hxxps://down[.]easeus[.]com/product/drw_free?ref=%2Fdownload[.]htm

Analysis

max time kernel
548s
max time network
548s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://down.easeus.com/product/drw_free?ref=%2Fdownload.htm

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
3944	drw_fr_installer.262.exe
5576	EDownloader.exe
2788	InfoForSetup.exe
2980	InfoForSetup.exe
560	AliyunWrapExe.Exe
5560	drw_fr_installer.262.exe
6360	EDownloader.exe
6596	InfoForSetup.exe
1488	InfoForSetup.exe
6972	InfoForSetup.exe
3196	InfoForSetup.exe
6904	InfoForSetup.exe

Loads dropped DLL 8 IoCs

pid	Process
2788	InfoForSetup.exe
2980	InfoForSetup.exe
560	AliyunWrapExe.Exe
6596	InfoForSetup.exe
1488	InfoForSetup.exe
6972	InfoForSetup.exe
3196	InfoForSetup.exe
6904	InfoForSetup.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	SystemSettingsAdminFlows.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	SystemSettingsAdminFlows.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\PBR\Panther\diagwrn.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\ReAgent\ReAgent.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\WinRE	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\INF\setupapi.setup.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\cbs_unattend.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\DDACLSys.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\diagwrn.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\unattend.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\INF\setupapi.app.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\MainQueueOnline0.que	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\setuperr.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\PushButtonReset.etl	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\UnattendGC\setuperr.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\diagerr.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\BCDCopy	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\SessionID.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\INF	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\setuperr.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\ReAgent\ReAgent.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\BCDCopy.LOG	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\INF\setupapi.offline.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\_s_33B3.tmp	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\INF\setupapi.setup.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\Contents0.dir	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\setuperr.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\unattend.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\PushButtonReset.etl	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\INF\setupapi.offline.20191207_091437.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\UnattendGC	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\setupact.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\_s_350C.tmp	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\SessionID.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\BCDCopy	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\INF\setupapi.dev.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\UnattendGC\diagerr.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\UnattendGC\diagerr.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\Contents0.dir	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\diagerr.xml	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\setupinfo	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\BCDCopy.LOG2	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\CBS	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\ResetSession.xml	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\ReAgent	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\DISM\dism.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\cbs_unattend.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\setupact.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\INF\setupapi.offline.log	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\CBS\CBS.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\setup.etl	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\setupinfo	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\BCDCopy.LOG1	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\INF\setupapi.dev.log	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq	SystemSettingsAdminFlows.exe
File opened for modification	C:\Windows\Logs\PBR\Panther\setup.exe	SystemSettingsAdminFlows.exe
File created	C:\Windows\Logs\PBR\Panther\Contents1.dir	SystemSettingsAdminFlows.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\drw_fr_installer.262.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\drw_tr_installer.17230591998728b262a12012715.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drw_fr_installer.262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drw_fr_installer.262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AliyunWrapExe.Exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "58"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{779E15F3-C628-4B31-936D-8F486FD988D1}	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\drw_fr_installer.262.exe:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 805892.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\drw_tr_installer.17230591998728b262a12012715.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
704	msedge.exe
704	msedge.exe
5808	msedge.exe
5808	msedge.exe
4324	msedge.exe
4324	msedge.exe
6504	identity_helper.exe
6504	identity_helper.exe
6800	msedge.exe
6800	msedge.exe
6800	msedge.exe
6800	msedge.exe
5996	msedge.exe
5996	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	6132	firefox.exe
Token: SeDebugPrivilege	6132	firefox.exe
Token: 33	7088	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	7088	AUDIODG.EXE
Token: SeDebugPrivilege	6132	firefox.exe
Token: SeDebugPrivilege	6132	firefox.exe
Token: SeDebugPrivilege	6132	firefox.exe
Token: SeDebugPrivilege	6132	firefox.exe
Token: SeDebugPrivilege	6132	firefox.exe
Token: SeBackupPrivilege	776	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	776	SystemSettingsAdminFlows.exe
Token: SeSystemEnvironmentPrivilege	776	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	776	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	776	SystemSettingsAdminFlows.exe
Token: SeSecurityPrivilege	776	SystemSettingsAdminFlows.exe
Token: SeTakeOwnershipPrivilege	776	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	6488	vssvc.exe
Token: SeRestorePrivilege	6488	vssvc.exe
Token: SeAuditPrivilege	6488	vssvc.exe
Token: SeTakeOwnershipPrivilege	776	SystemSettingsAdminFlows.exe
Token: SeTakeOwnershipPrivilege	776	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	776	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	776	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	776	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	776	SystemSettingsAdminFlows.exe
Token: SeShutdownPrivilege	776	SystemSettingsAdminFlows.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe
5808	msedge.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
3944	drw_fr_installer.262.exe
5576	EDownloader.exe
2788	InfoForSetup.exe
5576	EDownloader.exe
5576	EDownloader.exe
2980	InfoForSetup.exe
6132	firefox.exe
6132	firefox.exe
6132	firefox.exe
5560	drw_fr_installer.262.exe
6360	EDownloader.exe
6596	InfoForSetup.exe
1488	InfoForSetup.exe
6972	InfoForSetup.exe
3196	InfoForSetup.exe
6904	InfoForSetup.exe
776	SystemSettingsAdminFlows.exe
5976	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5616 wrote to memory of 6132	5616	firefox.exe	83
PID 5616 wrote to memory of 6132	5616	firefox.exe	83
PID 5616 wrote to memory of 6132	5616	firefox.exe	83
PID 5616 wrote to memory of 6132	5616	firefox.exe	83
PID 5616 wrote to memory of 6132	5616	firefox.exe	83
PID 5616 wrote to memory of 6132	5616	firefox.exe	83
PID 5616 wrote to memory of 6132	5616	firefox.exe	83
PID 5616 wrote to memory of 6132	5616	firefox.exe	83
PID 5616 wrote to memory of 6132	5616	firefox.exe	83
PID 5616 wrote to memory of 6132	5616	firefox.exe	83
PID 5616 wrote to memory of 6132	5616	firefox.exe	83
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 5088	6132	firefox.exe	84
PID 6132 wrote to memory of 4320	6132	firefox.exe	85
PID 6132 wrote to memory of 4320	6132	firefox.exe	85
PID 6132 wrote to memory of 4320	6132	firefox.exe	85
PID 6132 wrote to memory of 4320	6132	firefox.exe	85
PID 6132 wrote to memory of 4320	6132	firefox.exe	85
PID 6132 wrote to memory of 4320	6132	firefox.exe	85
PID 6132 wrote to memory of 4320	6132	firefox.exe	85
PID 6132 wrote to memory of 4320	6132	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://down.easeus.com/product/drw_free?ref=%2Fdownload.htm"
1⤵
- Suspicious use of WriteProcessMemory
PID:5616
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://down.easeus.com/product/drw_free?ref=%2Fdownload.htm
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:6132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4af911c4-12b1-4931-a760-4a9e05e227bf} 6132 "\\.\pipe\gecko-crash-server-pipe.6132" gpu
    3⤵
    PID:5088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a8a4ff0-b6d5-440b-a510-638401cea121} 6132 "\\.\pipe\gecko-crash-server-pipe.6132" socket
    3⤵
    PID:4320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3308 -childID 1 -isForBrowser -prefsHandle 3216 -prefMapHandle 3212 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc6ec8e4-8769-4266-9f44-8fa50d31cbf9} 6132 "\\.\pipe\gecko-crash-server-pipe.6132" tab
    3⤵
    PID:5476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3628 -childID 2 -isForBrowser -prefsHandle 2764 -prefMapHandle 3616 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cd45c6a-06a7-4e30-8eb1-61ea4e29f49e} 6132 "\\.\pipe\gecko-crash-server-pipe.6132" tab
    3⤵
    PID:3800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4416 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4392 -prefMapHandle 4412 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b72cf4f7-2370-404d-b78e-c881a4b8ed97} 6132 "\\.\pipe\gecko-crash-server-pipe.6132" utility
    3⤵
    - Checks processor information in registry
    PID:6096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5280 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48d8656c-3458-4538-8aac-b401569bfe33} 6132 "\\.\pipe\gecko-crash-server-pipe.6132" tab
    3⤵
    PID:444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72ae1210-e266-4ae2-97a3-4f0c5d565570} 6132 "\\.\pipe\gecko-crash-server-pipe.6132" tab
    3⤵
    PID:2252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5664 -childID 5 -isForBrowser -prefsHandle 5672 -prefMapHandle 5676 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df9d60a9-acbf-448e-a8e3-264a0b1da085} 6132 "\\.\pipe\gecko-crash-server-pipe.6132" tab
    3⤵
    PID:3156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1484 -childID 6 -isForBrowser -prefsHandle 3788 -prefMapHandle 3932 -prefsLen 30493 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8043e6ab-b21f-4399-b001-bc3ba2b382dd} 6132 "\\.\pipe\gecko-crash-server-pipe.6132" tab
    3⤵
    PID:3748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6856 -childID 7 -isForBrowser -prefsHandle 3320 -prefMapHandle 6912 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63e8d66f-a652-4548-bfe8-ba755d92588e} 6132 "\\.\pipe\gecko-crash-server-pipe.6132" tab
    3⤵
    PID:3896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5424

