hxxps://drive[.]google[.]com/uc?id=1Lh7o4pZisGuu1FA-jTqGRQ-oH2DVF7gX&export=download&confirm=t

Analysis

max time kernel
1043s
max time network
965s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-10-2024 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1Lh7o4pZisGuu1FA-jTqGRQ-oH2DVF7gX&export=download&confirm=t

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
3396	F-M-Е_v2.exe
2748	u0Y4ZfNbjZ4PNDNB5.exe
4632	AutoHotkey.exe
932	AutoHotkey.exe
2720	file.exe
1856	file.exe

Loads dropped DLL 2 IoCs

pid	Process
932	AutoHotkey.exe
932	AutoHotkey.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
13	discord.com
25	raw.githubusercontent.com
27	raw.githubusercontent.com
47	discord.com
1	drive.google.com
4	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4624	tasklist.exe
4300	tasklist.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\F-M-Е_v2.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	u0Y4ZfNbjZ4PNDNB5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F-M-Е_v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	AutoHotkey.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AutoHotkey.exe = "11000"	AutoHotkey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.22000.1\"hypervisor=\"No Hypervisor (No SLAT)\""	AutoHotkey.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main	AutoHotkey.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	AutoHotkey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	AutoHotkey.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\AutoHotkey.exe = "1"	AutoHotkey.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AutoHotkey.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	AutoHotkey.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AutoHotkey.exe = "0"	AutoHotkey.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\GPU	AutoHotkey.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	AutoHotkey.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2253712635-4068079004-3870069674-1000\{8F9C083B-956A-42F5-9C28-6839AFBBD258}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 383079.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\F-M-Е_v2.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4608	msedge.exe
4608	msedge.exe
464	msedge.exe
464	msedge.exe
3948	identity_helper.exe
3948	identity_helper.exe
5016	msedge.exe
5016	msedge.exe
1780	msedge.exe
1780	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
2608	msedge.exe
2608	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
932	AutoHotkey.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	4624	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3204	WMIC.exe
Token: SeSecurityPrivilege	3204	WMIC.exe
Token: SeTakeOwnershipPrivilege	3204	WMIC.exe
Token: SeLoadDriverPrivilege	3204	WMIC.exe
Token: SeSystemProfilePrivilege	3204	WMIC.exe
Token: SeSystemtimePrivilege	3204	WMIC.exe
Token: SeProfSingleProcessPrivilege	3204	WMIC.exe
Token: SeIncBasePriorityPrivilege	3204	WMIC.exe
Token: SeCreatePagefilePrivilege	3204	WMIC.exe
Token: SeBackupPrivilege	3204	WMIC.exe
Token: SeRestorePrivilege	3204	WMIC.exe
Token: SeShutdownPrivilege	3204	WMIC.exe
Token: SeDebugPrivilege	3204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3204	WMIC.exe
Token: SeRemoteShutdownPrivilege	3204	WMIC.exe
Token: SeUndockPrivilege	3204	WMIC.exe
Token: SeManageVolumePrivilege	3204	WMIC.exe
Token: 33	3204	WMIC.exe
Token: 34	3204	WMIC.exe
Token: 35	3204	WMIC.exe
Token: 36	3204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3204	WMIC.exe
Token: SeSecurityPrivilege	3204	WMIC.exe
Token: SeTakeOwnershipPrivilege	3204	WMIC.exe
Token: SeLoadDriverPrivilege	3204	WMIC.exe
Token: SeSystemProfilePrivilege	3204	WMIC.exe
Token: SeSystemtimePrivilege	3204	WMIC.exe
Token: SeProfSingleProcessPrivilege	3204	WMIC.exe
Token: SeIncBasePriorityPrivilege	3204	WMIC.exe
Token: SeCreatePagefilePrivilege	3204	WMIC.exe
Token: SeBackupPrivilege	3204	WMIC.exe
Token: SeRestorePrivilege	3204	WMIC.exe
Token: SeShutdownPrivilege	3204	WMIC.exe
Token: SeDebugPrivilege	3204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3204	WMIC.exe
Token: SeRemoteShutdownPrivilege	3204	WMIC.exe
Token: SeUndockPrivilege	3204	WMIC.exe
Token: SeManageVolumePrivilege	3204	WMIC.exe
Token: 33	3204	WMIC.exe
Token: 34	3204	WMIC.exe
Token: 35	3204	WMIC.exe
Token: 36	3204	WMIC.exe
Token: SeDebugPrivilege	4300	tasklist.exe
Token: SeRestorePrivilege	2748	u0Y4ZfNbjZ4PNDNB5.exe
Token: 35	2748	u0Y4ZfNbjZ4PNDNB5.exe
Token: SeSecurityPrivilege	2748	u0Y4ZfNbjZ4PNDNB5.exe
Token: SeSecurityPrivilege	2748	u0Y4ZfNbjZ4PNDNB5.exe
Token: SeRestorePrivilege	2720	file.exe
Token: 35	2720	file.exe
Token: SeSecurityPrivilege	2720	file.exe
Token: SeSecurityPrivilege	2720	file.exe
Token: SeRestorePrivilege	1856	file.exe
Token: 35	1856	file.exe
Token: SeSecurityPrivilege	1856	file.exe
Token: SeSecurityPrivilege	1856	file.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
932	AutoHotkey.exe
932	AutoHotkey.exe
932	AutoHotkey.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
464	msedge.exe
932	AutoHotkey.exe
932	AutoHotkey.exe
932	AutoHotkey.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
932	AutoHotkey.exe
932	AutoHotkey.exe
932	AutoHotkey.exe
932	AutoHotkey.exe
932	AutoHotkey.exe
932	AutoHotkey.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 1592	464	msedge.exe	79
PID 464 wrote to memory of 1592	464	msedge.exe	79
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 1284	464	msedge.exe	80
PID 464 wrote to memory of 4608	464	msedge.exe	81
PID 464 wrote to memory of 4608	464	msedge.exe	81
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82
PID 464 wrote to memory of 2232	464	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?id=1Lh7o4pZisGuu1FA-jTqGRQ-oH2DVF7gX&export=download&confirm=t
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff72a53cb8,0x7fff72a53cc8,0x7fff72a53cd8
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4848 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3068 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1956,1826292873237833195,10401783242171042548,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4128

