quasar | hxxp://gofile[.]io/d/Vw475K

Analysis

max time kernel
299s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://gofile.io/d/Vw475K

Score

10^/10

quasar office04 discovery execution spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.28:4782

Mutex

03ef2b9a-5389-4312-b3d3-9b6f68cc5386

Attributes

encryption_key
F8A900CD75D848E74023B3A66FA8AA5469C97692
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ahhaa
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5768-367-0x00000000003F0000-0x0000000000714000-memory.dmp	family_quasar
behavioral1/files/0x000d000000023b05-370.dat	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
5612	powershell.exe
644	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

Cleaner.exeCleaner.exeCleaner.exeCleaner.exeCleaner.exeCleaner.exePermWoofer.exeClient.exePermWoofer.exe

pid	Process
6092	Cleaner.exe
2476	Cleaner.exe
5696	Cleaner.exe
4592	Cleaner.exe
6024	Cleaner.exe
5892	Cleaner.exe
5768	PermWoofer.exe
5720	Client.exe
5792	PermWoofer.exe

Loads dropped DLL 48 IoCs

Processes:

Cleaner.exeCleaner.exeCleaner.exe

pid	Process
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
2476	Cleaner.exe
6024	Cleaner.exe
6024	Cleaner.exe
5892	Cleaner.exe
5892	Cleaner.exe
6024	Cleaner.exe
6024	Cleaner.exe
5892	Cleaner.exe
5892	Cleaner.exe
5892	Cleaner.exe
5892	Cleaner.exe
5892	Cleaner.exe
5892	Cleaner.exe
5892	Cleaner.exe
5892	Cleaner.exe
5892	Cleaner.exe
5892	Cleaner.exe
5892	Cleaner.exe
5892	Cleaner.exe
6024	Cleaner.exe
6024	Cleaner.exe
6024	Cleaner.exe
6024	Cleaner.exe
6024	Cleaner.exe
6024	Cleaner.exe
6024	Cleaner.exe
6024	Cleaner.exe
6024	Cleaner.exe
5892	Cleaner.exe
5892	Cleaner.exe
6024	Cleaner.exe
6024	Cleaner.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
67	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exe

pid	Process
4964	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000b000000023b28-142.dat	upx
behavioral1/memory/2476-146-0x00007FF903740000-0x00007FF903E05000-memory.dmp	upx
behavioral1/files/0x000c000000023b0b-149.dat	upx
behavioral1/files/0x000b000000023b1e-167.dat	upx
behavioral1/memory/2476-169-0x00007FF918D40000-0x00007FF918D4F000-memory.dmp	upx
behavioral1/files/0x000b000000023b1f-168.dat	upx
behavioral1/files/0x000b000000023b1c-166.dat	upx
behavioral1/memory/2476-165-0x00007FF9062B0000-0x00007FF9062D5000-memory.dmp	upx
behavioral1/files/0x000b000000023b1b-164.dat	upx
behavioral1/files/0x000b000000023b19-163.dat	upx
behavioral1/files/0x000c000000023b18-162.dat	upx
behavioral1/files/0x000c000000023b0e-161.dat	upx
behavioral1/files/0x000c000000023b08-160.dat	upx
behavioral1/files/0x0008000000023cc1-159.dat	upx
behavioral1/files/0x0008000000023cc0-158.dat	upx
behavioral1/files/0x0008000000023cbf-157.dat	upx
behavioral1/files/0x000b000000023b27-154.dat	upx
behavioral1/files/0x000b000000023b24-153.dat	upx
behavioral1/files/0x000b000000023b25-151.dat	upx
behavioral1/memory/2476-175-0x00007FF905920000-0x00007FF90594D000-memory.dmp	upx
behavioral1/memory/2476-178-0x00007FF9181F0000-0x00007FF91820A000-memory.dmp	upx
behavioral1/memory/2476-181-0x00007FF9035C0000-0x00007FF90373F000-memory.dmp	upx
behavioral1/memory/2476-192-0x00007FF9058B0000-0x00007FF9058E3000-memory.dmp	upx
behavioral1/memory/2476-193-0x00007FF902FC0000-0x00007FF9034E9000-memory.dmp	upx
behavioral1/memory/2476-187-0x00007FF918B20000-0x00007FF918B2D000-memory.dmp	upx
behavioral1/memory/2476-186-0x00007FF917CF0000-0x00007FF917D09000-memory.dmp	upx
behavioral1/memory/2476-185-0x00007FF903740000-0x00007FF903E05000-memory.dmp	upx
behavioral1/memory/2476-180-0x00007FF9058F0000-0x00007FF905914000-memory.dmp	upx
behavioral1/memory/2476-199-0x00007FF905890000-0x00007FF9058A4000-memory.dmp	upx
behavioral1/memory/2476-201-0x00007FF902EA0000-0x00007FF902FBA000-memory.dmp	upx
behavioral1/memory/2476-198-0x00007FF9034F0000-0x00007FF9035BD000-memory.dmp	upx
behavioral1/memory/2476-197-0x00007FF918920000-0x00007FF91892D000-memory.dmp	upx
behavioral1/memory/2476-203-0x00007FF9062B0000-0x00007FF9062D5000-memory.dmp	upx
behavioral1/memory/6024-267-0x00007FF8FA400000-0x00007FF8FAAC5000-memory.dmp	upx
behavioral1/memory/5892-268-0x00007FF8F98A0000-0x00007FF8F9F65000-memory.dmp	upx
behavioral1/memory/2476-276-0x00007FF9058F0000-0x00007FF905914000-memory.dmp	upx
behavioral1/memory/5892-275-0x00007FF910100000-0x00007FF91010F000-memory.dmp	upx
behavioral1/memory/5892-274-0x00007FF901F70000-0x00007FF901F95000-memory.dmp	upx
behavioral1/memory/2476-273-0x00007FF9035C0000-0x00007FF90373F000-memory.dmp	upx
behavioral1/memory/6024-271-0x00007FF901FA0000-0x00007FF901FC5000-memory.dmp	upx
behavioral1/memory/2476-270-0x00007FF905920000-0x00007FF90594D000-memory.dmp	upx
behavioral1/memory/6024-269-0x00007FF912150000-0x00007FF91215F000-memory.dmp	upx
behavioral1/memory/5892-282-0x00007FF900AA0000-0x00007FF900ACD000-memory.dmp	upx
behavioral1/memory/5892-287-0x00007FF8FFAC0000-0x00007FF8FFC3F000-memory.dmp	upx
behavioral1/memory/5892-286-0x00007FF8FFC40000-0x00007FF8FFC64000-memory.dmp	upx
behavioral1/memory/6024-294-0x00007FF8FA400000-0x00007FF8FAAC5000-memory.dmp	upx
behavioral1/memory/5892-293-0x00007FF90FA50000-0x00007FF90FA5D000-memory.dmp	upx
behavioral1/memory/5892-292-0x00007FF902440000-0x00007FF902459000-memory.dmp	upx
behavioral1/memory/5892-285-0x00007FF9010E0000-0x00007FF9010FA000-memory.dmp	upx
behavioral1/memory/2476-284-0x00007FF902FC0000-0x00007FF9034E9000-memory.dmp	upx
behavioral1/memory/2476-283-0x00007FF9058B0000-0x00007FF9058E3000-memory.dmp	upx
behavioral1/memory/5892-297-0x00007FF8FE9D0000-0x00007FF8FEA9D000-memory.dmp	upx
behavioral1/memory/5892-302-0x00007FF8F9370000-0x00007FF8F9899000-memory.dmp	upx
behavioral1/memory/6024-310-0x00007FF8FFA30000-0x00007FF8FFA63000-memory.dmp	upx
behavioral1/memory/5892-321-0x00007FF8FFAC0000-0x00007FF8FFC3F000-memory.dmp	upx
behavioral1/memory/5892-326-0x00007FF8F9370000-0x00007FF8F9899000-memory.dmp	upx
behavioral1/memory/6024-330-0x00007FF8FE900000-0x00007FF8FE9CD000-memory.dmp	upx
behavioral1/memory/6024-345-0x00007FF8FFA70000-0x00007FF8FFA89000-memory.dmp	upx
behavioral1/memory/2476-348-0x00007FF902EA0000-0x00007FF902FBA000-memory.dmp	upx
behavioral1/memory/6024-363-0x00007FF901FA0000-0x00007FF901FC5000-memory.dmp	upx
behavioral1/memory/6024-360-0x00007FF8FE900000-0x00007FF8FE9CD000-memory.dmp	upx
behavioral1/memory/6024-359-0x00007FF8F8CC0000-0x00007FF8F91E9000-memory.dmp	upx
behavioral1/memory/6024-358-0x00007FF8FFA30000-0x00007FF8FFA63000-memory.dmp	upx
behavioral1/memory/6024-357-0x00007FF90A6A0000-0x00007FF90A6AD000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