C:\Users\Admin\Downloads\drw_fr_installer.262.exe
"C:\Users\Admin\Downloads\drw_fr_installer.262.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3944
- C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe
  "C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\Admin\Downloads ||| EXENAME=drw_fr_installer.262.exe ||| DOWNLOAD_VERSION=free ||| PRODUCT_VERSION=2.0.0 ||| INSTALL_TYPE=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5576
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe
    /Uid "S-1-5-21-4182098368-2521458979-3782681353-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2788
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe
    /SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"United States\",\"Pageid\":\"262\",\"Timezone\":\"GMT-00:00\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.Exe
      C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.Exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:560
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe
    /SendInfo Window "Home_Installer" Activity "Click_Fold_Custom"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe
    /SendInfo Window "Home_Installer" Activity "Click_Install" Attribute "{\"Country\":\"United States\",\"Install_Path\":\"C:/Program Files/EaseUS/EaseUS Data Recovery Wizard\",\"Language\":\"English\",\"Os\":\"Microsoft Windows 10\",\"Pageid\":\"262\",\"Timezone\":\"GMT-00:00\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6972
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe
    /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"2\",\"Errorinfo\":\"0\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=262&lang=English&pcVersion=home&pid=2&tid=1&version=free\",\"ResponseJson\":\"{\\"check\\":1,\\"msg\\":\\"\\u6210\\u529f\\",\\"data\\":{\\"pid\\":\\"2\\",\\"download\\":\\"https:\\/\\/d1.easeus.com\\/drw\\/free\\/drw19.0.0.0_free.exe\\",\\"download2\\":\\"https:\\/\\/d2.easeus.com\\/drw\\/free\\/drw19.0.0.0_free.exe\\",\\"download3\\":\\"https:\\/\\/d3.easeus.com\\/drw\\/free\\/drw19.0.0.0_free.exe\\",\\"version\\":\\"free\\",\\"curNum\\":\\"19.1\\",\\"testid\\":\\"FR191_202485AB1-07242\\",\\"url\\":[],\\"md5\\":\\"CFF02C9F5C55A5516B512374DD649565\\",\\"tj_download\\":\\"test\\",\\"referNumber\\":\\"1000000\\",\\"killSwitch\\":\\"true\\",\\"WriteLogSwitch\\":\\"false\\",\\"configid\\":\\"\\"},\\"time\\":1723059231}\",\"Result\":\"Success\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3196
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe
    /SendInfo Window "Downloading" Activity "Info_Start_Download_Program" Attribute "{\"Downloadfrom\":\"https://d1.easeus.com/drw/free/drw19.0.0.0_free.exe\",\"Pageid\":\"262\",\"Testid\":\"FR191_202485AB1-07242\",\"Version\":\"free\",\"Versionnumber\":\"19.1\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa8f3346f8,0x7ffa8f334708,0x7ffa8f334718
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3712 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3780 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6612 /prefetch:8
  2⤵
  PID:6180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:6512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:6728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:6852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:6860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:7160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:6744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:7052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7296 /prefetch:8
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4424 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,16846304036418361386,5153400244317435775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:5144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7088

C:\Users\Admin\Downloads\drw_fr_installer.262.exe
"C:\Users\Admin\Downloads\drw_fr_installer.262.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5560
- C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe
  "C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe" EXEDIR=C:\Users\Admin\Downloads ||| EXENAME=drw_fr_installer.262.exe ||| DOWNLOAD_VERSION=free ||| PRODUCT_VERSION=2.0.0 ||| INSTALL_TYPE=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6360
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe
    /Uid "S-1-5-21-4182098368-2521458979-3782681353-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4f3d2862hbed3h4cachb2b2h0f1ca75618c4
1⤵
PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa8f3346f8,0x7ffa8f334708,0x7ffa8f334718
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,115807723772925006,2281228224313090608,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,115807723772925006,2281228224313090608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5996

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:776

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2280

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:6960

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6488

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa393f055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$SysReset\Logs\setupact.log

Filesize
110KB

MD5
4006df0a3e4be603ccccf49eff4796ec

SHA1
f46155d957e526c8cc14cc77f4d8d98a73c0dd82

SHA256
9c5c1f7a16c247226c38d6da0b7a7db8d492a084d1d6b59bf1d2592d7252b5e2

SHA512
ebc6b2cca805d84c553353f72f9a205ff8d53b3ee237211480572e398eb81f3ee30b1a8d38beb6d657bf6efe1506c2af3008222412bc5d093d36ac5b59af1a2d