C:\Users\Admin\Downloads\F-M-Е_v2.exe
"C:\Users\Admin\Downloads\F-M-Е_v2.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS44DFDBE8\run.bat" x -pZhd2kZSak8js u0Y4ZfNbjZ4PNDNB5 -o. -y AsDxzcDAzSDzdD fkkfk@fkfk@fkkf@@kf fk@fk@fkfk@fkkf@fkf FME bN4Aynk"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3816
- - C:\Windows\SysWOW64\mode.com
    mode con: cols=40 lines=3
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4512
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /FI "IMAGENAME eq EasyAntiCheat_EOS.exe"
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4624
- - C:\Windows\SysWOW64\find.exe
    find /I /N "EasyAntiCheat_EOS.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4680
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='cmd.exe' and commandline like '%run.bat%'" get processid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3204
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /fi "imagename eq AutoHotkey.exe"
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4300
- - C:\Windows\SysWOW64\find.exe
    find /i "AutoHotkey.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4984
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy *.* ..\ /Y
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:3800
- - C:\Users\Admin\AppData\Local\Temp\u0Y4ZfNbjZ4PNDNB5.exe
    u0Y4ZfNbjZ4PNDNB5.exe x -pZhd2kZSak8js u0Y4ZfNbjZ4PNDNB5 -o. -y
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
    AutoHotkey.exe AsDxzcDAzSDzdD
    3⤵
    - Executes dropped EXE
    PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe
      "AutoHotkey.exe" /f "\\.\pipe\AHKAMENFNLH"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:932
    - - C:\Users\Admin\AppData\Local\Temp\new\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\new\file.exe" -p97atIkGf4jbDjT x "C:\Users\Admin\AppData\Local\Temp\new\file" -o"C:\Users\Admin\AppData\Local\Temp\new" -y
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\new\file.exe
        
        "C:\Users\Admin\AppData\Local\Temp\new\file.exe" -p97atIkGf4jbDjT x "C:\Users\Admin\AppData\Local\Temp\new\file" -o"C:\Users\Admin\AppData\Local\Temp\new" -y
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/bN4Aynk
        5⤵
        
