hxxps://fdl[.]echo[.]ac/7B69FC-a2tlemxw

Analysis

max time kernel
1680s
max time network
1685s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
10/06/2024, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://fdl.echo.ac/7B69FC-a2tlemxw

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe

Executes dropped EXE 11 IoCs

pid	Process
3124	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4652	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4908	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1756	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
3856	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1516	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
672	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1524	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1772	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
2944	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
2472	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe

Checks whether UAC is enabled 1 TTPs 11 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
3124	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4652	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4908	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1756	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
3856	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1516	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
672	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1524	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1772	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
2944	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
2472	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 421124.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 912571.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2848	msedge.exe
2848	msedge.exe
1336	msedge.exe
1336	msedge.exe
1444	msedge.exe
1444	msedge.exe
2148	identity_helper.exe
2148	identity_helper.exe
2820	msedge.exe
2820	msedge.exe
3124	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
3124	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
3124	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4652	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4652	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4652	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4908	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4908	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4908	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1756	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1756	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1756	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
3856	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
3856	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
3856	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1516	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1516	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1516	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
672	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
672	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1524	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1524	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
672	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1524	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1772	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1772	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1772	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
2944	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
2944	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
2944	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
2472	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
2472	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
2472	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Token: SeDebugPrivilege	4652	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Token: SeDebugPrivilege	4908	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Token: SeDebugPrivilege	1756	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Token: SeDebugPrivilege	3856	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Token: SeDebugPrivilege	1516	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Token: SeDebugPrivilege	672	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Token: SeDebugPrivilege	1524	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Token: SeDebugPrivilege	1772	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Token: SeDebugPrivilege	2944	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
Token: SeDebugPrivilege	2472	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe
1336	msedge.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
3124	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4652	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
3124	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4908	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4652	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
4908	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1756	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1756	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
3856	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
3856	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1516	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1516	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
672	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1524	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1524	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
672	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1772	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
1772	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
2944	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
2944	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
2472	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
2472	echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 5004	1336	msedge.exe	78
PID 1336 wrote to memory of 5004	1336	msedge.exe	78
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 4420	1336	msedge.exe	79
PID 1336 wrote to memory of 2848	1336	msedge.exe	80
PID 1336 wrote to memory of 2848	1336	msedge.exe	80
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81
PID 1336 wrote to memory of 896	1336	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://fdl.echo.ac/7B69FC-a2tlemxw
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd89113cb8,0x7ffd89113cc8,0x7ffd89113cd8
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
  "C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3124
- C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
  "C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4652
- C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
  "C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:1396
- C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
  "C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:672
- C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
  "C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,14603522813373032412,6409006038677738816,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5040 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3764

C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
"C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
"C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
"C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
"C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
"C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe
"C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8e1dd984856ef51f4512d3bf2c7aef54

SHA1
81cb28f2153ec7ae0cbf79c04c1a445efedd125f

SHA256
34afac298a256d796d20598df006222ed6900a0dafe0f8507ed3b29bfd2027d7

SHA512
d1f8dfc7fdc5d0f185de88a420f2e5b364e77904cab99d2ace154407c4936c510f3c49e27eed4e74dd2fbd850ad129eb585a64127105661d5f8066448e9f201d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ffa07b9a59daf025c30d00d26391d66f

SHA1
382cb374cf0dda03fa67bd55288eeb588b9353da

SHA256
7052a8294dd24294974bb11e6f53b7bf36feeb62ce8b5be0c93fbee6bc034afb

SHA512
25a29d2a3ba4af0709455a9905a619c9d9375eb4042e959562af8faa087c91afafdb2476599280bbb70960af67d5bd477330f17f7345a7df729aaee997627b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
b96b92b2dccbcbca6c5289e5d5fe51a7

SHA1
fde2919e790c6098c3e5a79e3c721cbafe95398f

SHA256
6d25396aba05fd8349a3cd7f21f3905f2aa1a1c2d6f31f8b5d97434dcf2da108

SHA512
0b9426c799265e2ce90870e17e0a999b31e18c7dda165dfe66187fbc3de74942d7b6e7b741d7a6fcc259cc33ecb5fd629f684328c8a0779a086ba4e81b715e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7e81807acce488c2cd8df00af6c1c693

SHA1
78f4d3bd0c13f48019cb4e0b05494ca8da9c85aa

SHA256
513b9db4c214fd93f6be25ab275fb78589c1a3651b6aaa066d5200cabcf12fda

SHA512
33d6a51569424d36be3a1f8432ecffadde7fce256394cebe332cc2b7a1d21adf11eb6efa56dd4c606667cb4e89ba538b26879d890b7d48bfc2b99ca368b41333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b579b73ea3df280d73126c422e979bee

SHA1
f49197625910a81f38b320516089f8fff19a3a24

SHA256
765f765a82a706988c8c0050acd5db6ee968d6a4c0125b6252ae7e3ec2c07f24

SHA512
f15ab5b017c39141f286c963777a9fda206b8c67d5574026826a93780429c5bae2864c94b8780f4293398dd6171071e9195ffa16bdc442ee46139ec3fcd68ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec84eb004fb346cb580cf946143ba139