Processes:

msedge.exemsedge.exeOpenWith.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 5a003100000000005d5941be100053706f6f666572730000420009000400efbe5e59d5025e59d8022e0000005507000000001a0000000000000000000000000000004c272a01530070006f006f006600650072007300000018000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "5"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000388ddce19718db01256ef5219d18db01244f8af2612adb0114000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
5776	schtasks.exe
6036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exe

pid	Process
816	msedge.exe
816	msedge.exe
5068	msedge.exe
5068	msedge.exe
836	identity_helper.exe
836	identity_helper.exe
5104	msedge.exe
5104	msedge.exe
5612	powershell.exe
5612	powershell.exe
5612	powershell.exe
644	powershell.exe
644	powershell.exe
644	powershell.exe
1372	msedge.exe
1372	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5832	msedge.exe
5832	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msedge.exe

pid	Process
1372	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exe

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

7zG.exepowershell.exeWMIC.exetasklist.exepowershell.exePermWoofer.exeClient.exePermWoofer.exe

description	pid	Process
Token: SeRestorePrivilege	5632	7zG.exe
Token: 35	5632	7zG.exe
Token: SeSecurityPrivilege	5632	7zG.exe
Token: SeSecurityPrivilege	5632	7zG.exe
Token: SeDebugPrivilege	5612	powershell.exe
Token: SeIncreaseQuotaPrivilege	3024	WMIC.exe
Token: SeSecurityPrivilege	3024	WMIC.exe
Token: SeTakeOwnershipPrivilege	3024	WMIC.exe
Token: SeLoadDriverPrivilege	3024	WMIC.exe
Token: SeSystemProfilePrivilege	3024	WMIC.exe
Token: SeSystemtimePrivilege	3024	WMIC.exe
Token: SeProfSingleProcessPrivilege	3024	WMIC.exe
Token: SeIncBasePriorityPrivilege	3024	WMIC.exe
Token: SeCreatePagefilePrivilege	3024	WMIC.exe
Token: SeBackupPrivilege	3024	WMIC.exe
Token: SeRestorePrivilege	3024	WMIC.exe
Token: SeShutdownPrivilege	3024	WMIC.exe
Token: SeDebugPrivilege	3024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3024	WMIC.exe
Token: SeRemoteShutdownPrivilege	3024	WMIC.exe
Token: SeUndockPrivilege	3024	WMIC.exe
Token: SeManageVolumePrivilege	3024	WMIC.exe
Token: 33	3024	WMIC.exe
Token: 34	3024	WMIC.exe
Token: 35	3024	WMIC.exe
Token: 36	3024	WMIC.exe
Token: SeDebugPrivilege	4964	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3024	WMIC.exe
Token: SeSecurityPrivilege	3024	WMIC.exe
Token: SeTakeOwnershipPrivilege	3024	WMIC.exe
Token: SeLoadDriverPrivilege	3024	WMIC.exe
Token: SeSystemProfilePrivilege	3024	WMIC.exe
Token: SeSystemtimePrivilege	3024	WMIC.exe
Token: SeProfSingleProcessPrivilege	3024	WMIC.exe
Token: SeIncBasePriorityPrivilege	3024	WMIC.exe
Token: SeCreatePagefilePrivilege	3024	WMIC.exe
Token: SeBackupPrivilege	3024	WMIC.exe
Token: SeRestorePrivilege	3024	WMIC.exe
Token: SeShutdownPrivilege	3024	WMIC.exe
Token: SeDebugPrivilege	3024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3024	WMIC.exe
Token: SeRemoteShutdownPrivilege	3024	WMIC.exe
Token: SeUndockPrivilege	3024	WMIC.exe
Token: SeManageVolumePrivilege	3024	WMIC.exe
Token: 33	3024	WMIC.exe
Token: 34	3024	WMIC.exe
Token: 35	3024	WMIC.exe
Token: 36	3024	WMIC.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	5768	PermWoofer.exe
Token: SeDebugPrivilege	5720	Client.exe
Token: SeDebugPrivilege	5792	PermWoofer.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exe7zG.exe

