77da860cd56ac35ea77e4768745a0c36a3662ad08fca31aa6a5ab1cec5c3d4e0

Resubmissions

05-06-2024 15:48

240605-s8zxpsbb5y 1

Analysis

max time kernel
1036s
max time network
965s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

873d16767e0895ff109b2a2ae61335f5_JaffaCakes118.html
Size

175KB
MD5

873d16767e0895ff109b2a2ae61335f5
SHA1

15ce4fd25f2709f3a3379a41e51337ddfa6c773c
SHA256

77da860cd56ac35ea77e4768745a0c36a3662ad08fca31aa6a5ab1cec5c3d4e0
SHA512

280efb73feb2b569444212a708be2e1d9432752ececc7302f4841235c6d76f3d50f2732f12d867b289f9c881a282abf5709918435344d91948ee7570a2d436f5
SSDEEP

1536:SqtY8hd8Wu8pI8Cd8hd8dQg0H//3oS34GNkFjYfBCJisl+aeTH+WK/Lf1/hmnVSV:SBoT34/F6BCJiZm

Score

10^/10

agilenet evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MrsMajor3.0.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	MrsMajor3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 2 IoCs

Processes:

MrsMajor3.0.exeeulascr.exe

pid process

5244 MrsMajor3.0.exe
1732 eulascr.exe
Loads dropped DLL 1 IoCs

Processes:

eulascr.exe

pid process

1732 eulascr.exe

pid	process
5244	MrsMajor3.0.exe
1732	eulascr.exe

pid	process
1732	eulascr.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\C2E9.tmp\eulascr.exe	agile_net
behavioral1/memory/1732-898-0x0000000000050000-0x000000000007A000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

177 raw.githubusercontent.com
178 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
177	raw.githubusercontent.com
178	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{EFA9A521-CBE2-45FE-B03F-05E800930C93}	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 281639.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 281639.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
3396	msedge.exe
3396	msedge.exe
4872	msedge.exe
4872	msedge.exe
1268	identity_helper.exe
1268	identity_helper.exe
2880	msedge.exe
2880	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
4080	msedge.exe
4080	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exe

pid	process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

msedge.exe

pid	process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MrsMajor3.0.exe

pid process

5244 MrsMajor3.0.exe

pid	process
5244	MrsMajor3.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4872 wrote to memory of 2936	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 2936	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 4132	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3396	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3396	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe
PID 4872 wrote to memory of 3084	4872	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\873d16767e0895ff109b2a2ae61335f5_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1ec946f8,0x7ffa1ec94708,0x7ffa1ec94718
2⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
2⤵
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
2⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:2556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
2⤵
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
2⤵
PID:5948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
2⤵
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
2⤵
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:8
2⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
2⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
2⤵
PID:1084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
2⤵
PID:5212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
2⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
2⤵
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
2⤵
PID:6088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
2⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6352 /prefetch:8
2⤵
PID:3756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4996 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
2⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
2⤵
PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
2⤵
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
2⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
2⤵
PID:1680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6084 /prefetch:8
2⤵
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
2⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7136 /prefetch:8
2⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,14244146967458779823,14912474929864721473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6968 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4080

C:\Users\Admin\Downloads\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\MrsMajor3.0.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5244

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\C2E9.tmp\C2EA.tmp\C2EB.vbs //Nologo
3⤵
- UAC bypass
- Checks computer location settings
- System policy modification
PID:216

C:\Users\Admin\AppData\Local\Temp\C2E9.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\C2E9.tmp\eulascr.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\41ed9f61-c283-4bb1-b8b0-50f08792a205.tmp
Filesize
12KB

MD5
4d7ef9642166e607e05624f1dc7889e5

SHA1
1924984915fb8a4e2d1a37e1b67a45a7d7df8c9a

SHA256
25a5656cec291f59f1e231dee4bb1cc9766cc0355d54ba72a5f66d7afa5fef27

SHA512
679565ad0cc7e0f2a468afd7983ea13a9a56f8bba0584fd0cd286d80fe3b939813882e0b58c94c35269db915ef15d55c9bb7e8e58f6ff1502cdd9bf998d50133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
Filesize
63KB