        PID:1424
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff72a53cb8,0x7fff72a53cc8,0x7fff72a53cd8
        6⤵
        
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
3edea8e9e4f48df744f5748227605e0a

SHA1
20f140e1afb00bbd886243375bdaaa87908df81b

SHA256
7281b68e9705065f5bc121a39807c7bc6c875214ae7614e51ab90bf9f5410630

SHA512
98935c164f8fb6d24eb7099e9ca73d7970891ff195744c316fc07909917820a1deea9fa497eefb5e31e871f8bb8184846ffd5c0db1c20d3b4c107732ec1b9280

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
776b0cebd769b383d93ff2deadb5e72b

SHA1
d1474432dc2ba30724d4a209a3b33f1dc389a8b7

SHA256
386a5a20bde1ac6c21dc0eb841cad54678bfe5e8847afe7fdc3ef325ada7b652

SHA512
d0aea0a0d710105ce28a39dd5cd0b13a3cbb7ca4126b0a7c25a13df9730597d27c59762c97f4dbc242dc99ee7baacc7415eb8a66d9d2a2eaad32e120c305634f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
c225f48b114cead341f7fd29458edc4d

SHA1
982a015409c4b2c472c6add47d290baac06520a0

SHA256
538a396338deeccce2c9eb7dc1d61bad90bd87bb129ba2df9da7ad70e5db9b98

SHA512
c41e18ca1f9a35940a7926272c2f2c0f424cc937358dcefc96d61cb1c9602c5c6b92a32636217b25fd5ce8ef14886f02540a6528b9ef9c63a0e666d0e1e83d07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
765B

MD5
ea25bd82ccb12b50bf2e71d82716e953

SHA1
6c05b1c84a16c1853be899a447cadb77e888ad30

SHA256
3565b3e735c90caee1e10409562005edb9d81c50647f557747db056de73af7fc

SHA512
806b8d882be32296474ca8db8ed6bf9812898d83a500363778db1f6ff7a147955d69709d2abbd224e141fc36d4f8ca17fbb58875cdf70fe9980699e11b3e966d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
796B

MD5
c655674625a341ce6be65c0614f3793b

SHA1
72dbff9da43cdbe0c93c2c230c3d61e49f316042

SHA256
2e9e9ab188882f115474ab5ec1593210da6ec8c11ba55e655aa8c74fb3c61ed4

SHA512
66cb0e8fe866c83bbdb19a0dde5999a784b3248e4aa22c43c568a535dc7c3b5505b8bd8ff051cee00875dd0936ba573b3814c7715da781a914f051278cb5ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
933B

MD5
d1bbea8e08970ca2998c9a4e9b2d05ee

SHA1
44d82845d6a22afc45e22da04f9b93c95e336d20

SHA256
ad38f5abf9024ce287edefeecf5ae5c11f210ee962bc3a7d0f3d2da7982bd25c

SHA512
9d32e2ad03a06570307ea9161bdbab039f881c36ef03b4c49c229f26dde56b1ccbf2e361e2cb8161ceaeda1cc1415424a39df668d4f6b68f86be660a6ea370bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f40b6892ccf2ea20302b895bd7578c1

SHA1
f320f2b47d40911d4eed9748d3b7b299460c5ae7

SHA256
56cdf28777b8668ef9aa793f0fe666a890da15e060e65425f61bfc65a8404356

SHA512
dcc927a23dce103bebd0fc34fa067a7a10b1aededd13e154da9d62396ef747df293581a902ba35da6999c528a2e0ca1abd919f6b0218033f8f6a7a6c8681fecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f1b2bd1bd86b996c4f5051c7fcc853c

SHA1
2c41e012550b456762f6c57631f263d212c32caf

SHA256
d25662aab11dc9c990b00e62ec684be2388970fc34c73e6eabf1ac784fb8116d

SHA512
63e15724eaad7fb031c3b2b10983b4bc429cb6b7ccfa635ec5314edb5308431089f1c5d83a85a4e4c4910fc6190afd1643577bff84664addbffb067ac71c9e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0c255769a4b9e9f9b30fe3506e7e7c66