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5632	7zG.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

msedge.exe

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

OpenWith.exeClient.exemsedge.exemsedge.exe

pid	Process
4284	OpenWith.exe
5720	Client.exe
1372	msedge.exe
5832	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 5068 wrote to memory of 3948	5068	msedge.exe	84
PID 5068 wrote to memory of 3948	5068	msedge.exe	84
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 4768	5068	msedge.exe	85
PID 5068 wrote to memory of 816	5068	msedge.exe	86
PID 5068 wrote to memory of 816	5068	msedge.exe	86
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87
PID 5068 wrote to memory of 4364	5068	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://gofile.io/d/Vw475K
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9180b46f8,0x7ff9180b4708,0x7ff9180b4718
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=212 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6136 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2052,7766717103266424212,3710608717633406784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6804 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5328

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap32370:76:7zEvent28521
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5632

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Spoofers\READ ME.txt
1⤵
PID:5724

C:\Users\Admin\Downloads\Spoofers\Cleaner.exe
"C:\Users\Admin\Downloads\Spoofers\Cleaner.exe"
1⤵
- Executes dropped EXE
PID:6092
- C:\Users\Admin\Downloads\Spoofers\Cleaner.exe
  "C:\Users\Admin\Downloads\Spoofers\Cleaner.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Spoofers\Cleaner.exe'"
    3⤵
    PID:1552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Spoofers\Cleaner.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:4500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('successfully cleaned', 0, 'cleaner', 48+16);close()""
    3⤵
    PID:4108
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('successfully cleaned', 0, 'cleaner', 48+16);close()"
      4⤵
      PID:320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4788
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3024

C:\Users\Admin\Downloads\Spoofers\Cleaner.exe
"C:\Users\Admin\Downloads\Spoofers\Cleaner.exe"
1⤵
- Executes dropped EXE
PID:5696
- C:\Users\Admin\Downloads\Spoofers\Cleaner.exe
  "C:\Users\Admin\Downloads\Spoofers\Cleaner.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6024

C:\Users\Admin\Downloads\Spoofers\Cleaner.exe
"C:\Users\Admin\Downloads\Spoofers\Cleaner.exe"
1⤵
- Executes dropped EXE
PID:4592
- C:\Users\Admin\Downloads\Spoofers\Cleaner.exe
  "C:\Users\Admin\Downloads\Spoofers\Cleaner.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5892

C:\Users\Admin\Downloads\Spoofers\PermWoofer.exe
"C:\Users\Admin\Downloads\Spoofers\PermWoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5768
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "ahhaa" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5776
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5720
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "ahhaa" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6036

C:\Users\Admin\Downloads\Spoofers\PermWoofer.exe
"C:\Users\Admin\Downloads\Spoofers\PermWoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5792

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Spoofers\READ ME.txt
1⤵
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2c2b373f-6525-404d-a22e-baece3a1944c.tmp

Filesize
6KB

MD5
51db92f95859a7715f3a7db09f61b48e

SHA1
6745499a39c638aba8e696430db6a9f8e0b2cd41

SHA256
cece4c6cfbb803a3e819473b5839c5204b7de4618cb4d7b496e9554b11036bcc

SHA512
3786fdbc84d5f3650ccd15bf8e7e8b50e048ef3a744f732a759792e71cc2e46149b8e7a3e4b748bff5418e824c2e795381601f08eb92962f01a9c238fb982749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
7af6d1669e78bd558b5fd9d509f30091

SHA1
c4927b5da0121663747f4e24e53fe971be118189

SHA256
1d5efe71bbf7d717432a318cedeab7d64d2b58e69da71f23a9d84afc7da6158b

SHA512
30338263a993bf946e7c41b9a923a33e3c2435fa90dda9cf0db0d79a42215d3b2f9efee21ba556cdad83193d4f4eb78a2edd5c887c16447430c1bc0fa290b599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
5b59c7145677a130787ae43910185023

SHA1
f7d62a2a617112f990faba4682a61e3cc385aabf

SHA256
9c5093c3dd1ec3b21fe0e994a3893a98dc389fb6dfbd0f8832314cb592b6f9a7

SHA512
c71e5f04b48d25da680acea37e6a05e31a8c267c68eebb9564cd79b918c0ab854c98781dd616fd664c3cea54d8e6add4c8e5ef53893b525fc3326a0af2ed5b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
c81e1385192bacca3c9c0202fd7cdb7f

SHA1
de97da1dfe1dfc6e0e9a5f780440874dd6c19f5d

SHA256
4a0a5ad8a2259ebd6b01c951d7bc46e3c405886e2e118ec5a75431f6ca80f3bf

SHA512
22bf9e8616dc14f25bca14b10e168ddbb6aaf8e1404a0d3273ae10485b71e9b9a5ab9980c7fe4e05df5a657c38c7c39a8f940699726059e07217aad4392f450f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
cac99845b5dd7eb9894de7190cd216aa

SHA1
2dc6b51c94253c3cfded0bc7c9f625b5264cf585

SHA256
d03b9c34dee7364349b8edae0af3b64b55905f7f0c8c4204427d821ae211ba26

SHA512
958f5378e73a8e757ec490e88574c49771ab5a6104422bef104d51398ecc69e26210303f707ab4b62fbb1ac7d7da92af24be84d94737988a5d6ad19b477d079a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9942cf6e3d53f1bef6f6595f27377731