Download Submit
C:\$SysReset\Logs\setuperr.log

Filesize
749B

MD5
ee40e44bf3e6ffc53e6cc26df72824e6

SHA1
12dcf5ad68b6743cbb0b9195015ff56a754cb557

SHA256
e6375699b78425950d55f7b61e6ffffeb90e06ad64649ff28045d3dfd21507de

SHA512
dfcbadb755803790d4bc16bf565b7db1ad643bad016cc0b87bf5af443c0ff70d26d500f74d403591457b18e3d0d4089fa4173555067b47e9f30ebcbc93ce1f80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_298D93E3CA8570319E94A0828EC477E6

Filesize
727B

MD5
3257756910151aec7dfe9302955f20b0

SHA1
12505641a61d6eca74a8223d33b311d44a16501f

SHA256
4378b929f6504b305f1c8a10272cdab4cbee462c8434f6d9be19502dbb7cb3ae

SHA512
5736d2d56927d2f0c75e5348db3205c9afcf6bcc39fb79657a9453baef41a757b94b8432a095f2791bc7e647ec12ee3c8a3dcbac49adca3edcee7837a7a9211f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
519f47ca386a53c372d32c745e3ff3d3

SHA1
38299d39d43b29c8145af347e59e11d233ec225c

SHA256
1cc9a63b647ec23c31782940811afce8f2f9c9cf1a54172c63a308b109051e23

SHA512
9755bb085c54b749efd6d235fae12064e585641ff10751af4c26f861b590868480d19e17a4784a7548cf09f72c9e654186f687f1a569cd885f4dc7c48eb424d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_298D93E3CA8570319E94A0828EC477E6

Filesize
408B

MD5
4c1a2b49b51ed6eaf2e3e4f3d81bd473

SHA1
294bd0e62e0c7d9bdfe5f665ce245eb117bf2208

SHA256
8a47ac4b9a83a54f25c931409f4e2fe04814f289cb52d5f7e15557de8c7eeba6

SHA512
57f37020c88c8e4a1b08b3bdf20066f8d3be89cbac5a48114c55b0b62e6d9a93d4c35aae52a1d9e1ca5fbb420a334cc51a3f9718283f99e7a4afafdeca41371e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
aef3232530a3a05bc26cdd030d315a76

SHA1
dc8e4d4118cd12acfd9126b76024129b2ac205c4

SHA256
f3a543736b5d8f63c00b0d5e2e0ce2adbd6f57121b4f6e97196f6260eeeca045

SHA512
42929633482533da2f3a0250aa5e32c8ae14a9e4871ea16995fdac9a25e4855c29c2e7db38f14b18a6bd471bf745d49bbfdf8606da2d1ff5c20b8f41494fe985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
793d5df67dd2bdac5b13002fe6a56feb

SHA1
d7c7e4fc13101e854103ae0d372f6920eb1e6da7

SHA256
b89c6850b95a11456edd863216a85ff4f7d1b62941fb1f57ac975f821e7623e7

SHA512
0dec6027427b4980f58d5f5c15b2bbc8a3de5b1b65335ddea7656d0511d022e031f61d11dd18cb0abd2e22e8accec6433e6faaa00f4d7720a8d0e7b003baf8c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
50KB

MD5
d309c6d9435bfa799929f283fea3bc2c

SHA1
c826b8e20331ef1f85a843b8584325939e605147

SHA256
0d8b7232939c5406ef264b90096f25faabd6c2117b09105402b993b260f1c85d

SHA512
b3a224e69af7f2f4b488de151469e150536fdb8867df0a09c81dd25bf95f43a75708644de7089f49faeda10e02b46b78414610fc3707b98f2a82ebcfaeaf0f61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
48KB

MD5
c0b003d362c84b3fac821d1ffe1254ad

SHA1
738083c205104ed11dbc3d1befb553a3939d5218

SHA256
10be7e9b21937f9871096cac1aa9290b3002cf243f32ec5e79f3ecebe836c1f0

SHA512
997669ac5321e307cc690b48ef188dca5b935ec6b469adbf4f6483fce43263aa16715e8752804024154ce6d4dc3b2711a6322890d4b953ec061434b877274918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
68KB

MD5
0a517c3ea5528e0dc81e62eafc9876ba

SHA1
b75f109c808ee3201e38b65493bd2b5181d09d32

SHA256
9a77edf530627efe35eb30c414cee40c7eb6ab6197ade7c9f43d41d1d1983419

SHA512
70bc95ecf5fe4bbaf5eaf45e7983ac0df346aa4da91741ab8838f9ea890280caf9cdb6bc45ce77d35bf156b2ba130acbfceae17f507951c9967927a3739a3a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
91KB

MD5
89e5afe66ea65633b4d21c7bb178fe46

SHA1
62bcdeb0ba0ef9266c1ec5725bcdde18a45740d3

SHA256
ad5bfb586cfdb4002119fe082cc377b997d534efe8e4656c0c6f609d4caa9286

SHA512
04ff6cdf92a08503c6b399bc5609285c39e9a40b8fb0768d29e08c16fa95f0c6c9671b05d9e9747100616070566ef3793f69a4c437b0177cbfda3d876935e938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
91KB

MD5
a4c4175577ff33cc1c4652dc7fe4ceac

SHA1
b7e099d35ac284ab7184f630bd9b8b22284eefcd

SHA256
7f3a9a1db08027888c7cc8e2af7d917748ce5ae46cfe553598062bb651929da4

SHA512
dbd714016468988c42a3a00bdd7db1a166fc2ea0b6426c23dc9a35599287488e699629e422e4ef5e5bbc634f51dcbb9193183cd600db96b6c7dc2cfb1c9fba45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
106KB

MD5
760c5e9013a536f8b507df6c374606ad

SHA1
07829e30970db91ecd6d52cc4789aacc7213fa83

SHA256
decfc3b589f326c56193466c0be8abaffd6d33ff7959674c2dae2f2247cd5a7a

SHA512
136d2c3af555ed4bcf1a74d5067c1859359d6105baaab757e498031940a8ff890038af38fa9d8e6fbcf1ddf6b2be13e7317e503ded98b9c060732dc9e24b23de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
93KB

MD5
51ae200253c6a2a0d0a3e1e02c980cb4

SHA1
a0bf83264e2a11a1df2e250087169c03cc936995

SHA256
12ee3e4578063d1bfa45f2f3bce69f8f793ae7f2be65d83ac0d23d701568c4b9

SHA512
b0c7267fe6e27f334972ab76be869ec6104a7871919ed0006843cc610a5a801c1596ff7593841755480027713391c0913d12b282bd20c811a82c6b5ce5a665d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
19KB

MD5
28af246bad84dfe46b80c1c1ecea5ee6

SHA1
cace7d8d0857f570ae5ee8ec22ba40a712ebe559

SHA256
8c13b7e519af80f2b216c23e5780f902fa854e8605a7a522e27235b63ca3510b

SHA512
7129ae320914ba33e514abbf223cd92d07ccb5b493f26832a966c02c090732b3874643acf1d866a4672a2ab828352810355c9514d9aa3ffec1bba39b100b0908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b