SHA1
45b6dd6410f951762da024ba584da4471ebb977b

SHA256
8f5d64fedc7f17809dc3cad3506f2f348cb8f45fc25639341b182950793d0583

SHA512
7acf68d131e990a4781273544e2ed4e345f9f4073eb97af5fd0cd9a8cacff143e8771b0a9bb20ca2b577a7580d691348609c34380e8400f50e17796642105888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
65aa279afa896636cbbfa6572e4399a5

SHA1
8a097eb7ba62b1182dd69dcd8bfead00a4253922

SHA256
770642ad3f32b8eee58beaaf6e9d57307b3bf0b8ffd45dedc754771631bb4456

SHA512
809030e418489df9c7b9f3fc1e409fb4812e3b726c9368557181b434e4e4151248d334eeeec70ea81c6228284b1e1392aaa0a1eb4fdb31f30cb7d1b0d0c4fa3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5ad708.TMP

Filesize
204B

MD5
e68485d85760b50f43940c1286ca9c6b

SHA1
4c2587f571da4c147da72a5cfa8e348615ce675d

SHA256
3b011c3dde1f88ff68c641a83d8579b8fe5495c77bdacd12a0ccd530c9e6a5a0

SHA512
de66f116c4eeee9b354394fbc8a4e3c99e8e3039a412718c7f8e5370a7179c5f5bcca102f3150d8a90bc80419828e0a45dcfc3a376e5b6ca638a4b1c8528aedb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a6bf533659f682b6e9bb6ba52f1aaad0

SHA1
84159e178b1b2d80b000e6cdae9ebeaaa03b0f7f

SHA256
2644f333610cdfc2d41ac5b951881e959ea812cc132bbd96300edc13ad6bef93

SHA512
2d3be61c6b86d6b212789ef05c13b4e736ff63a7171437acf6dcfb2e9c5f4b4367343c2894f47641b7f6ff1cdc50dc638c75cb87f393b0b5af0e60f3fd5e08cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fd050f03a9e2a7e78c021ea844a85423

SHA1
e98e13e0e714e8f2c8579b19a4e25552abda69af

SHA256
f40148a3164352769c4a72a6a1849dee10684677c65feff2a202e756bea4734a

SHA512
5c0ea214d1b93a2e2a043158ea58706bfebca2e2f7d79c1a79769e59ee24ba50bd9f49fbd117d53d8c45583c60d513ee5de0241613edbb8d84c2dc83d52960c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2f341604b6f221d98478ebdf0168e40e

SHA1
bd9aa7d1c50a17ff64486796d10315b1c53cb653

SHA256
a614a8f1652ba5e884e70ba9ca181c9d140dfab1e0585fd706363e8f3a765975

SHA512
402917bb834eb05b1d7216125f88d058b8adffae4a53ed38b29154551949249fe658943cee75045e13f382468fe63ee5903ace842242a8e9180111e84d94387f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4bd36a1decf47b7bf80b27e71312a1f0

SHA1
5be3b273df4604a7e99c150695af2d5f80a63b44

SHA256
5af5017f47d8d04034f632329af06a2de78d6f42e6ce2bed174f53e9629d4488

SHA512
b7bdecc856968211196b37e1659c4903b2e48bd2a4ef43a2efb68d1a2a4a26679a738f1cfaa8aa3c3575f323f561ac5fb9cdbf767258828fe81e46d2e1e5fbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44DFDBE8\run.bat

Filesize
1KB

MD5
0e18b28ad81adbac6d108969a733307a

SHA1
9abd50146b045a771c8d8afea9524a9c5e74323e

SHA256
69dd02b4cc7526d85c16b786ed3a15f6f1d32171db78edd7ed70cf7538957225

SHA512
00d0c7483636fc41b49b57edabcf0990c490bcde5d36788e650727b0c46ec1b54bb4c0c60ef5a8acc523611c797d3b794191f7b0e5436d7a54ffb65ffa82d90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44DFDBE8\u0Y4ZfNbjZ4PNDNB5

Filesize
651KB

MD5
afcc26c8db5a02896b669d11c5a98ac4

SHA1
de8e5874bef77f9b1eca562bf790fbc4953659b7

SHA256
062955e91b4bdab20791473588f2027cbee9915f7578216d782ccac908ee8594

SHA512
bd726b41d9d5c426a0bfe6b7e3621ea8a8e0ada64b50256b50a300454d01ddc6a1d110e7a1e909f339bcf1fc11321e9324694631a4d6d1a5e358690790f331a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsDxzcDAzSDzdD

Filesize
38.5MB

MD5
9dfcc32f9b3c4c4189454755893f32ce

SHA1
7de7c51eb46b3c599160596b5def8ec3067b750d

SHA256
1b4122c058b7c92fbff8d89931685dd4a3f33c7840e8f08d1f731c8ab56fe0c1

SHA512
5f4855a7c212d1a9e6bed2e6f8c9bdb99947becfd2ca4d4c6e706f3c08dc69d29e65e07f4c7d8035cf37902886f6d8367805ba19b4423276129e6ddc096714fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoHotkey.exe

Filesize
1.3MB

MD5
2d0600fe2b1b3bdc45d833ca32a37fdb

SHA1
e9a7411bfef54050de3b485833556f84cabd6e41

SHA256
effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696

SHA512
9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\1\1

Filesize
3KB

MD5
512cd906c4f2ee99a5ffe6dae90ea71a

SHA1
d0dd01a0a28f6b515063644180ed9ac2426e514f

SHA256
4a52af492d61c65b58116bcbf71059dd53c61d07d01b5e0f09573f4ecfd8bc46

SHA512
b5f44fbe59947c44d418b38e78c8c3650c9d39d73b92748dd757c1e9aeb9d7afbe3bf031541c1223e8a2b6d91994d37eb6b3c3ebf2ed363c3726bb0c6888ccf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\1\data.txt

Filesize
5B

MD5
525c961845ee370f826593c47595ab11

SHA1
4373be5e4fa368ff8c9511b0180f99663ae4b76f

SHA256
ae4ea086f68f3ee8f83f8eb118d1d989caed142732c9e325fd00372cbea451dc

SHA512
e07fe1c4a915d41680a42f106fd6f45effb5c96b469649093096c85ce28fd573941761b867a6e8783b98892f4125f2283f7dadb9e512471f6a180a4e047f7bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\ChangeLog.json

Filesize
105KB

MD5
698c4d0b63e7c1ba2c678280dc89dfd9

SHA1
00925b1fdee4ebd6eed3bcd0dfe6bdde899f3af4

SHA256
a34d978a8ef061bcc2da00ec164dc8e01c338a58682ba0f6dddba09ffaf94e3e

SHA512
23810a7a65f3998283285120e5e00370d489c807949a109e58595d3dca6406cc017b1e598b0afa04921a081a8f361d8fa9b171501e7bf1aa286b97c4c00941b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\Config — копия.json

Filesize
6KB

MD5
9c13e1287cf02c04671f07cb3130d2b7

SHA1
b8a6c9dbc68265ef58099d25855311ad3acb9681

SHA256
b6862210b9e6dabb85f5b1d4728496f02a02c8c3974d8b724d122c9bb1589b49

SHA512
f40f801f92d24fb53d8657772f3295e113897d388178984bd177ccab539cb2b79dcf7b330e48a3b7602734f337141c931386d35e294f446ae25cca2603ddc870

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\CrossHair.png

Filesize
234B

MD5
5708840c1c245bad73dd6ff689bf74e5

SHA1
cedeeca6fa4c2757dfeeda022d2ba33dce752c6f

SHA256
175c1745cec830354ba7b883e1a6fce77e188d402fbdd45060eb6a045b7b4b33

SHA512
ec25e8d371cfd0f1d890bec7447533ae1b7dddbc83afcdb4cb023ffa2432742e8160920a645726d45d639c847602da25637c30239363ed3b3bd59765122bdd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\Default.json

Filesize
9KB

MD5
55ee2b51c1bb6614deeb2138541d6c27

SHA1
4bfd0dbc7edffebb47aff60a3a682d88ccbcb618

SHA256
659f3ef2dd3e1cc2fa28eaaaa2cee4e1316c4d35a8a0984102603593f9686b5e

SHA512
cfc070c8a86a6973f4702c9f61a967822da848f4a8926325cf0c85c2a0fbdf468d222eb22ab5c9a93dbc9c58d9255b7f4159f01868c4d30fdcc79dc257b0797b