MD5
5d0e354e98734f75eee79829eb7b9039

SHA1
86ffc126d8b7473568a4bb04d49021959a892b3a

SHA256
1cf8ae1c13406a2b4fc81dae6e30f6ea6a8a72566222d2ffe9e85b7e3676b97e

SHA512
4475f576a2cdaac1ebdec9e0a94f3098e2bc84b9a2a1da004c67e73597dd61acfbb88c94d0d39a655732c77565b7cc06880c78a97307cb3aac5abf16dd14ec79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
Filesize
69KB

MD5
c0b23ab60efb763d27f9f92b50b6728f

SHA1
259f669d1089469b1485ab4c07942c8f32431267

SHA256
c066161623da6821af1d38fb2fc8b5026e89caf02416be88d9543d1a0d337f1f

SHA512
0a43c9a501a2b462b19abca689815b4a8ddab19b1abef51072f86686fe6c20f555b9d4edc62cc41d3dff6f364269507a75da6d43ec11eec129d28a44857bb717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
42KB

MD5
b14b132b897c73798c66917791717e4d

SHA1
6f3399e17e1cadc0e1cd9272eb20f17741df2948

SHA256
31ec27e6031e6bb365a0408e96d01c603e0ac60e4d69d118177bd63ed463197c

SHA512
803a051eafb972fd61efd79189afb4d954a5f795c504788872045455ea01acca35464acc1b52e705fd503405b1c6b1eb024e10a43943f6bb2cef3aaaff5bb558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
Filesize
19KB

MD5
635efe262aec3acfb8be08b7baf97a3d

SHA1
232b8fe0965aea5c65605b78c3ba286cefb2f43f

SHA256
8a4492d1d9ca694d384d89fa61cf1df2b04583c64762783313029ae405cbfa06

SHA512
d4b21b43b67697f1c391147691d8229d429082c389411167386f5c94e3a798f26c2457adf6d06caec446106e0f0aa16d895bfc4e8a1ff9e9c21a51173a923e3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
64KB

MD5
2923c306256864061a11e426841fc44a

SHA1
d9bb657845d502acd69a15a66f9e667ce9b68351

SHA256
5bc3f12e012e1a39ac69afba923768b758089461ccea0b8391f682d91c0ed2fa

SHA512
f2614f699ac296ee1f81e32955c97d2c13177714dbd424e7f5f7de0d8869dd799d13c64929386ac9c942325456d26c4876a09341d17d7c9af4f80695d259cfea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
Filesize
88KB

MD5
77e89b1c954303a8aa65ae10e18c1b51

SHA1
e2b15a0d930dcc11f0b38c95b1e68d1ca8334d73

SHA256
069a7cc0309c5d6fc99259d5d5a8e41926996bbae11dc8631a7303a0c2d8c953

SHA512
5780d3532af970f3942eecf731a43f04b0d2bdb9c0f1a262dbd1c3980bcc82fe6d2126236ad33c48ea5434d376de2214d84a9a2ccec46a0671886fe0aa5e5597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
Filesize
1.2MB

MD5
882a1e1f1cd7ce33ccd4c8c0ecf5e2fa

SHA1
3b8a1b5d383c7c86b7e208310e0d9b42871a8f5b

SHA256
52a4429b86802852fa95506e5dd2d27a25f1d9c82792dcc26bc905e04e2a52f2

SHA512
e86edb1f019835dee4d403f355f5fcba8271ca46b900d6f4ed4b4e53cd5084d6a3512468bf11c506baf0fb4b27dbbf1a3f6994051ac59b5dc72c54c37fee6496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
52f13b722781b5cb753399a5a5e40d41

SHA1
1ad8518144574f6d838f73afb23534d56743446c

SHA256
c361f68815a1d42cc33173000e2c279b6a8a02c89f4a37142b3215fe80d992a5

SHA512
9756c63978374faf8a3f3a37269d6dbdf728d624691dd1c201eb53911b083f270f51d4732b66537a835b77709a894574632c0cbb78d25ca0c0465652220456d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
08830b5ac705c25b90ad5aaf09734fa2