SHA1
ad128ea53a1f1455453726e6465e40174c8b8c39

SHA256
a4f762c2058d5a1bfeb9aa6f94b73190f65ae298170e5cf1e866043cd3d24618

SHA512
64cdf85161916632c96bf73bd3541e1e083f97b5cb76f936fab2e47f538c2e5ff25ae70252f96a65bc8dbd6fcf2c6753a7caa11db98e65605639921eeb01491d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2d3051bfdc7a56dfed16e74d372854d2

SHA1
9becdd14c0bb4e32427fd0545397f71b9563bf0b

SHA256
7e5bc66be67de89823ef6deca6c379949e0381e74d21177a02c28b70d5a506f7

SHA512
e148b8d8090cea9ef2ba749a7d148a773e9642e31f855f33d962f03e79992ef0c50fae8e05d9256db99ca6580750a5e3e828402a0bccdb0ca53c0fd5ba213fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
461B

MD5
f9d0eef2af576c78cf4e6b3b8077444c

SHA1
6b73e40a80cf5cd7f9c1765d9e472f3a0b7a251d

SHA256
4b7d82ff40b1f5032ddbab9d71ca92c59137cddf5676bc0e526ce7c3dcbe0b8c

SHA512
3c40876633ae60efaeeb067c0c6ddc964543b146307cce7d154ec193a7e07d64a4298b7a055e372e5e1df79e89f90f77a94c7ea5a3d6a5040af121e9fd6fc842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f206b6e26ac5475cf566e92005b64d56

SHA1
4d91b6250565a9514dc6ff18a2ea97e0b936ecfa

SHA256
dddb55fbe4b6da10155918ebf95428f4a3174f375e028dfc3117e493b72739c1

SHA512
8e75a87bb811f23b208690aed3a0031fd27142e9a7c6f8a75398e59b0c85780d032b753d839528c025f8720793ed0165edc430a07c31cb41e3b3cf26ba161bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a6c11e66ea6c8281824b78b4f2090e49

SHA1
daf346be7d759370f4891f5223087869ed715dad

SHA256
18f7a7b2aa0d79c47a12f9234a2c406374921aa17b8a06abe858570a82f20a4d

SHA512
f0d309239cd7e753fa6d61eecba188571bdf0dabe2f5a0fd696ce6109382a28a84e739633261108ecfd9a3ce1f534cb0ae947b81d4955b891fd7c5618c389af9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e59b801f3b70575a7f3d90cbe851dd0c

SHA1
a2356e7e8ae9a5537bf9918f6ed78c44cd19a3b3

SHA256
ab71116f4d160e60fc1ed2977b05d919478107d06840d3c98940d0e0585cf857

SHA512
e299a19f5d440fbc584db73ff130c94121cd37ca7b45a356f5fd29eb3ff61ecd9956eb0235c1c03bfb080ebd59face2cb7dff87833528576a0b6b561e662490e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3b481811acda6405732186d771c982b

SHA1
e1cd46fa562bd3e3cea96ea2d4e6d7b6c66de1c3

SHA256
b192c26494d6ce61c1d6bcebd2f2f33a00afc67c6937d9dcc0ee1ccf211f83cc

SHA512
6fc9f2653c8bd0a192a8fec27fa8c35d90f181d81b79bad0c220e2e8cc39a3d5e49f151b1c5d775092edee43630866976be3fe76f6381a86707d4c712d33293c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0e20657c0e86f16270e9868c9f2eae36

SHA1
4a9df15ce4045f8de90bf4caf848e327d0f9ddc5

SHA256
7a03e7a9984963a6214fcb8653f4e3409f945f32581256e3893e8b4c07452c38

SHA512
437eabba835947bb8789620643bdfa2d6a2d001e21e2dfd820ee70c1d30d6e253faee17af5830efc09be06cc333acbcaf4d3aeb59c816f3e85b96efa2e2ef9dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9615e8d6bff6350c81bf6f05bebc83e3

SHA1
4cc63a2093c26695755946578dc93310213019d9

SHA256
0e15cad0527d5702e19f1502ffbe47c018d38270b154e8b06598e566db4e7340

SHA512
af9e0cbc6633ae6b8560be85bd116f61a32ac22d70777e7b054e1a7654c0e80bb35ecec36c22d05ec0e86428031eff03bf91f3f1c76bc88b129fc7cfa5648b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
b26abb1d39a92d78d21f6c22fc8f4b62

SHA1
2963ff5f71920c9560517531015c30b37395d361

SHA256
fbfe30c7243cf5294c69984898348bf08b6421e06484300b491839ed18795a85

SHA512
779f46e5e2c5f9567946c3a25e11cb6f0f17d5f56ed95002d49823cb37b00cf88bbb2152f784f3270e9b8dedb04565bef136ad4cef93f67bfc8c7e11454e908d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
8b243de10611fcdc771f6f3ff5d86362

SHA1
050064db869da4a7e2741f4373ef685871fc3710

SHA256
7f01128f043f037b5e3bf17cd61a10753f30dfd4daa62b9c729ee01f9f479b85

SHA512
f368a403174572b6b02877735127b427ffdb4cc2850398ac9b866182c498bbfd8525d74adb8ec575cc2fad5b51fbcfaddce58d4eeb0f4036873c2b7a449ea661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594b48.TMP

Filesize
370B

MD5
9d166162e8675b9491f5a675d96ff75a

SHA1
f2b00554853bd5f829646f8975bb8999cf152b30

SHA256
b940b0572e60ff9326678dfc5054596bfececafd87bea51177d31ede914cd7f5

SHA512
6f3c42bd3c93adf8974d12beef4fac0fab92c442daabf714511815e73d652b6fcfaa629ba28a215b47a689676971c0b9ce6fde54c2a58e86c6d4374e69c0e5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2d0b332bf68abf15b47b0628a8267f23

SHA1
2d1109d8c42fd2549c0b2c12fe1a37d028dffa5e

SHA256
ad1cf7635ac0cdab1ccb7b66fbc893b84008135662a82fc23187417b13e7fdd1

SHA512
15d800493b18f3d1b4b91bd02d0763a6d547851ffe1e93c2edcbeb44cb2ff6e79aba2d6fb7c61c0ae2bfc90d1d21a685631fb858858c0585e41cd1eb40eab50c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b7c36ce38b436ef25e0fa17e09849bb8

