e2640dde9026290201940c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
6543b569789399685728af805c18c941

SHA1
2d5eeb2057ec5736d1e856aad50c649cb291b082

SHA256
333f065295d916f0cc3c8f31d8c7a8c4c06f3f263c987c44f334b9862c238f71

SHA512
d014e967eb54127682984499b5dbeb119bbebbbe8fa63287c7079f8aff6fa02fce36dee26f652b2a2f7c89b56de5809d590abeffe1b64b694906b6d59f2c12a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
149KB

MD5
889c9fd68d49b5862e08a001e26e08bd

SHA1
a6fabad398111e31bce919a7c8f27ea78692a793

SHA256
d62a112a2b8ccf403f21a38ef0611fb68a3e78f5206e36a5da32de3d83af84f5

SHA512
754745bb3b4e28579ca2d1e4604232620cdf8669961b892fe0870cb5a11a0e2245375a60c7f0fdd80c034d4f2d6ba346785167213b00c8d04af6320e83fe9542

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
240B

MD5
4c06ea447e36924fbff1f12e204e901f

SHA1
9b9ec4f820e51e9798278a6772b753f0245c09d5

SHA256
35709d42d387b742c61c8b77a110e5abd3e50d9fbb389d42c5f086e0fc026547

SHA512
0a4a75cb5e4a71d036d7301b3c3a6134a99d4679a41e78893efd72322280a956c2d0d88445c0b0317bbc1ec6e8f4f41e01862473c54b9daded5d4e8e9e03a252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57f9a2.TMP
Filesize
48B

MD5
90ebdb082d2af0bd73de03b2351d8ea1

SHA1
fd4f314f13469bd6acf518b4c425ad36d1c25742

SHA256
a57c81a6ffe30c45ec4013a2a4f8862663c8acee6ceedf999fff4a5955651738

SHA512
a59477e1cbd7daeaf4158b30f66b9e4789f2a8749aa2592efe227eee7a732df8baa9966d06687028973766294692d72469259a29fbb562deca7b77bbadc1d2ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
29acd12a642eddba7f0b72927c17ddeb

SHA1
a200ecb51ab9c94b610c53690435a983fc781302

SHA256
e7f913c165dd9c905f11c979bf7859199fb3b750641e8537b337dfe22d861b35

SHA512
f96cb0824a4ab5d0de5c3f173a887a08129902b796b6a0183305e5ed6654fe8cf3de4a551f36265b93b5734cb78bcd77bb36d962f5930f9efd87ff086653092a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
183B

MD5
240178851c958367c22d09627dfe36b7

SHA1
bd34c9c6a8bcf5bfae9e4fdb89538dea11d2c65a

SHA256
82f46b727390855cc34cb02076edd1a61d40f9b1f63b678b1b433dca2c37247a

SHA512
a21583c8fe80e5d438dab8945328f2cc8d02b4302dc1d6633f43d9db93c74dd71c36f52fb479afe04975c4cc20f10dee7842a6bf45e45dcb2d93caacf923bc31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
91c490336280c930224b5f8c2706eb64

SHA1
4d76b84dacb525951eb93a1bcde787400df2f9e6

SHA256
71423bd38da06895d2b6142cb3009fa40f6002db732280668d14a21fb0d4353b

SHA512
9af548132611227990fbf8cfb5ddaa5b52154f997a8bbda1086a99cf064810e07db7078c2b12ece13e2146dc7e7e535244a855c21ffaf6bdd2d68a46fbc9c8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
10f570b75807c07d0c8b3c32ca2360c5

SHA1
f3e68ff93f429c9a298a69d80cf5346becbea2b5

SHA256
6b15e9f1e9f77dc448b93d3b376000df8dea7a8c1f27f5d3cd9f63470ce15445

SHA512
534175d91b80cd376a8018e0f2749886c10a40d78e2803b9d3006be1ba63718fa09fd47fea8774ce791c34d8f3f9a2fa86815c3d3f253b553503167e0a9db00c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
85526c5793aa368cad1fb451b5387d22

SHA1
a63b1ed43b952d21d28925f8f1eeb22ae67bfaf3

SHA256
fd3ea103b35101b70d11daeceee75aaa6a559e3da4ba51ab0258fb3f636b44bc

SHA512
cf3fc7d13b69accd8a15ed023c6ee6e7a0b8ac166dfbdd9149dba2b3e2525c40b746f2dd6553e58880d138d152eee7e157ab00eb6679e11fae25de2daf04d1e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
c76a4231e72a33b88cc1be31f6aff5c7