SHA1
d130aba37243d704fbfed7b25ffba0bfcb442b9e

SHA256
fbd51e4034d4028740f319a6afb5d3a81d353a336650bcd870178f5a2bdd69fa

SHA512
689f21684dcc777a52204f4908a433c5010e2ab29c28c94e5f4949e2674e2fa04880731b8b62e7f96c5be562d5b60958b061200af45da83c7be7ee538d69c288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
889f7ce6ca4f9253faa62d417597724f

SHA1
7efc334edea78774df21ddd70f210f505895bfcb

SHA256
9e93b809359bf4748c135f633d73fe139ec9dd5fc35c3b211ac236214c72e5cd

SHA512
e017780ff5a89da3240b6a2aa51c8e978183c0d5a8aed8d4539365966c6060163f6f21cbb145a0ff38bc3ba61985386a4ec9971007a61df4a17cff3e559e1300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4692772667eede2a43fcf09cc4a38882

SHA1
fdc1782452c2a246518be8404f2b949ff86b3ad0

SHA256
4e4075d018cba34bc7b68df43324fe2faa38945034ddc0f733cfa199c5559f24

SHA512
b994500b2b88498d620b7e90214467d8ceb86e845fe31c280a1062c6b09f06fce17f84f5daa29af8cafdde2ad89255a725cf24a8da5e039b79e6e307724c45dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2e1125bcfa11b2f8e9ba9b7d9c8efce6

SHA1
54e39703d08fe1b7e6b112b71b322fa8892945c1

SHA256
76b39be380ddf6ba8e230034f75dbac588c2482cae6c6988b0ae3e2500d5af81

SHA512
a19d600ca72602613ba36ad950027545e478915e880cf6454b301f985af758b591cfe2208b36625ae311e308abebeffb7c8fb9a9d9665621a0475a49ffc2867a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e7d4eff11d9ecee47138f185b912801c

SHA1
8ce6625e7d6b9dfe7058642783792de89bb3dd21

SHA256
b09502f82f70ef9541766d0aa1d62f1c86fbc8e882631c0683e7af45f50e2648

SHA512
feca754d9a523efa1ed66e464616eb7dcc0fa8389cf7203a20d5722c9e87bd5d2b7257933401d0094019c5103b026e5967ec7c8ca403779fa3b1e7585e673966

Download Submit
C:\Users\Admin\Downloads\13d4722c-0d92-4af0-8bb5-ae492c74ee27.tmp

Filesize
29.2MB

MD5
becf89fc3466b6604efd19c0b9f48858

SHA1
437b027a9b65d894b286a3ee12665309aeb3daed

SHA256
c43fa18baad8a06cd5bba7e7e7f56bae13f7a22a65decb05abbf8239042ba281

SHA512
a2603f796ae4e669b67c1c9c00645baff5e3764ed7f8eda49cba0f61953c919ee43b050dc06ce4355004166556dc0955efc9b0cf1488c27f19c1ec9eb17f4476

Download Submit
C:\Users\Admin\Downloads\echo-7B69FC-a2tlemxw-zzLlAQ-f (1).exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1516-291-0x0000000049B20000-0x0000000049F8C000-memory.dmp

Filesize
4.4MB

Download
memory/1516-290-0x0000000140000000-0x0000000142C84000-memory.dmp

Filesize
44.5MB

Download
memory/1756-234-0x0000000180000000-0x0000000180008000-memory.dmp

Filesize
32KB

Download
memory/1756-242-0x0000000049B00000-0x0000000049F6C000-memory.dmp

Filesize
4.4MB

Download
memory/1756-241-0x0000000140000000-0x0000000142C84000-memory.dmp

Filesize
44.5MB

Download
memory/3124-174-0x0000000180000000-0x0000000180008000-memory.dmp

Filesize
32KB

Download
memory/3124-182-0x0000000140000000-0x0000000142C84000-memory.dmp

Filesize
44.5MB

Download
memory/3124-183-0x0000000049020000-0x000000004948C000-memory.dmp

Filesize
4.4MB

Download
memory/3124-181-0x0000000140000000-0x0000000142C84000-memory.dmp

Filesize
44.5MB

Download
memory/3856-280-0x0000000140000000-0x0000000142C84000-memory.dmp

Filesize
44.5MB

Download
memory/3856-281-0x0000000049AE0000-0x0000000049F4C000-memory.dmp

Filesize
4.4MB

Download
memory/4652-193-0x0000000048EC0000-0x000000004932C000-memory.dmp

Filesize
4.4MB

Download
memory/4652-192-0x0000000140000000-0x0000000142C84000-memory.dmp

Filesize
44.5MB

Download
memory/4908-201-0x0000000140000000-0x0000000142C84000-memory.dmp

Filesize
44.5MB

Download
memory/4908-202-0x0000000049B30000-0x0000000049F9C000-memory.dmp

Filesize
4.4MB

Download
memory/4908-194-0x0000000180000000-0x0000000180008000-memory.dmp

Filesize
32KB

Download