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\Language.json

Filesize
109KB

MD5
5fbe79dd42985f2bc2d8f447d790d11d

SHA1
5a619cba44005b2c10ff340236ddfbd260ab7b00

SHA256
7f7feffd5b87dbff2fd39d740bcc1aca82847be889e7fdc6ac3ed958c8f14897

SHA512
166425b96497ec993067b33d7a01e0a48b10b550d503d9024951550c066cf30cb29c5d19c85abcb295ecae8bff06c5141f11ba77b057bdc0ff35773f761cfba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\Pro.svg

Filesize
4KB

MD5
528c7edb05d700bc65ab59105e12938b

SHA1
95090c8e4a1e145079ad3a96a6d25f26a1a6165d

SHA256
b2496b7628759b1f61fee470393cb0922e4650a1147818b1fd99c0b5cf9fdb6a

SHA512
839eb0d257bc0bfea35536677a5c4b1d21379b9ac18e46229d7b2730800e495786918152e9adfd47391576d19da97291b0a7d2b5ed5080cbf1cd448108927038

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\background.jpg

Filesize
133KB

MD5
0c4b1730664d42444fdae6c62cf6f6e9

SHA1
bce6c0cae81088bbad4578f68bcfe880024287b9

SHA256
d6d018cb87981e4d69ffac2b135f4e0b54ce3244bb8cb3d54604438fdbd5d52e

SHA512
4c76a912f0bd4448d980736d5ed44c2a55f41aea6f4993a54d776f51dd39b0fdbed0cff5bd7bfd7cc0a99e9ec435f12f05e79ee617bd00ea1ab03257a0cff34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\file

Filesize
835KB

MD5
876a5ef79f40b6d0fb9290eceda0b172

SHA1
2e818b9cc1ae1cda9ed0ff96c039f62d1c070db5

SHA256
b945d91ce8a1f77a2e1a247f63a3678dc6e43f559fc4c7792211c4c128326607

SHA512
a596c8dc060a6acbbc31b4cf77162e55b5f513b560be3a07c9cbcb7cbcfdde0413b40c60a708c71b2c9503ec228afbb444e97b46aaef61dafa48771e9320a49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\gs.dll

Filesize
121KB

MD5
74c8c5dae54f226ddfd463d5142178e2

SHA1
728a4d28ecb8c81d25677d7415ee1204afe185e2

SHA256
1a064562544e2b975bd5f4bf9f894798b2dd1f77b7864d9ed52d93bf42174340

SHA512
0c92b23b20a01d1f2a57c90a0598683d5a8c3a52489e41527e56bae246904b289481d500f7b4b656bc727eb7d3ce77a8e8dac8b46608f4244f2f4b76d6a4c535

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\gui.html

Filesize
499KB

MD5
5c37f97111e2d8920a66311d4c57516e

SHA1
f6748147fa9cc08817fe3fc5a12aef893535ec41

SHA256
718f562a09a2dd426019a0194775f649fc28331ea766450d24fb69958da2f450

SHA512
5cad999f45d7fd87cf21f2abf417f98dbc2afd0699f8ad4861a21b5cfc8edef693a174b81b802c6d1de556460775a22c5ab91a6ff39cfb9a8b26221032ef6302

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\icon.ico

Filesize
139KB

MD5
38c0279563abc2c70f9f288b616c9770

SHA1
eeeab2f77e4aad904186e3dfe2ec65207ef92604

SHA256
e4a941a51c9fd340ad1612b1bd4040d53e6924d5cbe1224b1e09ce8a7d4b8c19

SHA512
1d0fdb93a143dacfb8a4d1f8b56c6da6f353d3061ae79777d78f5be9b0b8670f089186f66491a0ce10f6ccf489ea4ed531f41879756c700e170ff82807fff564

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\jquery.min.js

Filesize
87KB

MD5
b61aa6e2d68d21b3546b5b418bf0e9c3

SHA1
9c1398f0de4c869dacb1c9ab1a8cc327f5421ff7

SHA256
f36844906ad2309877aae3121b87fb15b9e09803cb4c333adc7e1e35ac92e14b

SHA512
5882735d9a0239c5c63c5c87b81618e3c8dc09d7d743c3444c535b9547b9b65defa509d7804552c581cb84b61dd1225e2add5dca6b120868ec201fa979504f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\script.js