Filesize
21KB

MD5
dec0b0103336461b3d3625f96785e634

SHA1
201b0dcfe21174dd08ee8b45729754a214d79347

SHA256
3f92f11725f840771026276003840db7d43c0248ebc78e14c605589387ce9f63

SHA512
f8e834b639c4f11456cccba69515601bb7ba3de89421802b6a9613cfeda63dfd5d178b962fe93fa359ccfb84ae6c4a39db0dcd8b6c3e49a3b66a79a697ed7e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b44e12e2b8139e534863e22f1115c56a

SHA1
0c8b14ee2ffd756933d0e4ad156df8e5552e376e

SHA256
7c4e0581cd64ef976a425f3987af78b5b40aa196e21e9ed3a4823e673ff08f47

SHA512
07d7e26aa4e34f254c42c079693a5f74feb3bc75533a0f00c39361577e2ee708cf0cfdb8d9d93fa5707a103d38a212a5041ed6c5d8b9f2c9dfd1bb514de44ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.easeus.com_0.indexeddb.leveldb\LOG.old

Filesize
717B

MD5
e7ef578bce5d3903bd5fe241e29b94c4

SHA1
0416c90553579e53abfcf2c97743686b977ca816

SHA256
93bc50c0f9e6b8fd8a4a4f23f351f62511e456f50a6ac9689c71058f205cc0a8

SHA512
61467ef69bba94444192ae868771ec28306b6025ec653331f989a0692baab1169fa4fa558ba705a2a03047395920d660f5578b660a6a57f11020ec33a76ddd22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.easeus.com_0.indexeddb.leveldb\LOG.old~RFe5941f1.TMP

Filesize
672B

MD5
9ee993860ae84ec568a7f3b7da471684

SHA1
af52399c98ea4b272671ab9724c85d8a6c724d3b

SHA256
732878681c5b76d95933a4478a3b36e2e3f12ac29a940296760a510b2096e6cb

SHA512
955371ee1fd04f4b4be244948f81fd1522bf30026685b44a2527f0565fdb1dd665664c303b9c626efb26157aa45a8a5094c6255f7a42ed12fb4233fcffec17f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
1e3459dd7dd97f1725a42503036c0bec

SHA1
f13f44a164b14e3e6970c9afa33702bf603799a9

SHA256
a496f87a030b7fe1f1e335c338b07bae0f0b45aa51efdc6f95cc7a478a672864

SHA512
d77148b104db005961d293240255716e98a997218cffcdcef5d02029632a6490f4ee35271a97d12a6f1520d20a5dc84ba63d08c7ab55e823145a878b0cb3d50a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f23d8b9d847d2a77c3fcee879d5a2cd9

SHA1
c1ffde6aad226d0758c315344719318a010e5848

SHA256
3162465f378cee4b9fc665724fed0b61f587a1ae4997f1ee0b6cd5b576a157af

SHA512
a88d21e6eedce0af7946af7e2b0f3a9898d4e33f9f774b5145027fd2d0ffe9491f7ced92d4d9f6e3148760c83b4bd8d2514f26134a6c3ef6690dc25beaea3371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8cf19cf41d7d970c79c801f3aa27e7bb

SHA1
af81d5c74615cc4169e3a7601e848b5d76f98e43

SHA256
fde3beadda1dcdbfc77a4dfd77a25c31453ea0e7e5f0516201e4ba0d20fd7245

SHA512
fe369b64721df80dbb0b51f1240db16a4ce07090daf591a790396d5e67b831a153c32208d1188dee9ca112563131c9921a5bef127b78cea852b39590d5eea686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e9c82332731d80db5176f1b66a0b6f2a

SHA1
74815841f2c4e145817aa1d320ccffc3546c4fd7

SHA256
a2c111539680e22c88973568aa6a1088ca7a8ec345be1a2449f802073189920c

SHA512
90b34e2d5d81ab53444173753e07f5c35daa5b2fd3abec2f3342842441f5c9fb0dacc2669b1f7c922920871f157079c0db3fa311d2973b3c0591abf104482216

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c82e0d20f5825bdecc7f6237ec305628

SHA1
af3de42641e0afbc908a09d5b6330271b407e2ba

SHA256
562875f0179c0b970785607faab27b1d5e995d84e1e4469e084d494801ae57e1

SHA512
4929a2cb8ee402d42512e7d4049cc898051af20fea46292fd2e0a4b3b859b72b3d335add7a5c8f9bbea252224a9cb1422c08ad7acd3ea5b7150fe20ccc9bc5eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b3329977693d3cef5eb2be4da7f37cd0

SHA1
9727bcc6d8d04bdfcf2b38d43942be9f2bd50525

SHA256
f4a4ca910c3ea298c2bafc04bbdbe894cf9e249595d6a90653ce103cbbc4db37

SHA512
be0defe8975e21500c06c83cc5eb1713c8143627317e42f333b3c6306adedf477913871953ea42f932f4b955e09831874e234dd61759fd9e143f1035338a0664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a44589a011240c2ba6150a0bbd50e4d7

SHA1
343b154ab6c386db593dc06cf99b3ffb64af61e0

SHA256
85e6ffae475f402a07550a96f0ae4099b31dbe6359366411720c3674235fce85

SHA512
a1276a0fc79b70ff63f2fd54e67f51ff6c1bd8fc7d4cdc619f274e72afdd33562a64840ec85621a287d5adb0a14988eed4c15a9f9ddea93144b16f516dca8f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592b8b.TMP

Filesize
1KB

MD5
47b500e1771eaa0f39f2069dfdf1f5ad

SHA1
382ca79bb1ad5fb7af74224e2c60643a9236129a

SHA256
d3f04a592e35512e7bb2ce51309b7262c3fe2419c05a2a46b3b52f57613549c1

SHA512
91a71e6dd18c88061aa4e123e2c982c0787d07e843dc7bfdb80ccd0f1ae5b357a2aa7b132260603e6cb3b5ab4f8436c609eb98af187e11862b4970002d224e64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
63b58b86480b0131e4f5e48b119ffa71

SHA1
cb039271a9d9665c26756217786bde7fdc9cd78a

SHA256
9715230ee04834f61acb079c283047d67ee1be7a1f340bd1fbffcdb6a08f1a25

SHA512
3c4138749bf47db9e62c003a6a6fa65b04316527647a073629c8d2660e58509233776c71b26140605250b739299f793f341073d972912aba5d380e467a8a27d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
400ac2e5220d683dbd5f56324890cffe

SHA1
cba69ce76a90c96aeaf92ac6043521e2e0f4a4d8

SHA256
b1d98310abd17925acd2b88592dab2fd4fe3faa868c9c2534ff64de5d3ecfd19

SHA512
9f518548c31b33356e1b1129f2919aa8fe59308f857b9fe45516d75343318e7550c4edabe388f598497fcae4765a088c9b2c01f27888c0e083874810c5b629c4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
17501b9a1c1daeb4c75316a1680d6b8d