SHA1
868b357f5104a7e655fb506e71e0a95d1db3e6cd

SHA256
3d6e3937aa493785f462e48fda0fadd98adc36df1a4c99683deb4eb342ef641e

SHA512
8c0ed8d69287a0c46124617ffd618d18a7282dace6dc767ab7d67c4e0eddf8e335b3e6103af1ffba4a832f0508c4585f7214df6d634d58df8a44448b9e7a28a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
c9fc88a71757eb481e1c47e49a4bfa01

SHA1
72b7c78d41f0e4154c45b3a7d8a24ba7f78f11a3

SHA256
2459563d8e8b881429144f5fc515561eb9feebfc1936e85f01449570041ef097

SHA512
3a96d9dd5015a7e7c31f31969f273303edf2efa75965ecfcf0b66099d36c4667a8da6383ef0a44b4dbaf7a15824482e124604a695a186af3990fa4277dd86ec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
d13a2b601555351a4d67e888b32f6e1b

SHA1
23620f29c24c54e6973ae14e045ba5f6e42ac7cf

SHA256
4897dc843b142a4c4cd9667dd6f069087b83c9429d3ccdc78dc166181137548b

SHA512
2e3614a77e406b5cb5d4ed132c63c733c1b7f9edd9c74283b145650fa4850492aae4520be909432b97fa6f6bb4972e42bdb0a4d187b86fe4a8f47e4dbe6c8656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
d11bc5fb0819029c336e7adda8cefe4a

SHA1
8a7942d8690344182cfac0bebabc82bc3daa7339

SHA256
79f98e21705fbf154bcb0979c8f235c5e85f3fb5d2d3a959102346f966441ad6

SHA512
418c817b4cc5e6637a3a35b1e721419a8114248e22164f2e2daa40f37452028f56fc5c333ce0dbf0df18002ee54d397509d260a6aa73a5e80236742a3b23f602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
e14f426ef5d3678d4a09f5b9da18bdc3

SHA1
fc2be080f7e5a21caa739be8fff1e541697482cf

SHA256
93b5c39ed7f4ee881fe5cc6f01a0582d2b90c14e0f1fb7adda3908abb648a720

SHA512
8917140ff27c3711d87e9970ecba613fb4ca71f058d3f093e52e0b986865b64fd2b67bd05e13208a5f240eed0f5a88f26273879a6d4307f65d24dfedcf626d04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
d1c1f63a22fa2fcd25a93d75e03fe687

SHA1
73f88461c7468c603184a98a299e148cdf1f46fb

SHA256
4687ca250010c7b5ae11dc2ec0475f0f847ed0b8ad3199a241d26b2937b64e83

SHA512
15a9ff65ea9086d46ffbecd5fe501ecbc638454b4a2b4b89f625cc8c842bdc8c09d550bb9d4625ec7a7285405bac983ca7d2bcb4a55a7018720e90a5f7861ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
c3cc19ef06fd2f83af2bc5fb1d8b03d0

SHA1
06cb9251e3568122b88cb4a0225314fe46ed8e54

SHA256
8a2459c4de06b98291148c4a40f21dee01da7f966486f12c2cfd5b14bf19bc91

SHA512
4511a27f79ff68436521b57d72556a42d350954af680a1c56a29d6e78c3da0e0435620bcf66b9354d13a10e1471be8bc24fd64a9adeb96483fc0eda286aefd03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f309921792636f06eed2b1517a8f7871

SHA1
93141eedd2340c8df608b4780f04288db0ccf80b

SHA256
4ed2e2dd31d32eae64a0d7dea031b6634d8201b0cf070f346c849d3d8daabce8

SHA512
aaadebc47ee5f4f36f2794d5c24070071103539b97b3873b783d9449518006b6fe1f6f1ab6eee4e8dddb3c2337072620e5ec5ae5e3f72d5b10f71f99b5a36428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
342becbb099c621cb1c7fbaa5538bed9