SHA1
ae5b15ce1e5ab1d7362498dd93c891df386fd5b8

SHA256
01d10f6651ce0eb2d424f174d8714d5a63520bc80b1cf3a6a9dfa53612246e7d

SHA512
1773b0265cda45e11298dbb5fbffefc2be1661bda08020d64abe6b49163ae2c6e9ce326ae186973a24377897b3577574b3423d01f6b3c195d330d0dbf617f763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
447014687622af7c638e9cac9c8cc5e9

SHA1
66a0809c8e07bdc04b75cfd2db5e56107e933f48

SHA256
481d1978d5ed5ef3aff61db52e7df1bd012a5acc119900b10c89f14daca4d69d

SHA512
effa14177e5aec30de25d19fd5eb251534d950c1aeccf6fb0f7049b5af348d2ce3324391ecfef4d1669bd1246fe67ff739507535d6251bbc9b175b3f893f410b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45922\blank.aes

Filesize
110KB

MD5
a9a06416d9ef35cdabd07f724e9fc398

SHA1
ee2154a0f608f9a748f6ed476a05815b02e5d633

SHA256
18eebece903d437c60e7515a52e50e98baf7c42ae8a14a958f1edeaa7ac015f0

SHA512
a45b5bab4e4486f82705109fbb607c906ea51b3b1ece8f5dcf560828dbb2f5b1ef2ad5febb55c5428c81e830b434b0a9e197f0f41f401de512cc91f1511673a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_bz2.pyd

Filesize
48KB

MD5
82e4f19c1e53ee3e46913d4df0550af7

SHA1
283741406ecf64ab64df1d6d46558edd1abe2b03

SHA256
78208da0890aafc68999c94ac52f1d5383ea75364eaf1a006d8b623abe0a6bf0

SHA512
3fd8377d5f365499944a336819684e858534c8a23b8b24882f441318ec305e444e09125a0c0aedc10e31dbf94db60b8e796b03b9e36adbad37ab19c7724f36ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_ctypes.pyd

Filesize
59KB

MD5
fa360b7044312e7404704e1a485876d2

SHA1
6ea4aad0692c016c6b2284db77d54d6d1fc63490

SHA256
f06c3491438f6685938789c319731ddf64ba1da02cd71f43ab8829af0e3f4e2f

SHA512
db853c338625f3e04b01b049b0cb22bdaed4e785eb43696aeda71b558f0f58113446a96a3e5356607335435ee8c78069ce8c1bcdb580d00fd4baacbec97a4b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_decimal.pyd

Filesize
107KB

MD5
b7012443c9c31ffd3aed70fe89aa82a0

SHA1
420511f6515139da1610de088eaaaf39b8aad987

SHA256
3b92d5ca6268a5ad0e92e5e403c621c56b17933def9d8c31e69ab520c30930d9

SHA512
ec422b0bee30fd0675d38888f056c50ca6955788d89c2a6448ddc30539656995627cf548e1b3aa2c4a77f2349b297c466af8942f8133ef4e2dfb706c8c1785e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_hashlib.pyd

Filesize
35KB

MD5
3a4a3a99a4a4adaf60b9faaf6a3edbda

SHA1
a55ea560accd3b11700e2e2600dc1c6e08341e2f

SHA256
26eed7aac1c142a83a236c5b35523a0922f14d643f6025dc3886398126dae492

SHA512
cb7d298e5e55d2bf999160891d6239afdc15ada83cd90a54fda6060c91a4e402909a4623dcaa9a87990f2af84d6eb8a51e919c45060c5e90511cd4aadb1cdb36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_lzma.pyd

Filesize
86KB

MD5
bad668bbf4f0d15429f66865af4c117b

SHA1
2a85c44d2e6aa09ce6c11f2d548b068c20b7b7f8

SHA256
45b1fcdf4f3f97f9881aaa98b00046c4045b897f4095462c0bc4631dbadac486

SHA512
798470b87f5a91b9345092593fc40c08ab36f1684eee77654d4058b37b62b40ec0deb4ac36d9be3bb7f69adfdf207bf150820cdbc27f98b0fa718ec394da7c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_queue.pyd

Filesize
26KB

MD5
326e66d3cf98d0fa1db2e4c9f1d73e31

SHA1
6ace1304d4cb62d107333c3274e6246136ab2305

SHA256
bf6a8c5872d995edab5918491fa8721e7d1b730f66c8404ee760c1e30cb1f40e

SHA512
d7740693182040d469e93962792b3e706730c2f529ab39f7d9d7adab2e3805bb35d65dc8bb2bd264da9d946f08d9c8a563342d5cb5774d73709ae4c8a3de621c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_socket.pyd

Filesize
44KB

MD5
da0dc29c413dfb5646d3d0818d875571

SHA1
adcd7ecd1581bcd0da48bd7a34feccada0b015d6

SHA256
c3365ad1fee140b4246f06de805422762358a782757b308f796e302fe0f5aaf8

SHA512
17a0c09e2e18a984fd8fc4861397a5bd4692bcd3b66679255d74bb200ee9258fb4677b36d1eaa4bd650d84e54d18b8d95a05b34d0484bd9d8a2b6ab36ffffcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_sqlite3.pyd

Filesize
57KB

MD5
5f31f58583d2d1f7cb54db8c777d2b1e

SHA1
494587d2b9e993f2e5398d1c745732ef950e43b6

SHA256
fad9ffcd3002cec44c3da9d7d48ce890d6697c0384b4c7dacab032b42a5ac186

SHA512
8a4ec67d7ad552e8adea629151665f6832fc77c5d224e0eefe90e3aec62364a7c3d7d379a6d7b91de0f9e48af14f166e3b156b4994afe7879328e0796201c8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\_ssl.pyd

Filesize
66KB

MD5
e33bf2bc6c19bf37c3cc8bac6843d886

SHA1
6701a61d74f50213b141861cfd169452dde22655

SHA256
e3532d3f8c5e54371f827b9e6d0fee175ad0b2b17e25c26fdfb4efd5126b7288

SHA512
3526bcb97ad34f2e0c6894ee4cd6a945116f8af5c20c5807b9be877eb6ea9f20e571610d30d3e3b7391b23ddcd407912232796794277a3c4545cbcb2c5f8ed6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\base_library.zip

Filesize
1.3MB

MD5
242a4d3404414a9e8ed1ca1a72e8039c

SHA1
b1fd68d13cc6d5b97dc3ea8e2be1144ea2c3ed50

SHA256
cb98f93ede1f6825699ef6e5f11a65b00cdbc9fdfb34f7209b529a6e43e0402d

SHA512
cca8e18cc41300e204aee9e44d68ffe9808679b7dbf3bec9b3885257cadccff1df22a3519cc8db3b3c557653c98bac693bf89a1e6314ef0e0663c76be2bf8626

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\blank.aes

Filesize
110KB

MD5
febe7f583d8a00d10d03b7eeabeb0f89

SHA1
0462c069249240aea09799f0b5306b9cecdb11e0

SHA256
4cc9dbca92848a67b0d4cb0b7f7a97b7176bc364fc44470700eff40f499a2d6a

SHA512
46debbd4f755456f23f9cd1b3bf02a67395b02f488b18e863171d5c85218f11fa8960e05974c6956230d924bd722d4173121815b5a654fcf7ffd00e764c8b57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\python312.dll

Filesize
1.7MB

MD5
eb02b8268d6ea28db0ea71bfe24b15d6

SHA1
86f723fcc4583d7d2bd59ca2749d4b3952cd65a5

SHA256
80222651a93099a906be55044024d32e93b841c83554359d6e605d50d11e2e70

SHA512
693bbc3c896ad3c6044c832597f946c778e6c6192def3d662803e330209ec1c68d8d33bd82978279ae66b264a892a366183dcef9a3a777e0a6ee450a928268e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\select.pyd

Filesize
25KB

MD5
33722c8cd45091d31aef81d8a1b72fa8

SHA1
e9043d440235d244ff9934e9694c5550cae2d5ab

SHA256
366fca0b27a34835129086c8cde1e75c309849e37091db4adeda1be508f2ee12

SHA512
74217abec2727baaa5138e1b1c4bac7d0ca574cf5a377396fc1ca0d3c07beb8aaa374e8060d2b5f707426312c11e0a34527ee0190e979e996f3b822efa24852f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\sqlite3.dll

Filesize
644KB

MD5
68b435a35f9dcbc10b3cd4b30977b0bd

SHA1
9726ef574ca9bda8ec9ab85a5b97adcdf148a41f

SHA256
240d6d3efac25af08fe41a60e181f8fdcb6f95da53b3fad54b0f96680e7a8277

SHA512
8e133b72bd3776f961258793c2b82d2cd536c7ae0ed0241daa2f67d90a6968f563b72f74a1c33d9bdfb821b796612faa7a73a712369ff3b36d968e57bfcdd793

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60922\unicodedata.pyd

Filesize
296KB

MD5
6dd43e115402d9e1c7cd6f21d47cfcf5

SHA1
c7fb8f33f25b0b75fc05ef0785622aa4ec09503c

SHA256
2a00f41bbc3680807042fc258f63519105220053fb2773e7d35480515fad9233

SHA512
72e266eb1ce5cbbcfd1d2a6f864538efd80b3ed844e003e2bd9566708fee0919447290a3b559ea27c32794f97a629a8fe8fc879654ffa609fca5c053dac70c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_035xnzlg.0l1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
b4ac68d3c6cc89ae97e519b9a7241bba

SHA1
ced8a4dec2238bc5f2b7ca9ef9fdac0a6cd9108f

SHA256
03bc2c340a1081e1521a5c4b92c38756f4de234ac1b1a578556d83737972e343

SHA512
8870741c08574945ea43055e6031394af96290348e4e55d3570f937020c49020fc7d61517d9ab9dd42fc65066ba113cb8a31f2d45cff7f7301f8e865d52aa1d5

Download Submit
C:\Users\Admin\Downloads\Spoofers.7z

Filesize
8.2MB

MD5
cb7960f8fb08dc1d63269e205e490b03

SHA1
184d929681a0d5ae239f148214ee5d070b1adc69

SHA256
4fa37e700c2b9ee257995cc82ad1f02b02bf5b031a5fda15ff34277c82239d8a

SHA512
852ea8344772464f4bdbca2108a33bc156b2c7d99ff40588a07e98c055a996567496196f5f1fe7512a1d8cb7a8e132942f7c1a157ad45fe6314838c13ed5eb12

Download Submit
C:\Users\Admin\Downloads\Spoofers\Cleaner.exe

Filesize
7.5MB

MD5
ba5b980e4d8a2229836b393860cc3b4c

SHA1
b08af0140ef0e54fb99d077b08d97ec5c8ebd52f

SHA256
89f481a8c2b2b29afbdb45e2bbe01b24346a118aa3775e6a7a28537a54a85e15

SHA512
bff2841fb6d166abec6a1d3f9ab1fb777f3e1f912e47dea650e4119919310a10cf0399d3d23d4dc700890e327b5b2f8d99fa28c317fb11e56582e83b53a28a5a

Download Submit
C:\Users\Admin\Downloads\Spoofers\READ ME.txt

Filesize
116B

MD5
b7cc3eee27555abf47add422d2b73853

SHA1
7350c15f6aebfa249c35727f10e72025141a22b6

SHA256
ec81bbefcff680906e9390d6249856c36b8d666dc22e13752ee856641d6b2d34

SHA512
8956d4e3560640d7a92b1c5ccf89f7901ff6a70dc611882db49409bb169be5e4d6d3a53879a2cf79e34718c7d5d1044cdd41cc1cf187a215f41b508dde4d3294

Download Submit
\??\pipe\LOCAL\crashpad_5068_GAVBZAZWQTBHKOGM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2476-270-0x00007FF905920000-0x00007FF90594D000-memory.dmp