SHA1
a7a0a8388495e991074dd62f2e28ff2ba573ebd8

SHA256
359448326dd69564953f2834930c6f5d4c59b9561297b0f5fb60099a36e8aef2

SHA512
79980615eb42d639b34e796535f5508965f6dc693bd57adbddfbd7a2e2911e2b5a768bd02253cfe61954c9b0ac18107b22f71ea9eaabbeba3aef963b8a4bcfc0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
e17a754de479a4f216dc1899010bdeda

SHA1
d96e478159e9a89f4f2c389330e25c1e374dade3

SHA256
873be220b59ad92509c1be08703b322fd4cd582924b66ca39070261506ed6ff7

SHA512
b822e04a458da56393ab88ac695abd645a0ec322af016d3983698f54a8c8568d01904ba273d0f29aae34d6bbd7dd4b6906ced6135f3fc42a02cc231d1ed83b42

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\7943793AD6EF12CA229A1DF7A721B44C210BBC82

Filesize
37KB

MD5
4d9cff3a78f667dad22b73e35d897f2d

SHA1
5e48b496eaeb5b6d48f00ea0e4b350021776bfca

SHA256
1ef9cb12002f0cb72073e5fa262108535fc42a5175b5e4076c6eee47181f4f26

SHA512
ec56c35b4ca3cc25874d35cd6c147e15b2060134a56f95a295d3ecfdabf4ead83544020a408434f69c2819a64019d264dffa16883c90585020cf5c24b0ed32f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EDownloader.exe

Filesize
1.2MB

MD5
f65179263df95e1fdf78a09881681052

SHA1
bec2f648738be2e82d8b10fa52ab1c52332d90a7

SHA256
5f1661120e9cb071dcc479d796041faeb4c4eabed6be772377c8d59a30780333

SHA512
ce362d127369cbde7738fe98b66bf097b847a95077c9571e4d06867fc64d3bbc81d152c1422775f558d101b6d49751d03d6acb4f38ba04e2f0604ed114f3ed73

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EasyLog.log

Filesize
509B

MD5
350bb6cd64d169a7c52de74fafab2d0a

SHA1
8462ff327e875f7f1b5a7d804d6c573502c3cc12

SHA256
43dec236d9f764cd26a4a58c361697628521fe4f9273a1ef045d680f0d36557a

SHA512
39c64c8a74290e430299667417fa701f290ae5282113f9b6e3a347c3f996ba67ce722c1645d4481c26c5cb26669a8778dbffab567e1bfbbba7db5d32cb3e44fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EasyLog.log

Filesize
1KB

MD5
2e8b0b113709942434659d9dc12ee5de

SHA1
ad767f5073a10cfa09d05d8174a2e6b9cb670c25

SHA256
22ba86e4a3e1a5c28517e1c2f54c18e63fa69a380117e538b0da9c5aa07008a5

SHA512
27387d8d91d70a524af528d1142452861562b4f6ea13be2a9d50af988fbb8280e79e04c8f048444eb044a61ef9ec6e766c980ae6873708affb33168354e0b640

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\EasyLog.log

Filesize
1KB

MD5
7bbaf7f3d9d60e560ea6350761385f7b

SHA1
366bde9560c2d9c79f787c90dd20b8a79f9160d4

SHA256
65966c6c8f52ad1da76cc4f2844a0bb7d12ccfe36ec161bacdd678b5c8a129d7

SHA512
061e9582ab50f206bd11370fc0e7b1b3fa46092bc502288f639223ee289f6aa0fb2f8eee97f3e48f44175d7308511b904a77d1e7d34e3c2116134bcdfb2280cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\English.ini

Filesize
3KB

MD5
514c7cfa0101eae70994afd3fa7801c3

SHA1
bd6249fe023542c5be1180b76343e4e220be7148

SHA256
a6237a06959f1bf65fc2b3e77ae509d3bca1713340227b7fbb66e28da4f84404

SHA512
d889ffd4495ec023394d1170b97bf40fad9ff202b36500fe85d6620cc08e3c42580caf6992c09817646a93d253cfece8e94b66b14e6eee5cefce3f91b5fa4919

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\InitConfigure.ini

Filesize
4KB

MD5
fec03e63245a8e784c6e81f86f56a4a3

SHA1
78343e79ab198d929332cbf65cfb831ee21f67e1

SHA256
e20ffb7dc15d0d949c834880c6f804a18cc2309aa98480525c86d63936036e49

SHA512
8afece87c4cae17bc2084d106c6cd9b2bebecfeef85562267a29867ac7103a3131de670e93fad394eff3fad56a92202d02f739452aff6ba4a529ed63d497b870

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\LanguageTransfor.ini

Filesize
325B

MD5
ffe692a67871185785ec705b1cc12c81

SHA1
06a12bffdff33024a7b8798bdcdcda1fd7255bcc

SHA256
373bec6e7976324ff879c2988bab772c69336d7bcb9a32386a6021568350a824

SHA512
7ecdb5a4e625370888fb3a827cb668e934e29ca764177fca04e4eb620bec2b664fe498c0e9e73288bf977006eaba9618a4dc5a169e0fc5588a0874d9e6bb6c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunConfig.ini

Filesize
1KB

MD5
05265500bced30d460ed017cbd025c9c

SHA1
4467e0875d6c70016b55536cf50e5ed504628dcf

SHA256
a98717c0a130b565faae701d4395dbae064392199a12d21f4d5c9e6b17267c6f

SHA512
332d89532e47baedf9c3284f590b3de1a25d88fb2ba4c1099150a179a2418577df53d03db7b56ca8a535b47802606b1f972290b56493de6e4b0bcc3ab837cbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrap.DLL

Filesize
482KB

MD5
747aacd07c3ff2e33019e1f314c7ee83

SHA1
4cdb41f2a20cb868177744ae96418f609a29ea0b

SHA256
dbb6ed92a54d875f8c650457c2e599fbc161280e8a66879a664dd6c5ac6a4a46

SHA512
1dd682e19121e9be0e47f2fd4936ff14ba0b45d1f542bfbaa71ea1becaf99c5ed895f8a2cfd6cf030eabb41912785ec19636bffab9ccbb0df62829d200eb09b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\AliyunWrapExe.Exe

Filesize
107KB

MD5
d83f449ddf329fc8451f464196aa8d44

SHA1
d84712f49ca033d362c5948a168d5ca5249571db

SHA256
c65312ba5fc5040730233992802fca922856afaeafc57ac5978385f9a66bcbbb

SHA512
f51c9edc36df37e1427e3d07acb734167bff8be0e2349c78b1fcb0762c64b8be234035266e020ac4659c0b1593d418a2ad9be928518d1d949529d8357534bfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\DataFile.ini