Filesize
16KB

MD5
ac1d20da4d518b1c74e7640233a830eb

SHA1
1b113d00d3908815cf9d9d6b7400c686fa4fa526

SHA256
770dac9889a0a3a42bc995385b692630537d2c46e53ba89737a460f12e6edb9e

SHA512
abfbd1185252388af265d28c7ed4918cbd3558793b9af4d1e631684f20adfc1d3d20eb9c00feda362f2644d26d01c2b3eb5905b150ac6bcc1ec3baba513888bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\style.css

Filesize
16KB

MD5
1261a774b4ec34a92439bd3b509c470d

SHA1
ff7cf9d6a21bd79fa24b461a9c04d3d24607fbe6

SHA256
a16846c4021e8c4fbf2a7ee97dc54ead4bad02ad07c8780ca3a3be38bdd16d28

SHA512
5767b44035653d5cb77635d0ca363c1d3023257569252ba459fd05898e88331b80d89c15440e66cd1350cf0e8c144c7135ef24a809ca8ee81d7eedb1262c27c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\new\swap

Filesize
1.1MB

MD5
3bf06f64e178d8dcf06e25131c0e6d10

SHA1
f6798bbb82581707cef54c2c2aa1fdf6b9578b36

SHA256
7037f6cf83d9164b86c5d614728aea7410ad90971a8aff392d6c62763b0a4d6c

SHA512
7edb72ec103a9f172cb9e35751a126ac3611b17483aade086ff4f25d642c978065cbe947c226b30caac7447bca5295e6233c2ffaed21eb6f8b2c8bcf37e7d56e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0Y4ZfNbjZ4PNDNB5.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Users\Admin\AppData\Roaming\test.txt

Filesize
2B

MD5
23b58def11b45727d3351702515f86af

SHA1
099600a10a944114aac406d136b625fb416dd779

SHA256
6c179f21e6f62b629055d8ab40f454ed02e48b68563913473b857d3638e23b28

SHA512
16b7aa7f7e549ba129c776bb91ce1e692da103271242d44a9bc145cf338450c90132496ead2530f527b1bd7f50544f37e7d27a2d2bbb58099890aa320f40aca9

Download Submit
C:\Users\Admin\Downloads\F-M-Е_v2.exe:Zone.Identifier

Filesize
186B

MD5
71249633ca9f8da54b34e5406fe54469

SHA1
1f3e12ee15dd106a7ba7cbbda42f3fdcda20955c

SHA256
f48446c17d03bad9bb2c39e8aac9d3b4b6150225cebb2f352cabeb9c5950c0c2

SHA512
0e1b3281234ca2d7af5fd6f93ce10da30374a83bd3c177ddf34e4187d9621254be1722044fed4d659db03f7e7015a13d74698aa1d743c388256612fdb9d9540c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 383079.crdownload

Filesize
1.2MB

MD5
19e7a518ef6467a8ce8117e53039d03d

SHA1
4ac1eb8ac08a3df378c9cf25843aadc53cae2184

SHA256
a41e4e4510ee1991c2bc89a862c9d89d9b85fa2f841e833092102e6d3e49e4c1

SHA512
682ab6059142882d183f6b37904fe420ad1d67033c4994b71ddc72797598a9e8a5736d64761e318c32352a8d7b368aa87a9e623df12196a1edb5d008225f1f17

Download Submit
memory/932-531-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-537-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-380-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-400-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-401-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-402-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-403-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-468-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-377-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-376-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-371-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-496-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-370-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-511-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-512-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-513-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-514-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-515-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-369-0x0000000013C10000-0x0000000013D10000-memory.dmp

Filesize
1024KB

Download
memory/932-525-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-526-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-527-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-528-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-529-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-530-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-324-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-532-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-533-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-534-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-535-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-536-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-390-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-538-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-539-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-540-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-541-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-542-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-543-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-544-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-545-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-546-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-547-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-548-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-549-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-550-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-551-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-552-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-553-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-554-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-555-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-556-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-557-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-558-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-559-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-560-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-561-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-562-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-563-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-564-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-565-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-566-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-567-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-568-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/932-569-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download