SHA1
b4f3b7879ae8f25ba3b141a3656130a25de12d97

SHA256
57f04cf27dd1fdd80554a8d95b590541294cb6d4c4171878d67bbdbe9299a100

SHA512
e0485d42c5cecdea9ca1cab01d1826509997f2d52e6416afd754da6dade2e9e6027193976d7a9d621668fc2c70f5b0efce335f06b1d301878e944225d5507e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
888746f928b5dcd914d6ef4e9c3cabe5

SHA1
04a9ddcd8233b957141e58d3ea75436a37f4c1d6

SHA256
ad306137c93bc5e782a316e97621d4329e051a8f0dfd8a8fd5c2bca9ea1b35e8

SHA512
3ed30e68b81a74e4d44bc6e12c8cfdb6a7ca37255a7f3b2f81b6319c2667dd3b24d358a5ee42c1f02f3ebe6a65e29ac3aca7ca75d2afaf49277442d452befd5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
b2929d157006e50dc331cc4ce7dadb38

SHA1
aeb5a0fdd37534a210c9173d27492f931afda57b

SHA256
508b359c87da1d87d8bb9a2ae989d58e346af30555c22da03d3648c959ddcba4

SHA512
9f4ca10844f596d436bc30c5f68f6b31d035d14929b24a29a29d702a2cc249c1fd6bd91b3a4c81e9c2fbc144e1eee9417c570d751ed77cf6a0f53013b6122ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
475fc2df1f0f4a0c0bd01d17b3669a1e

SHA1
8752597100055a8049e3defe418ecb73422c6357

SHA256
e1cee694fe60a77606a0ed8cf5c6884722f7498b2ea7b53b1da948c14f058baa

SHA512
ebb5641f5c22c905de38e1371eee3dc02264fce3dbdb6a5d84e497aa0545dab761155816fc1c568a76dee0168b98674b27fee4168da677c0d202fc230953aa4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
f2293c310c6a25fdab7824f9e7b6c0d5

SHA1
38f7d575ea3e1c23a1e7958e92566061c38c6996

SHA256
a8b042e632be795b05fed0b559f3b4f10f9ee9734eab19f91579231375654abe

SHA512
57559532abe860ee0b6d22e05a02b66d430186f7eb37d96e8c9b68ca97e46e287ddfd72bdc019a36566760150cdaa181e46c69778eeefdfa19a726ecd736f58c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
22b960aa5ca7797a3f0753691f2042e9

SHA1
40ad076181b893c94850ebf5a65d115cededb80a

SHA256
33169549da3dc5998173f54658f789f50273144620964f0c9de0f35a2863322c

SHA512
78eb7c24bafe742eeae6a0dbeb968993f4a6a0ec96c0a8e25e463b65ca074bc21b7b6f9e6524d219b90875217077a4a89861fe0862ea1cfd16e06aa06c04300e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
8174c6bc857cc9cc9060e7b00d01ed77

SHA1
a29d585dc61263f092ac356d5f7c14f0c6c8511c

SHA256
09470661b96e4e4ebd000f9b8903bf2c6e6e706e8339516bd2bee3ec6bc3cd7c

SHA512
c86869dab64f5f5affc888b7ff67608f8d5e51fe681d8170bf0ad8abd3388920fc60503a1720cd98225f85509415f02031d97d7e3b97aae7acbd8a2c71234bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
99cf54eb2dfae0543d786b08179e9275

SHA1
bdfaa8a87957e8a12c3655c684c6575587e98b00

SHA256
a9bea47507fe0f15e45278d0987ff654b79db17cdca0b5a629687c535aadc2e0

SHA512
d4a1fa0a2de44ab0a54947b8bef785bd277d271c79acecd6f2b95bc93d55b9f142d1330459e518390f0682fdcce9fa433e26ae48821f66dddceb1264b7ea83d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
411c7c614dd724b208d71eb779873636

SHA1
5c8d5cbac3f1bc4af37275b0bd88ce1f73ebc0dc

SHA256
69ff79ce56768d690121897d3ba118166c78637419807b966cfa44c97c1dc48c

SHA512
4544d32d7642434e006e705f30d541d92bf7486d2da09911f0fc36e149126ed6b1e31b035fe574d2482725121a622cbe1a0fd9538b4c1b0c3a4c5baf2dd2ed47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
808fd35b717628cf7f7146b3e049c8af

SHA1
463456a73650f6230a4c37dd724fa7cce6f7163c

SHA256
1cda5ea497d23aadc09d38f241909d58c2a9f3b5e922c977dd3b4d3e6d68a8e5

SHA512
1103b29dd77d23a0b0155e4ecae5c7ead7b17ff895e7757e0c62307477017393937c58b441db171696f07066253db71c681fd1b8519a277e1b7a074e6e96e9f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
53800646158e41f9938d1c5fc2a1bb2e

SHA1
3bc4e565fee5b3d5ba87d31b637489cd06fd5311

SHA256
18f5ae1a6abd559f4ff4a21e7417676f2a1ab2760338869060d10a6a5c2af3ff

SHA512
dec3966c745ada18d3643a39c75a67993129edf6357ae895cb3f1ab3db4674e427a427ee4ba7c768237b427990c0e2f17bbead23cd93071acdf5dd1f55d5207a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578ccf.TMP
Filesize
372B

MD5
d01e455699c8d8c75a44f67367f543ae

SHA1
5238b0b8d344dd4c53dd812686e810384006fd66

SHA256
35171e8f734ebc6459ac45e5f289c0ebeea6a59c8cb3dc168179665b4a7df6fc

SHA512
7fd6fb645c567921cdaa3c4aae21aafea9d3af1e2a4269599784f566d6bb4efd79e57c1442906877ff1edd80d663eeb38a4998e27e3992aa304ad6246a06fec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
743689fd694e00f37c9663fa6f122e8e

SHA1
563c5670d6fd3b979cc0f274d30700c2a196396f

SHA256
fd59fd5032f2a60970d1b8738950c66752a92bbaddfbc153c3ad229d89d40ef2

SHA512
b7c012197bd747b3b96f362d64680173013992ceecd6be8fdc934e02bc8428ff85fa793cc6dcdccb284d012a085a50290fb01af52dafbd0a6f5ab6598aeb1133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
6e43d46d6bbb7befbe705080c023ea45

SHA1
2dc7f3ef5532ee68a3bee2a1f13613b2cd01cedd

SHA256
db7498f619e523e1eeaa3afd2d0ba8d09543b9da92e208e0ad48020d0bbea1ff

SHA512
05d2e0973a4d29e0690696c77e9f46f67fe1182e6cb05920b7752542f08f1afa88444cb2c9cb469fda1d21d7e002a5d0b3b41e40be1fb11a52bdb838c025653b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2E9.tmp\C2EA.tmp\C2EB.vbs
Filesize
352B

MD5
3b8696ecbb737aad2a763c4eaf62c247

SHA1
4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

SHA256
ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

SHA512
713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2E9.tmp\eulascr.exe
Filesize
143KB

MD5
8b1c352450e480d9320fce5e6f2c8713

SHA1
d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

SHA256
2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

SHA512
2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 281639.crdownload
Filesize
381KB

MD5
35a27d088cd5be278629fae37d464182

SHA1
d5a291fadead1f2a0cf35082012fe6f4bf22a3ab

SHA256
4a75f2db1dbd3c1218bb9994b7e1c690c4edd4e0c1a675de8d2a127611173e69

SHA512
eb0be3026321864bd5bcf53b88dc951711d8c0b4bcbd46800b90ca5116a56dba22452530e29f3ccbbcc43d943bdefc8ed8ca2d31ba2e7e5f0e594f74adba4ab5

Download Submit
\??\pipe\LOCAL\crashpad_4872_DWIBCLLEKSVXYVQW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1732-898-0x0000000000050000-0x000000000007A000-memory.dmp

Filesize
168KB

Download
memory/1732-905-0x00007FFA0DB10000-0x00007FFA0DC5E000-memory.dmp

Filesize
1.3MB

Download
memory/1732-906-0x000000001D170000-0x000000001D332000-memory.dmp

Filesize
1.8MB

Download
memory/1732-907-0x000000001D870000-0x000000001DD98000-memory.dmp

Filesize
5.2MB

Download