Filesize
1KB

MD5
a0b2e8dfe6a4a99c457c2470e4a4ec4b

SHA1
0bedb605747b7a0daf7703163370103f14f71794

SHA256
89b6d6818b8542d5945c0cd4ef308a5d95a599560ba1a003cf0013967d5551e9

SHA512
31ff7ca902b1a09d99410a78d182ef112717b5522c0fbfa3bdcde8e34d85aa12f780eccd89f75238c848f28916bd4351823d95d598f9d80f0efe8a02f455a845

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\DataFile.ini

Filesize
1KB

MD5
d01ca88cff19c24fe90bdce7dfe71238

SHA1
38666101d3a5e6870d2b4acf1bc1b3114b3be0d5

SHA256
5a29ab94aeecbbab5bf8c84fba0fe1641a140ac4074d5b0f0c43d3a39cbffd0c

SHA512
008d6c6a09f83ec57eea3a0927ca277ac51cca7d67a1805510047e7702fde1dca5afbd60a93e282164f28f5a5725e787d49441992d26dcc803ca605ca82910c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\DataFile.ini

Filesize
784B

MD5
269f703571b8c7fa811ba8c25a25aa7b

SHA1
515072053a3d4a5b2dac1b3dfc95e29a539d4552

SHA256
31a7903431127fd65b6c8d5375ced413dc59f9add11bd1a2ce974e827be9b0b6

SHA512
2adba0aec4e1ac2b35065a19dd2e4e1d50df181eadf32af6100918f55326c7bd77c6427f8da982d6f31d3b11ee834ae7e61a4a45fd804f48ba4b9f5e25c947d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\DataFile.ini

Filesize
2KB

MD5
1b7abe90ff09a7e1e8d9c9df6623e451

SHA1
48bdfc95373d1f213fa40dcfada1ce22107e5147

SHA256
3a218b5a40ec64be372e23e9dd3f45b78b8f19fa522dfc543ca3811878f2a877

SHA512
eaffa13b4fa9ff3ef31d7406f5bed635163549dccb9985125089af2d4dae91ea0e1fe4a520b0c7b06cd806368778726031beab71c357055114826edbfba326c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\DataFile.ini

Filesize
756B

MD5
c423e6cb2427b8f8fcc9bf986882675f

SHA1
8b462ded056285c2c08a918730b25610a196d36e

SHA256
4e2f1a022fa055805d5581c8382b34aaa4ec0b1bc875296a04613e41cab5dd9a

SHA512
c9c2bf46c4b841e60b2255fecf1791724d0f39200d014a5949dd54fabf69298ccc7417db04523da53b980d6d59b877f0fd741603d3dbbac126510e68f3a9b0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\DataFile.ini

Filesize
560B

MD5
b24d170470498d377355d85caa9c489c

SHA1
59eff5669357b09fdf36118b846b0fff2b79df36

SHA256
73a95b8b94eadfa4559b81a47cef322be405e4dee6e724df8a2dd391aba5499f

SHA512
3eaae5e06ff7f7eccaa4177cf095deeb1a2f89e4d6776b2e9ca4a4975f7b7618e69564baa1dc11047b87b42c7daa43ae04c75ad3241d297d8e51c14f6d218fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\DataFile.ini

Filesize
88B

MD5
7f411750d07619f38537e7fd612b8b44

SHA1
cda241a1ce5141288582c8f0ac4850992b427bdc

SHA256
ae89726af2bd0c0218fbf63af20d4464f44dced5156364d817b6e73afc8e9f87

SHA512
35dad46325060004a66e01e10af6a3ebfd94b6751347b6ec64840c4ec03d81480fc324494ea39dded03bf2f1a1ce352b15ab518d14214c15567af17fb32f16b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\InfoForSetup.exe

Filesize
66KB

MD5
c06b7f733c7b0b6bd1da7fe7463b7f8b

SHA1
be3385e5d2d2c819884239240e3d8fbb44fa5f75

SHA256
6ead4a22a91a553aaed44229b9b1b712852accad4cdc74516e33b0af21c55daa

SHA512
1241f635c6f03c09c2da255f7ab8a95d16e1a1ee0622b2e4c0faa61d321252ac37a5428f31954b1261ebb12cb38ef1c3f36bbe7979334306670f887c9d775e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\aliyun\tempInfo.web

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\downloader.ico

Filesize
65KB

MD5
e7ba7ed202773284c3dd85e4162c38d3

SHA1
7467da2d1455c5af1419da18feae2cb5c3558a3d

SHA256
aa4df8b6f5bc456121eafd03857098e56a4357a2bae7cdd651cafd2cfd78ac7d

SHA512
87dca3bcef8b309a501ffe3eefb5b20194dcf3b9729f024577f3d57dc025643e556c5c01797606483590e5dbd28502425c5f603a0077cc2e4561dddd0322efc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2free\skin.zip

Filesize
509KB

MD5
6fa30f652398a902a1464888399e4a33

SHA1
900b7888cd083a40456df9f357a4c8792d6c704c

SHA256
ef835aadd1fd02f8769e56e796fb280f9b46aa39e254fabae6629a81508a87bb

SHA512
e006d33c5f024dfa3e6d4fabacdee0f7149e213c9240ea9636629154363f5c9c7f9e509edee70d58421515fac4301f41de16fddc100eaefc5d7a2fe9aa747b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X34KZEJE5NJYO0M49CAD.temp

Filesize
12KB

MD5
7de69b4b7871df56e6abb94bbe206c61

SHA1
dc8bb8df78b0c37e00f1023b3b8b94ccba9ea257

SHA256
0b0869966b4561449ecc49391232aca76dd7b4834ec3ebc3b8995a847893cdb3

SHA512
3fbaa1be898c22aaecc2d6adbaf3d3ae5b66e9f12e4cfeb200b48e9f9a8ef190b1f8246d0d74bad4027e9db26fa10234d8a9f3094d0ba12db0a39d2c8560c2d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
8KB

MD5
803278ac7e9a8ce00082cab13280af40

SHA1
022dc49931613f4123422543aa33f3fc39a7da2f

SHA256
040e0958111be0dddb0ebfcee655abcc59dbf104962e1d763432dfb2d72a4fd2

SHA512
8115f3cf3defd0097644f1093508b604f4dcc16f6c1a37fc3d8b21e080674153d3e0ffab142c78350f1bbf78adc093c062dd1f00c95339766c65880b0510e612

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\bookmarkbackups\bookmarks-2024-08-07_11_wUK5TEQYvTGYbASR1WCBIQ==.jsonlz4

Filesize
1005B

MD5
30a638f369cb0fbd95846ab9dfe99a6c

SHA1
186d7655cd86bc89362d38e2c4e82c3d8799c0bd

SHA256
24cd27348053b701020e7c4f3423cb6660f4b78cab4cfd7a6165558e660a3d2b

SHA512
e8486811137d2b99077e4c388a699df88c11a03e54c441845bb241b2ce0673be2098e2e39d0308c4ac89ad3e158ff48fd0b953ba8e46a08ee37833fea011500a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
4a89951e0086de378434fcc013ee6c54