Filesize
180KB

Download
memory/2476-284-0x00007FF902FC0000-0x00007FF9034E9000-memory.dmp

Filesize
5.2MB

Download
memory/2476-203-0x00007FF9062B0000-0x00007FF9062D5000-memory.dmp

Filesize
148KB

Download
memory/2476-197-0x00007FF918920000-0x00007FF91892D000-memory.dmp

Filesize
52KB

Download
memory/2476-198-0x00007FF9034F0000-0x00007FF9035BD000-memory.dmp

Filesize
820KB

Download
memory/2476-276-0x00007FF9058F0000-0x00007FF905914000-memory.dmp

Filesize
144KB

Download
memory/2476-201-0x00007FF902EA0000-0x00007FF902FBA000-memory.dmp

Filesize
1.1MB

Download
memory/2476-342-0x00007FF902FC0000-0x00007FF9034E9000-memory.dmp

Filesize
5.2MB

Download
memory/2476-273-0x00007FF9035C0000-0x00007FF90373F000-memory.dmp

Filesize
1.5MB

Download
memory/2476-199-0x00007FF905890000-0x00007FF9058A4000-memory.dmp

Filesize
80KB

Download
memory/2476-196-0x000001E3D1DA0000-0x000001E3D22C9000-memory.dmp

Filesize
5.2MB

Download
memory/2476-165-0x00007FF9062B0000-0x00007FF9062D5000-memory.dmp

Filesize
148KB

Download
memory/2476-180-0x00007FF9058F0000-0x00007FF905914000-memory.dmp

Filesize
144KB

Download
memory/2476-185-0x00007FF903740000-0x00007FF903E05000-memory.dmp

Filesize
6.8MB

Download
memory/2476-281-0x000001E3D1DA0000-0x000001E3D22C9000-memory.dmp

Filesize
5.2MB

Download
memory/2476-169-0x00007FF918D40000-0x00007FF918D4F000-memory.dmp

Filesize
60KB

Download
memory/2476-186-0x00007FF917CF0000-0x00007FF917D09000-memory.dmp

Filesize
100KB

Download
memory/2476-146-0x00007FF903740000-0x00007FF903E05000-memory.dmp

Filesize
6.8MB

Download
memory/2476-187-0x00007FF918B20000-0x00007FF918B2D000-memory.dmp

Filesize
52KB

Download
memory/2476-193-0x00007FF902FC0000-0x00007FF9034E9000-memory.dmp

Filesize
5.2MB

Download
memory/2476-192-0x00007FF9058B0000-0x00007FF9058E3000-memory.dmp

Filesize
204KB

Download
memory/2476-346-0x00007FF905890000-0x00007FF9058A4000-memory.dmp

Filesize
80KB

Download
memory/2476-283-0x00007FF9058B0000-0x00007FF9058E3000-memory.dmp

Filesize
204KB

Download
memory/2476-181-0x00007FF9035C0000-0x00007FF90373F000-memory.dmp

Filesize
1.5MB

Download
memory/2476-178-0x00007FF9181F0000-0x00007FF91820A000-memory.dmp

Filesize
104KB

Download
memory/2476-347-0x00007FF918920000-0x00007FF91892D000-memory.dmp

Filesize
52KB

Download
memory/2476-341-0x00007FF9034F0000-0x00007FF9035BD000-memory.dmp

Filesize
820KB

Download
memory/2476-340-0x00007FF9058B0000-0x00007FF9058E3000-memory.dmp

Filesize
204KB

Download
memory/2476-175-0x00007FF905920000-0x00007FF90594D000-memory.dmp

Filesize
180KB

Download
memory/2476-337-0x00007FF9035C0000-0x00007FF90373F000-memory.dmp

Filesize
1.5MB

Download
memory/2476-348-0x00007FF902EA0000-0x00007FF902FBA000-memory.dmp

Filesize
1.1MB

Download
memory/2476-332-0x00007FF9062B0000-0x00007FF9062D5000-memory.dmp

Filesize
148KB

Download
memory/2476-339-0x00007FF918B20000-0x00007FF918B2D000-memory.dmp

Filesize
52KB

Download
memory/2476-331-0x00007FF903740000-0x00007FF903E05000-memory.dmp

Filesize
6.8MB

Download
memory/2476-333-0x00007FF918D40000-0x00007FF918D4F000-memory.dmp

Filesize
60KB

Download
memory/2476-334-0x00007FF905920000-0x00007FF90594D000-memory.dmp

Filesize
180KB

Download
memory/2476-335-0x00007FF9181F0000-0x00007FF91820A000-memory.dmp

Filesize
104KB

Download
memory/2476-336-0x00007FF9058F0000-0x00007FF905914000-memory.dmp

Filesize
144KB

Download
memory/2476-338-0x00007FF917CF0000-0x00007FF917D09000-memory.dmp

Filesize
100KB

Download
memory/5612-204-0x000002AFA8820000-0x000002AFA8842000-memory.dmp

Filesize
136KB

Download
memory/5720-372-0x000000001BAF0000-0x000000001BB40000-memory.dmp

Filesize
320KB

Download
memory/5720-373-0x000000001BC00000-0x000000001BCB2000-memory.dmp

Filesize
712KB

Download
memory/5720-384-0x000000001C2F0000-0x000000001C818000-memory.dmp

Filesize
5.2MB

Download
memory/5768-367-0x00000000003F0000-0x0000000000714000-memory.dmp

Filesize
3.1MB

Download
memory/5892-297-0x00007FF8FE9D0000-0x00007FF8FEA9D000-memory.dmp

Filesize
820KB

Download
memory/5892-328-0x00007FF90A640000-0x00007FF90A64D000-memory.dmp

Filesize
52KB

Download
memory/5892-268-0x00007FF8F98A0000-0x00007FF8F9F65000-memory.dmp

Filesize
6.8MB

Download
memory/5892-275-0x00007FF910100000-0x00007FF91010F000-memory.dmp

Filesize
60KB

Download
memory/5892-274-0x00007FF901F70000-0x00007FF901F95000-memory.dmp

Filesize
148KB

Download