SHA1
dbe072573a8ee84b8d1ac2d26f66562a722d1bd9

SHA256
946f16bddef233ab4e96bf36ea97101bd280bd22bc555946057005d1456335bc

SHA512
ca7b61fcfaf7ef00594401abfd62998232f6fdd5acf0bf6f8de8615c1b273c71131b2a60aa764c194894f0f2a469c8895f14db00e5831e8fb8e5e3a24ba84adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d108e09c-0b21-44c8-b740-0248491bd213.tmp
Filesize
9KB

MD5
5200fbfdb34b984d218d4414e18c91e8

SHA1
fdb44970b6257731b0187f25d89d094314bf03b6

SHA256
cfe18724f2940c0940633305aa1783a5ff583c42b92746824754b1ed9b832422

SHA512
c2db3e8096eaf753b97c340d40c7d9439267028646426cc60f935305003c0ae682877065b6f55e27d7713e0c54fd3179306fb045ef4d12ef683796d5dd68ef96

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2RROA.tmp\FlixGrab.tmp
Filesize
3.4MB

MD5
3eab4a4bc4b893805806c9edb6bab9f9

SHA1
1cfe1a478e2168150c256dce1826dd9db083f04a

SHA256
e332511ac0e7a35540a676567814d2c8ce47cb2e596a6af9d02fd2e01fa414bf

SHA512
4fe9818e5ef3852a378deae1a3c0aa1ab4bb2996e8a899883215c4f9da7a124962332dbdd02969aa5b762012916cd464335f9ac5fae1382607360ef8635a797d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2RROA.tmp\FlixGrab.tmp
Filesize
3.4MB

MD5
3eab4a4bc4b893805806c9edb6bab9f9

SHA1
1cfe1a478e2168150c256dce1826dd9db083f04a

SHA256
e332511ac0e7a35540a676567814d2c8ce47cb2e596a6af9d02fd2e01fa414bf

SHA512
4fe9818e5ef3852a378deae1a3c0aa1ab4bb2996e8a899883215c4f9da7a124962332dbdd02969aa5b762012916cd464335f9ac5fae1382607360ef8635a797d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
92c64b084db39542776312fbe048b6f9

SHA1
aed2736145621fb3566b9c957b6ef76cdd9cb1dc

SHA256
1fd4eaad71955c4596a7d2980c868b42b0f29f8d3d6b3786d7f7a30964178a78

SHA512
f2408190a09e5d5891ebcd55310582c80c97d4584f4a2d91824bb449206c2322732b4cb013c3220ca6c3ca9a27ad4848c52a7cc80c54c460c56ee6886bfa88b2

Download Submit
\??\pipe\LOCAL\crashpad_2840_QGDELLZXHLHWLULG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_4996_VVCLKAMVZSXDSOVQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1652-133-0x00007FF670E30000-0x00007FF6729E0000-memory.dmp

Filesize
27.7MB

Download
memory/1652-134-0x00007FF670E30000-0x00007FF6729E0000-memory.dmp

Filesize
27.7MB

Download
memory/2056-437-0x0000000000400000-0x000000000076C000-memory.dmp

Filesize
3.4MB

Download
memory/2056-430-0x0000000000400000-0x000000000076C000-memory.dmp

Filesize
3.4MB

Download
memory/2056-146-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/2056-144-0x0000000000400000-0x000000000076C000-memory.dmp

Filesize
3.4MB

Download
memory/2056-140-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/2216-741-0x00007FF6ED770000-0x00007FF6EF320000-memory.dmp

Filesize
27.7MB

Download
memory/2216-745-0x00007FF6ED770000-0x00007FF6EF320000-memory.dmp

Filesize
27.7MB

Download
memory/2216-746-0x00007FF6ED770000-0x00007FF6EF320000-memory.dmp

Filesize
27.7MB

Download
memory/2404-143-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2404-135-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2584-740-0x00007FF670E30000-0x00007FF6729E0000-memory.dmp

Filesize
27.7MB

Download
memory/2584-737-0x00007FF670E30000-0x00007FF6729E0000-memory.dmp

Filesize
27.7MB

Download