SHA1
6c1b951e0786b5b207752b729bc6dadaedd841fb

SHA256
3024bc78bc254cbc15fa3a85437981504955e45b14c1ee0d78fcf17572f5beac

SHA512
b322f79389528f50ee65e16bd26a6b484f3c49abb3f685f7a0bf384bca6cd14abe4a16091eb2c89d75cb6f39202034b76d9b608f0a0d58d3ddfcc94d0fd15818

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
36KB

MD5
25902f491b1593b6db6e339a99cc70a9

SHA1
3b7492eb20a3f2c86b4aeab95f0914b36e4e4434

SHA256
f73d323663c10bb5b20be1945184233acdf9601e1bc541cd8f0a46faa43dd4d1

SHA512
8d7e328f7b3df77f66fdf10ecad37bb5cac5fce6f7af93098e52725badc3f701150ccd81436327fa6727720189ef04d32837030fa5eb71522b1cd0417926601d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
34KB

MD5
8240d24718364b895c7d4e267fe2f1c1

SHA1
15ded687e402802a74c2ab3bc9fa8ffc762a7800

SHA256
97295d68960c88698daf035c998c6c69e7ede336aee189b13a2833cdd0e63bb2

SHA512
3e252ed5f03104431634f72758def5358cfa0942857e58f4dcac70dd6f23bcc69c68687e4d682e2a66e606a633143cbe82f70cf2816135600983c73d1691d1df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ef750e098a36c7f535295884ed69c147

SHA1
261c06a8f9d8a27b02e0cfe39e271771aa24ff60

SHA256
92d305e2d129cc69db01170f84df2653a7684e4e4346a7ed44bf3d0c1cb45fd5

SHA512
aef3ee7ed36cda2c7b592ea20494ecd233d78ecbcfd972a0cf0b065800563a7c011e4f5cf713428643317ff2ed6f0b6370e6e05f3e2180ae3c4ed8e05c77dd27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
34KB

MD5
982ce9ffd7c8a0b750e384c76e81183b

SHA1
c6801c51066adba5656ef90b4f72efb1b531b927

SHA256
328b0c72b4251ecf8980a6baff6eab776340619cc750f9ea942eeedb6c56aad4

SHA512
593d9e81ce02ef697b3f51076dd263e397755762e4366340c9fd02399d04c1d6a0ff78ed5426bccc9864c5d1c8754bf4518e8a951c90e1b1aecd688103a6d3b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\1abcd8b5-c34e-498b-b95a-e947a2be7671

Filesize
982B

MD5
23f8453b7b0496042efd85f8dcab69ab

SHA1
4e8bd29ed47ac1881b76e16c68103bdf396cf2a2

SHA256
4ddaec5013e2f179a0c7ff8666d06b6aef6a8fc3bc81b1ce1891736cbb202e8d

SHA512
43da919a469215467b02f3455a762cad493a5ee1c2f0dd4dab7996f8c7a5571b8ec5745760a5011f587b37aa2fcb7bf0c0392006190e906f7be4bfb77f70fc72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\771d50a1-c5a5-41dd-9283-f8bf7d47c53d

Filesize
671B

MD5
bcac5ec583e0221ce932df8210bd3e03

SHA1
aaba7364303f5fb6dcbb4b574445c51284c3e93f

SHA256
91abd75d0bcabad803d1d8a930dd04676a40433e9c9deda293a81bc8f6265143

SHA512
3e9ab402a25917488dbe1e76addc01f31b6f66c4c509e26336dbc58e0f7f72818cc932a995d161a8826970e6bdf9406c3d2c9bccc9250fdd3664bec760c1b7ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\a60afb87-b80f-444d-b3e8-227243891dc9

Filesize
26KB

MD5
a9662d3f31e71543bf147b036f9fcd39

SHA1
52cdf5fec92d4a95dc5cd053140ce43cd52338ff

SHA256
394328282798289228d93bb5630a7195045cd36763c57e7d08a3912bd571d491

SHA512
0c84830db0e6978d01737c95fb637656672ea711845cc6320bdbf38e7301e9afe03dea42a35cf5841bbf4e964e00d9ac2ef32c37e5aebb447860c7faaed3ea80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\favicons.sqlite-wal

Filesize
64KB

MD5
3809a5ea19db8f5c12d102b537f2b211

SHA1
1a1e40a907113bb6a4521b8a074b0a2aca687adb

SHA256
d9fdeb1be50c371916f6f065b0d63bd0bbe2d03dd05598e163ca2576ad40d1f5

SHA512
b919528a907b738784d89d77936bf9ae653b41e98490cbfb5a00d215ec88d8849f404ac5414a8bd22c7ad044ecef3e11180b3ebd3e76914e4025973a0035807f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\places.sqlite

Filesize
5.0MB

MD5
dbc614c21ed6fa025bfabf828e9fa999

SHA1
51da0ad9d4ef67a981962f941517c739eb26025e

SHA256
fd669c7323e8e4d8500cf377b8ee381411131b0f31b41ef723ddcf1ed57702a8

SHA512
2661a5402bae6c8ba16d6d4ff364da50314ff68724182eebb902923f6210395591a539ab1b3d11aac9814cc502a8317733d8145b9ebbab9ab3ae328c4ad53705

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
12KB

MD5
97d147bc7b80e94f6038512b5564db0f

SHA1
cd7f952ea4b254bf4bd196c0326c00affb71b07b

SHA256
5d870426243a953363b0989d5403cc7d3793a17d7af0e3cae792c5564fe83f56

SHA512
0079e7fad68d53b4f311da5a007fa680b670ea1c1096f3cdf02929d829ac683dfd4542148ddf7d5dee7c7ee319eeb8a147a48a6b4441c556cd5bf6322f09facf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
13KB

MD5
e96a7cf1ed0c654ccdf91fc7091e7b3f

SHA1
24113e34ba6408a76ea4e9d9fa524455f4434aae

SHA256
69ab68f25a47f91f9852c0362f4e3de8ce757edf8b2625cf89ea0d5c90d14819

SHA512
5cfbbda772fc6daa032d562c3356358ab76df933726cb88768167820726222aa823f7e6aaa954489a1175287ab99dc5ce4ab7f6f80cd46757996655ff8274a52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
d801e7a2baf9e69e178448bdfdcde0a1

SHA1
1e5e5fab76e1c1a9dbb559d63fb82f63028b26b0

SHA256
b8113d7bba17fc35ce7e8ea106f7ff9b3b5428cb54d9c010dbd8df211fa7e3b5

SHA512
c3cc8b46b2107b9fb674e74dc0a4c7331b6632e7595b1bb596fc448e92fcc1e0a2e191dac67dfe4e61c4c10a875f4c4208160cacb7528eee1c1563ef5e6d1221

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
32be56c8dd30e5873dfffee040f0203e