memory/5892-282-0x00007FF900AA0000-0x00007FF900ACD000-memory.dmp

Filesize
180KB

Download
memory/5892-287-0x00007FF8FFAC0000-0x00007FF8FFC3F000-memory.dmp

Filesize
1.5MB

Download
memory/5892-286-0x00007FF8FFC40000-0x00007FF8FFC64000-memory.dmp

Filesize
144KB

Download
memory/5892-293-0x00007FF90FA50000-0x00007FF90FA5D000-memory.dmp

Filesize
52KB

Download
memory/5892-292-0x00007FF902440000-0x00007FF902459000-memory.dmp

Filesize
100KB

Download
memory/5892-285-0x00007FF9010E0000-0x00007FF9010FA000-memory.dmp

Filesize
104KB

Download
memory/5892-302-0x00007FF8F9370000-0x00007FF8F9899000-memory.dmp

Filesize
5.2MB

Download
memory/5892-321-0x00007FF8FFAC0000-0x00007FF8FFC3F000-memory.dmp

Filesize
1.5MB

Download
memory/5892-298-0x000001FDD3690000-0x000001FDD3BB9000-memory.dmp

Filesize
5.2MB

Download
memory/5892-326-0x00007FF8F9370000-0x00007FF8F9899000-memory.dmp

Filesize
5.2MB

Download
memory/5892-295-0x00007FF8F98A0000-0x00007FF8F9F65000-memory.dmp

Filesize
6.8MB

Download
memory/5892-327-0x00007FF8FFA10000-0x00007FF8FFA24000-memory.dmp

Filesize
80KB

Download
memory/5892-325-0x00007FF8FE9D0000-0x00007FF8FEA9D000-memory.dmp

Filesize
820KB

Download
memory/5892-324-0x00007FF8FFCA0000-0x00007FF8FFCD3000-memory.dmp

Filesize
204KB

Download
memory/5892-323-0x00007FF90FA50000-0x00007FF90FA5D000-memory.dmp

Filesize
52KB

Download
memory/5892-322-0x00007FF902440000-0x00007FF902459000-memory.dmp

Filesize
100KB

Download
memory/5892-315-0x00007FF8F98A0000-0x00007FF8F9F65000-memory.dmp

Filesize
6.8MB

Download
memory/5892-320-0x00007FF8FFC40000-0x00007FF8FFC64000-memory.dmp

Filesize
144KB

Download
memory/5892-319-0x00007FF9010E0000-0x00007FF9010FA000-memory.dmp

Filesize
104KB

Download
memory/5892-318-0x00007FF900AA0000-0x00007FF900ACD000-memory.dmp

Filesize
180KB

Download
memory/5892-317-0x00007FF910100000-0x00007FF91010F000-memory.dmp

Filesize
60KB

Download
memory/5892-316-0x00007FF901F70000-0x00007FF901F95000-memory.dmp

Filesize
148KB

Download
memory/5892-296-0x00007FF8FFCA0000-0x00007FF8FFCD3000-memory.dmp

Filesize
204KB

Download
memory/6024-360-0x00007FF8FE900000-0x00007FF8FE9CD000-memory.dmp

Filesize
820KB

Download
memory/6024-301-0x00007FF8F91F0000-0x00007FF8F936F000-memory.dmp

Filesize
1.5MB

Download
memory/6024-300-0x00007FF8FFA90000-0x00007FF8FFAB4000-memory.dmp

Filesize
144KB

Download
memory/6024-299-0x00007FF8FFCE0000-0x00007FF8FFD0D000-memory.dmp

Filesize
180KB

Download
memory/6024-308-0x00007FF8FFC80000-0x00007FF8FFC9A000-memory.dmp

Filesize
104KB

Download
memory/6024-309-0x00007FF90A6A0000-0x00007FF90A6AD000-memory.dmp

Filesize
52KB

Download
memory/6024-363-0x00007FF901FA0000-0x00007FF901FC5000-memory.dmp

Filesize
148KB

Download
memory/6024-345-0x00007FF8FFA70000-0x00007FF8FFA89000-memory.dmp

Filesize
100KB

Download
memory/6024-330-0x00007FF8FE900000-0x00007FF8FE9CD000-memory.dmp

Filesize
820KB

Download
memory/6024-344-0x00007FF90A480000-0x00007FF90A48D000-memory.dmp

Filesize
52KB

Download
memory/6024-329-0x00007FF8F8CC0000-0x00007FF8F91E9000-memory.dmp

Filesize
5.2MB

Download
memory/6024-310-0x00007FF8FFA30000-0x00007FF8FFA63000-memory.dmp

Filesize
204KB

Download
memory/6024-359-0x00007FF8F8CC0000-0x00007FF8F91E9000-memory.dmp

Filesize
5.2MB

Download
memory/6024-358-0x00007FF8FFA30000-0x00007FF8FFA63000-memory.dmp

Filesize
204KB

Download
memory/6024-357-0x00007FF90A6A0000-0x00007FF90A6AD000-memory.dmp

Filesize
52KB

Download
memory/6024-355-0x00007FF8F91F0000-0x00007FF8F936F000-memory.dmp

Filesize
1.5MB

Download
memory/6024-294-0x00007FF8FA400000-0x00007FF8FAAC5000-memory.dmp

Filesize
6.8MB

Download
memory/6024-354-0x00007FF8FFA90000-0x00007FF8FFAB4000-memory.dmp

Filesize
144KB

Download
memory/6024-353-0x00007FF8FFC80000-0x00007FF8FFC9A000-memory.dmp

Filesize
104KB

Download
memory/6024-352-0x00007FF8FFCE0000-0x00007FF8FFD0D000-memory.dmp

Filesize
180KB

Download
memory/6024-269-0x00007FF912150000-0x00007FF91215F000-memory.dmp

Filesize
60KB

Download
memory/6024-271-0x00007FF901FA0000-0x00007FF901FC5000-memory.dmp

Filesize
148KB

Download
memory/6024-351-0x00007FF912150000-0x00007FF91215F000-memory.dmp

Filesize
60KB

Download
memory/6024-349-0x00007FF8FA400000-0x00007FF8FAAC5000-memory.dmp

Filesize
6.8MB

Download
memory/6024-343-0x00007FF8FEE80000-0x00007FF8FEE94000-memory.dmp

Filesize
80KB

Download
memory/6024-267-0x00007FF8FA400000-0x00007FF8FAAC5000-memory.dmp

Filesize
6.8MB

Download