SHA1
e8413569c7252c8d5ddb5eff6386538e4ee814f7

SHA256
a50ca4b978037898be79aca59eddac87849cd7850a8e5f25048f25a4dfe61e69

SHA512
a850c1dab9bb346e884bc08231a6cdeb564abbfd0b7e88b342cd6adcb8b1ae8083904d28e3e321e21e64eda39fbea21a6b7b278849b8854cd825089e13a85461

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
b8dcd7505a9f2f0461104a1533a46b2a

SHA1
b5830d13f949c3f14d05f9547bad24167bc54e49

SHA256
6fb25798e84d92960858136bcacca6c3375fb85d457b9eaf857dde8d47496e8e

SHA512
3270936d3fcfd74029d680084c57d4806ccc5140080eee5a619664ff5b84d1a6707e19b7526d72b00ed791f492eca5517f426f835f28bef210964eb051ae225c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
7e2f915c8c5d525e5edb289249f86f9d

SHA1
653a82885f0ec461a01c140b8f1fad1fe682a7e3

SHA256
06af19596c3391dee17dd31e3ff412e173b872001e40d8992c38214ac8871117

SHA512
5d2ddee45e240f201a101fcc20a843f58be725f391cf2b9a6cb5aec07739838b17fe3c7668e06907a942a2cbe58c2a68368312e756b24f200a5c91233e3c4076

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
584KB

MD5
17c8bc9416e3b6511674c9dc4e18392f

SHA1
ec3f5bcc30e90f0f7c2870be5ac0c40265ab4d11

SHA256
14016e208c377474a3c16d7eab62c2bbd127d8230ad66b9bcff96df8547dc4ec

SHA512
c957b655ee0b48fb1a51e87bba453b470c25558e420382ee1608ff48f685b63419c404c7a4b2e6c0f0f04005304c32bf30177d5bb2ebb1a79ca9bd420099c431

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 805892.crdownload

Filesize
1.6MB

MD5
a7d03b70b3822d57cb4ffc48911f202f

SHA1
cf0e6bb86efca485f717942fd90c38a89ebac42b

SHA256
9319160f9b780b7057c4630fbd9ba534b6943273bea3b76eec1f6b5d6ae8f38f

SHA512
978b6fa69adefa9be7106c2352e0757c4888ac6500a2eaa943b433ff52d5ee81c2865a484aeb5a930227629f769d872db0932305935bdca99d56f9aa5a75b99c

Download Submit
C:\Users\Admin\Downloads\drw_fr_installer.wk4wHuGH.262.exe.part

Filesize
1.6MB

MD5
2eea36240f8a9e8df63f8edf1c74be83

SHA1
2524bc5b4dd572f9c6f40fb30057251550f278d7

SHA256
1415cff1239e323f7fe80c6e56623ee2a719ae2af726033afcd75a8fb9197d0b

SHA512
252d937724294d772a28eb0302bfda804defaff13b21b2d8bb5e5c2b26277ecf906e15b411563bfd61190e65956566885b9beb913284a319df55107ed82af879

Download Submit
C:\Windows\Logs\PBR\ResetSession.xml

Filesize
7KB

MD5
84e3f04b1cf09ecc4dfe514f62dc16d1

SHA1
abe7d85403596c99bb527b36ff2597fc5099b3c2

SHA256
9c7f7ced97ec0a51b0889aa7123066c8c05ef8d3f5382ce75d8d7e032cf36935

SHA512
b2db6d07bc87276b5e712397031c5a754cf274ba691a2de24b41925b3e5234589f64621d75caabba164a6f500182cec9c3d21c879c668a1ccc1961293f7216eb

Download Submit
C:\Windows\Logs\PBR\SessionID.xml

Filesize
106B

MD5
de69617b1ef897178edd721365404d2c

SHA1
8be5513c278d1f4420eff094ccb6cab3882dc231

SHA256
75a04595488308a799086fd267233fcccee7a8f28259bc3bcc89df249de277f4

SHA512
4c7192697ff4e7250cc1347b1737b05bc60fad3bf729dba7a97f6e684e6b364c7ee6e79ebdc2a8f6a1c4157021ef08bed449a3cf96deca398a9f6cfd89c8a634

Download Submit
C:\Windows\Logs\PBR\Timestamp.xml

Filesize
42B

MD5
45aceb0a689c3cf353ac396696073153

SHA1
693f5217fb0c168f594cfccc80be97859b16302f

SHA256
21bf5cd614f3185ef263f6164c91339f0f97af1aa888f3864c301445bd80701a

SHA512
d09a6ddc3a9e917b9248a9bd53fe4ddc1bd1d8cc2edfb7b4945f6a706739522a4eb4758b5085a4dab77eab50affd5036bde342c0f401a293ad7b384c25f4ec73

Download Submit
C:\Windows\Logs\PBR\WinRE\bootstat.dat

Filesize
66KB

MD5
3c08dea20e350ea34f7309e856576428

SHA1
d7a048ccc07b4d16afc4d778d5601a067fb151b9

SHA256
b7bbc3f2463000f52eadcce2e262512dc79bbbb3355c62c734f18db57e0fba82

SHA512
1c1cdd554cbf98dcb7358808cfa2682bd09a596e24a3708ab73e379e5f8ae7dc394b8e88824589327e2f67487ca19dacba9e3288993e2e92463dc32aaef67f9d

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
9KB

MD5
cae64d27952d339d7d9076f33acd831e

SHA1
77543cdd8564f7f00bd6adb2afb88437229816a1

SHA256
58a9ea172ae6d66b083a6770e8feac9f07b7c0735a13ac0a474a231e04fe4267

SHA512
09adc91044d28f8e14cbe38ad677b29b282c1c414d8673ae04f5e376c25381141b49ad6f3574e12f8397b737015f0ff387af5e0c3f0f79c70aec3e475013e9c0

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
13KB

MD5
c8232d76293eb56221fc2b53bac2dd19

SHA1
bd69dde62efa2ad79179bfe0f9ebd5abc6011cc7

SHA256
9e878409e1d8ffcd08d179d2bc4037b3ca520421d199a5ae79b23da7466b85dd

SHA512
33e7510f104a2a3f6c1a2aa1515d06a3cbf1edbff619661275a6174f8474db48fd657acc2b4a1b7baa553f9add175bf9e4c41c84ecd5b1c0a13ec1c4d4b15966

Download Submit
C:\Windows\System32\Recovery\ReAgent.xml

Filesize
1KB

MD5
5920b4d359ec31da196b25604854bbfc

SHA1
33923316259f51b6e74ebe01c9457b40fd84ba9b

SHA256
37ad6c0b0aac693a2e7ee4493561019039b762b9413df843df670ec95c4548cf

SHA512
39efbb29721d8d087ccdd4a82c5e76ee8607405c114d0c24bdca5bcc151c4c207542b7e8a0e41675866edcbe3a2ac69235a592e57e8c5cc02f5ebcaad5c174e3

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads