9ab1f0f955d23c0a2a0e3727a9f778bef9057d4b615df3f6194906dac49e2c26

Analysis

max time kernel
93s
max time network
105s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-11-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EZFNLauncher.msi
Size

8.8MB
MD5

c094ae439f4a97409d752fa64f6eab86
SHA1

e607d4616a2262bb245c43269d7c3f769269e5d0
SHA256

9ab1f0f955d23c0a2a0e3727a9f778bef9057d4b615df3f6194906dac49e2c26
SHA512

df8bd4db2130cdf94493caa170801cfc1e273aa22253d33b066db3be56b164c904f54172bb6f60afd131f9459a8e9895d718bb905420f067936862d86ed9506e
SSDEEP

196608:hwrQNEqoCdzOx618QNSi2lfVc6VpvPH62RM7tBIbK1/JuhC:hgcOxvQgllfjXtr8/kh

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 21 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\EZFN Launcher\Uninstall EZFN Launcher.lnk	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season5.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\FiraCode-VariableFont_wght.ttf	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\next.svg	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season15.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season11.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season9.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\vercel.svg	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season10.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season7.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season3.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season6.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\Inter-VariableFont_slnt,wght.ttf	msiexec.exe
File created	C:\Program Files\EZFN Launcher\EZFN Launcher.exe	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\default_skin.png	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season8.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\BricolageGrotesque-VariableFont_opsz,wdth,wght.ttf	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season2.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\favicon.ico	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season1.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season4.webp	msiexec.exe

Drops file in Windows directory 14 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A8C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\e586963.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5271FD18C17C4391.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF03BD0F6887FC49C1.TMP	msiexec.exe
File created	C:\Windows\Installer\e586965.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0FBD095F71622CFF.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF598E584166D8E35A.TMP	msiexec.exe
File created	C:\Windows\Installer\e586963.msi	msiexec.exe
File created	C:\Windows\Installer\{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}\ProductIcon	msiexec.exe

Executes dropped EXE 4 IoCs

Processes:

EZFN Launcher.exeEZFN Launcher.exeEZFN Launcher.exeEZFN Launcher.exe

pid process

1404 EZFN Launcher.exe
5100 EZFN Launcher.exe
5008 EZFN Launcher.exe
1224 EZFN Launcher.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

3588 MsiExec.exe
3588 MsiExec.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

4216 msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

MsiExec.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe

pid	process
1404	EZFN Launcher.exe
5100	EZFN Launcher.exe
5008	EZFN Launcher.exe
1224	EZFN Launcher.exe

pid	process
3588	MsiExec.exe
3588	MsiExec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

msedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exe

pid	process
4388	msedgewebview2.exe
3960	msedgewebview2.exe
4988	msedgewebview2.exe
2284	msedgewebview2.exe
4616	msedgewebview2.exe
4852	msedgewebview2.exe
1928	msedgewebview2.exe
240	msedgewebview2.exe
3148	msedgewebview2.exe
4732	msedgewebview2.exe
2468	msedgewebview2.exe
236	msedgewebview2.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000235a573f571b962e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000235a573f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900235a573f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d235a573f000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000235a573f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 27 IoCs

Processes:

msiexec.exeMiniSearchHost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\MainProgram	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\External	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\PackageCode = "902E236029C1087479870FBC7034677D"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\Environment = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\ProductName = "EZFN Launcher"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Version = "16908292"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\ShortcutsFeature = "MainProgram"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\ProductIcon = "C:\\Windows\\Installer\\{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}\\ProductIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\PackageName = "EZFNLauncher.msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msiexec.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exe

pid	process
3936	msiexec.exe
3936	msiexec.exe
3496	msedgewebview2.exe
3496	msedgewebview2.exe
1076	msedgewebview2.exe
1076	msedgewebview2.exe
1316	msedgewebview2.exe
1316	msedgewebview2.exe
2348	msedgewebview2.exe
2348	msedgewebview2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exe

pid process

4660 msedgewebview2.exe
4604 msedgewebview2.exe
4904 msedgewebview2.exe
480 msedgewebview2.exe

pid	process
4660	msedgewebview2.exe
4604	msedgewebview2.exe
4904	msedgewebview2.exe
480	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4216	msiexec.exe
Token: SeSecurityPrivilege	3936	msiexec.exe
Token: SeCreateTokenPrivilege	4216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4216	msiexec.exe
Token: SeLockMemoryPrivilege	4216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4216	msiexec.exe
Token: SeMachineAccountPrivilege	4216	msiexec.exe
Token: SeTcbPrivilege	4216	msiexec.exe
Token: SeSecurityPrivilege	4216	msiexec.exe
Token: SeTakeOwnershipPrivilege	4216	msiexec.exe
Token: SeLoadDriverPrivilege	4216	msiexec.exe
Token: SeSystemProfilePrivilege	4216	msiexec.exe
Token: SeSystemtimePrivilege	4216	msiexec.exe
Token: SeProfSingleProcessPrivilege	4216	msiexec.exe
Token: SeIncBasePriorityPrivilege	4216	msiexec.exe
Token: SeCreatePagefilePrivilege	4216	msiexec.exe
Token: SeCreatePermanentPrivilege	4216	msiexec.exe
Token: SeBackupPrivilege	4216	msiexec.exe
Token: SeRestorePrivilege	4216	msiexec.exe
Token: SeShutdownPrivilege	4216	msiexec.exe
Token: SeDebugPrivilege	4216	msiexec.exe
Token: SeAuditPrivilege	4216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4216	msiexec.exe
Token: SeChangeNotifyPrivilege	4216	msiexec.exe
Token: SeRemoteShutdownPrivilege	4216	msiexec.exe
Token: SeUndockPrivilege	4216	msiexec.exe
Token: SeSyncAgentPrivilege	4216	msiexec.exe
Token: SeEnableDelegationPrivilege	4216	msiexec.exe
Token: SeManageVolumePrivilege	4216	msiexec.exe
Token: SeImpersonatePrivilege	4216	msiexec.exe
Token: SeCreateGlobalPrivilege	4216	msiexec.exe
Token: SeCreateTokenPrivilege	4216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4216	msiexec.exe
Token: SeLockMemoryPrivilege	4216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4216	msiexec.exe
Token: SeMachineAccountPrivilege	4216	msiexec.exe
Token: SeTcbPrivilege	4216	msiexec.exe
Token: SeSecurityPrivilege	4216	msiexec.exe
Token: SeTakeOwnershipPrivilege	4216	msiexec.exe
Token: SeLoadDriverPrivilege	4216	msiexec.exe
Token: SeSystemProfilePrivilege	4216	msiexec.exe
Token: SeSystemtimePrivilege	4216	msiexec.exe
Token: SeProfSingleProcessPrivilege	4216	msiexec.exe
Token: SeIncBasePriorityPrivilege	4216	msiexec.exe
Token: SeCreatePagefilePrivilege	4216	msiexec.exe
Token: SeCreatePermanentPrivilege	4216	msiexec.exe
Token: SeBackupPrivilege	4216	msiexec.exe
Token: SeRestorePrivilege	4216	msiexec.exe
Token: SeShutdownPrivilege	4216	msiexec.exe
Token: SeDebugPrivilege	4216	msiexec.exe
Token: SeAuditPrivilege	4216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4216	msiexec.exe
Token: SeChangeNotifyPrivilege	4216	msiexec.exe
Token: SeRemoteShutdownPrivilege	4216	msiexec.exe
Token: SeUndockPrivilege	4216	msiexec.exe
Token: SeSyncAgentPrivilege	4216	msiexec.exe
Token: SeEnableDelegationPrivilege	4216	msiexec.exe
Token: SeManageVolumePrivilege	4216	msiexec.exe
Token: SeImpersonatePrivilege	4216	msiexec.exe
Token: SeCreateGlobalPrivilege	4216	msiexec.exe
Token: SeCreateTokenPrivilege	4216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4216	msiexec.exe
Token: SeLockMemoryPrivilege	4216	msiexec.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

msiexec.exeEZFN Launcher.exemsedgewebview2.exeEZFN Launcher.exemsedgewebview2.exeEZFN Launcher.exemsedgewebview2.exeEZFN Launcher.exemsedgewebview2.exe

pid	process
4216	msiexec.exe
4216	msiexec.exe
1404	EZFN Launcher.exe
4660	msedgewebview2.exe
4660	msedgewebview2.exe
5100	EZFN Launcher.exe
4604	msedgewebview2.exe
4604	msedgewebview2.exe
5008	EZFN Launcher.exe
4904	msedgewebview2.exe
4904	msedgewebview2.exe
1224	EZFN Launcher.exe
480	msedgewebview2.exe
480	msedgewebview2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

4204 MiniSearchHost.exe

pid	process
4204	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exeEZFN Launcher.exemsedgewebview2.exe

description	pid	process	target process
PID 3936 wrote to memory of 3588	3936	msiexec.exe	MsiExec.exe
PID 3936 wrote to memory of 3588	3936	msiexec.exe	MsiExec.exe
PID 3936 wrote to memory of 3588	3936	msiexec.exe	MsiExec.exe
PID 3936 wrote to memory of 3412	3936	msiexec.exe	srtasks.exe
PID 3936 wrote to memory of 3412	3936	msiexec.exe	srtasks.exe
PID 3588 wrote to memory of 1404	3588	MsiExec.exe	EZFN Launcher.exe
PID 3588 wrote to memory of 1404	3588	MsiExec.exe	EZFN Launcher.exe
PID 1404 wrote to memory of 4660	1404	EZFN Launcher.exe	msedgewebview2.exe
PID 1404 wrote to memory of 4660	1404	EZFN Launcher.exe	msedgewebview2.exe
PID 4660 wrote to memory of 2008	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 2008	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 1928	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 3496	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 3496	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 240	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 240	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 240	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 240	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 240	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 240	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 240	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 240	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 240	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 240	4660	msedgewebview2.exe	msedgewebview2.exe
PID 4660 wrote to memory of 240	4660	msedgewebview2.exe	msedgewebview2.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\EZFNLauncher.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4216

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7D194E891C031337ABA9ADE8F8E00A9A C
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3588

C:\Program Files\EZFN Launcher\EZFN Launcher.exe
"C:\Program Files\EZFN Launcher\EZFN Launcher.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1404

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --no-proxy-server --lang=en-US --mojo-named-platform-channel-pipe=1404.4656.14969422377632015678
4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4660

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b4,0x7ffa3d3e3cb8,0x7ffa3d3e3cc8,0x7ffa3d3e3cd8
5⤵
PID:2008

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1848,7159754680693083534,8210249038278344156,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1928

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,7159754680693083534,8210249038278344156,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2164 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3496

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,7159754680693083534,8210249038278344156,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2152 /prefetch:8
5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:240

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1848,7159754680693083534,8210249038278344156,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2468

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3412

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4908

C:\Program Files\EZFN Launcher\EZFN Launcher.exe
"C:\Program Files\EZFN Launcher\EZFN Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:5100

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --no-proxy-server --lang=en-US --mojo-named-platform-channel-pipe=5100.1412.2556501023077678088
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4604

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x1c4,0x7ffa3d3e3cb8,0x7ffa3d3e3cc8,0x7ffa3d3e3cd8
3⤵
PID:4664

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1824,5515561117544315976,12526647645038393002,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:2
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4388

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,5515561117544315976,12526647645038393002,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2196 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1076

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1824,5515561117544315976,12526647645038393002,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2560 /prefetch:8
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3960

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1824,5515561117544315976,12526647645038393002,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3868

C:\Program Files\EZFN Launcher\EZFN Launcher.exe
"C:\Program Files\EZFN Launcher\EZFN Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:5008

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --no-proxy-server --lang=en-US --mojo-named-platform-channel-pipe=5008.2524.14546636101891660075
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4904

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1b4,0x7ffa3d3e3cb8,0x7ffa3d3e3cc8,0x7ffa3d3e3cd8
3⤵
PID:3420

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1992,10287979415668408214,253062646695223384,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2000 /prefetch:2
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4616

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,10287979415668408214,253062646695223384,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2052 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1316

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,10287979415668408214,253062646695223384,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2468 /prefetch:8
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2284

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1992,10287979415668408214,253062646695223384,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3412

C:\Program Files\EZFN Launcher\EZFN Launcher.exe
"C:\Program Files\EZFN Launcher\EZFN Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1224

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --no-proxy-server --lang=en-US --mojo-named-platform-channel-pipe=1224.4496.7267068427322406787
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:480

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1b8,0x7ffa3d3e3cb8,0x7ffa3d3e3cc8,0x7ffa3d3e3cd8
3⤵
PID:2112

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1776,3213716794352928690,2237374011461946306,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1816 /prefetch:2
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4852

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1776,3213716794352928690,2237374011461946306,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2164 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1776,3213716794352928690,2237374011461946306,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2576 /prefetch:8
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3148

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1776,3213716794352928690,2237374011461946306,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e586964.rbs

Filesize
21KB

MD5
f1fa019dc83d2950098df6c790572b16

SHA1
cb6a40967f00f5ba77c831fc248387a59ab5e039

SHA256
a53f42a490f0745574d082c8007195324313ba351a38114c029e771a1f7b08d4

SHA512
8bc46cbb39389075b1c3a5d5c1b568e5ef0acfa99cbda2953399ee6d707c0259e08f7b10186772df27b416b229f815c1021b4e4004a416b29a5b557c5e8b51d5

Download Submit
C:\Program Files\EZFN Launcher\EZFN Launcher.exe

Filesize
9.4MB

MD5
4f33ce3ea36ef1f99b6825a86b2470ff

SHA1
baca999aadc039799d779088276704b14b5c665b

SHA256
5f05babffaded0eae013bcea5de6821cb51c82acbb6889c4b01ebde41b3dafa8

SHA512
a96e86906b195d035a824f48f89db9455208dda2ca7ad1d7dc88881cbf6b0649bafea39fa384254aebc23f6a903cd18cf7dda375194390119c0111d901fbc0b6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EZFN Launcher\EZFN Launcher.lnk

Filesize
2KB

MD5
421287a3125b0a1c16ae6daddf2ec691

SHA1
1e66cb8f24d122258aa5fd070151972d8398fd0e

SHA256
0cdec6b9e89fa66415cc1732b3353dd6d6d4b275ee539261f50a2689afe3e35a

SHA512
19fe4294c9516696459ba755f5df6a8a96a735b015f9e773755bb0813fbbf75fe0aff08a327193f5d6f478cbb2dd87116d4781744e66b9888141f7018ca6a781

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EZFN Launcher\EZFN Launcher.lnk~RFe586c03.TMP

Filesize
1KB

MD5
24592585941b6be726f8de44d2daafd3

SHA1
6a86e69e9341534614792e6bf562921d739f2653

SHA256
fbc959f85a61462bf9c4150fa80dbefb02099c52286e3cd3f1cc6cbd80b75b9e

SHA512
f5bad2fdbdd568cd2010efc52c23d52e8f7eea16c28ba4850bfa83b36d623b70d356cb1444db18c45b3a839577fe68fcede771d5ef9e2605059d558134e57924

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
71a6b59e08e25451e52675c842fae23c

SHA1
565a97673954a9209c7a05fba20b89d10b88025f

SHA256
5b96212d3d1347b76c8c1c64b2f7ef981242bedd3b84b766b543d56dbbf8dbd6

SHA512
5cc98eb2aa02e2e69165170451d89dd880893e6b07440bb84fbab6cf92cb558bd58c2235d8d64ff43d380c5e9869827800d310ee67950bb21b498d89fbb5aab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1B53.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7924.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\80baeb40-0112-49c2-a5ad-d1b3c59c2eb0.tmp

Filesize
8KB

MD5
45fee19e131c0750b8cb46c85c4c6d2a

SHA1
647ddffca7a4865b43d5d406f8d889e1446605bd

SHA256
2df24b1043e233952bcb5abbb527d45645fb917336c78f980ee6f787ccc7fdea

SHA512
9fdfb2af153423c707cc2c58e32f73b739ffcb7955bb7a94b852bc8e15e9c9bea0b3f7bce9dd732ef544c69d15c66a50afbd09f2937167735a3e6ec4ecd0a709

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
dc5f4cda8d31b94e596a5be5ad777245

SHA1
e219bda039b171063c91704b3e733c05ca98c057

SHA256
ee919cfab8ccae5cfba37b88a8085630e073ffacecf26855ff538e82f60b6309

SHA512
77e375909755ffed58781c10fbbf518910f7a806d0c49e39b4611544c805b5666eebd293ec92b7b7bd5ee201a37d5d7ad423272e33a936469eb93c20a584de11

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
dce453507194b5d67f829d33fc3b2348

SHA1
ded8d8406c0e22daf2d8da44bd2068197f7b0dea

SHA256
e3ae05df6df05e74c521a2296898f1f3f4a4676905dc4986f7614282e27f3b39

SHA512
dd5725e33debc5ab2520556d8dd28ca1c5607167258031e2933edbc150be30ceb48b7628fd469669e1aa74f67de468231633a38cb1637102c6977e45afad7bd2

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
0a2b0c62c23bbc2e9bb38b97886d09c0

SHA1
8ea027cdd82386798a05b23a841b51d9d2cc57c4

SHA256
301dfb060499b4bfb7a88420207bf918e645cc4bf0386a727b304ec07bbda287

SHA512
4c28442b064a0bfd89f87529ec76626be738d78040af0356c00f990404b5348207f902f7de96d5c112f9d6f2cbbfa41bf1e2289b663af5cd93116d5f35995d1e

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\3664c90b-3bb9-49a1-9feb-a7967c1a88c4.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
61a03904abb6fef6593079c18e0f74e0

SHA1
2dc06f8ea6000d8aabde134b9c8355139d53b530

SHA256
cabe8a32bf4d30ef0a328d9c8cd7fa3c16c103f7db80bcd195dc07e2a6195e95

SHA512
25f97c91ea610dd5b28add1539c8131bad3ef4a8f69a9b25277cc5559f47e4f939a6b505f8b3fcd4e75d399441d5c591a656d5196fa36cab4f94e8e8b200829f

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
e415b1a6783f471af100c043d3b0172c

SHA1
e8d96c8d2caca5cff74fda30fe31156bfe00829b

SHA256
e84d52e085ab6bb1aef8187e8adc228f82bab59963169c0f98b55634efdf4e05

SHA512
8482a811a4b81e0759206b867902de43fe2ee83197307096e4b8128cdab03b29f862fe9d65e7e485ec697a37032d9f93a0dcad4a1b0954320c12d0e84b587888

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Favicons

Filesize
20KB

MD5
5688ce73407154729a65e71e4123ab21

SHA1
9a2bb4125d44f996af3ed51a71ee6f8ecd296bd7

SHA256
be1b822e970dfe1a120d248db7000eaf799bd6531929a1308676c70fe1608d60

SHA512
eb6452b23ea36c39d03ead154185616c13583f12f382cb2456beeb1ba6e5febdfd2a6f1064283cf115ad1c517dbf409777cdacb128e00c9d3f401335db355537

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\GPUCache\index

Filesize
256KB

MD5
4009aacd745ea525f35c58f42bab4c09

SHA1
236e0d9ae23bedacb71676c14e9c0b96c627b014

SHA256
289cca520bd8ab41958b7390bbaf7f83e73717adfd1cb77430557d75104ba566

SHA512
913abc2c3d0fe2c32d675b494e754da88f3caa336bb39ff13092a28cd7edc0ab908b7eb429b1e18b506a5421a469ee6535cbd1de9e520131a7dcfd02bce336ca

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\History

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Local Storage\leveldb\LOG

Filesize
279B

MD5
61c7468a236dcd80f174ca8747119e29

SHA1
34f0e70c492971e3e2361725268423329c7fea7a

SHA256
a85eb0b9a860e118bd3ba71bb19940184215adea6a40ba250e15c66921fd8739

SHA512
a1ead917aa2825fb7f0b0cd5800cc9affa2d50463478eff08975825b1e09ddb5796119f07b441f5248b4d67998800216682b0c9a22df57ce44dc245107d92133

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Login Data

Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Media History

Filesize
76KB

MD5
cf7ac318453f6b64b6dc186489ff4593

SHA1
b405c8e0737be8e16a08556757dc817bd02af025

SHA256
634434e865f1ba1b90039bd5afd8f01bad6d278377106022ea2a9c2d8778d31a

SHA512
b64e484d16222d8de31f53cd60b719b7d855bbc552a7d052e202382bc3013e0edaceb31e3a287f2ea6b7117ccfdb8a56ea9d7da78535d2c606183072ecd084e4

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Preferences

Filesize
4KB

MD5
3802de1604094a297b6db976c0e13710

SHA1
820339f46960367ed5f56261338ba077ef6c7a03

SHA256
2c47492f284c15b1cd1b3ca46fe7f923d19dd3d4558ebb20e1d8a8f47d4f2150

SHA512
0acb7584fb5cd4b70485a02e72c4dff8d979af2101582e3c18a3195c6a3f017e165d5e904e5c48289f3cee2050650ab9d59601a63c2cf5edd3cc76e4b8177c1e

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Preferences

Filesize
4KB

MD5
6f248bad0462e4649ce0b6ae1ffb4e28

SHA1
a8fba983797011bdb365ea089d249734e27f8c35

SHA256
f81ccdb98d3c7d6c84a5c6d7c8ac543927265361dccfe82856f245dc4374e480

SHA512
c4881dd99000095568c99215b10927b6208492cfc0f7a47f7a1e05bb86c023801dfd0ec101b0833792c57d63f654e7a31663f32e280ee21a61a16976d81aa9d3

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Preferences

Filesize
4KB

MD5
e8f57e4e419bc00449a041a607939204

SHA1
6a441b8eec727fafbcd5b17ff093c3d92d5c465c

SHA256
182cae60aa3f2eb22ba58dabc182df8d89bd74a280cbe3a9d53a12a85983f5cd

SHA512
35186edad74fa0c189b57fc0af246251bf31803d4a1eb8fc1f94bc0901ad7d052a94d3de4a21b19c9377137dd44b8c467b8ec0bedf08bad18d7395d1571e42cb

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Preferences

Filesize
4KB

MD5
2d2e744da7d6868026dcb37cb11f918b

SHA1
2ad658261bab12982a4c9293ffa46963168f52ce

SHA256
2a1b9f890e863c26f426cc9657c6599f7674820aaa63cc5fa2fddad58c5797ff

SHA512
eed939877627f19d6788792d6e8f687cdc880c723d1e3dc1980399c8427b01b86eb110e9ed59f87c722365a30f4b8ff62fe7f457bf761ba5e2a377161dad1376

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Secure Preferences

Filesize
8KB

MD5
0155dfd8255ca6d6ecc195194244808c

SHA1
6cfbe2325524aabe2667de82fe317e9bb909035b

SHA256
41d04c9eae3e7ea57649d6293c311925f0ec6f006413a4965d47c1d130478c85

SHA512
a207eae3c8b1d40a9e118cb94174ca67d566aa5e335baa1d153f8e2b4842912fd954d6007f416a146bfd6bb7933b04e837e9ba1745a6be5a6bdf4e58dd126fec

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Site Characteristics Database\LOG

Filesize
297B

MD5
fe5e1caf26a13cbe0cb775ec020e724e

SHA1
1d8a045d94b1059b7a5f2a0c037242e628ff844c

SHA256
35b1f9aa7df39b75851c6ef12a98f7f4b5a70011f87b400b99c5e4456f76e976

SHA512
e07a241675922021ff337b61caf79501b36fb50dcb72f4f79a20f0bb9caf6432b79e260d8f37c0a7d07a41b9056b20f69a977727395ae38de80968abc2b30391

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Sync Data\LevelDB\LOG

Filesize
271B

MD5
cf94ea7b9410d9f7b3e0d06eb5b361b6

SHA1
bad65b2376191164b552ad99ab7173620952f811

SHA256
82da9c1ff510bcaaab8f52d1d151ede78ff1958b9a4f5d867bf707f3eb570855

SHA512
d9e0a41d91ccf2268d40af3dac6fabfc3a96baac980f94051ed5ea0afac5e9787077744bdaf6950ae5446de847f229081b6b4e898c6ccb4cfe67e61b462f6826

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Top Sites

Filesize
20KB

MD5
325ddf165383376a8e530a8288a9fb73

SHA1
f451204bb6f3de9de42f27bd887576b083026e87

SHA256
53eb4fcb3cbcaacd4d94036c9379715990f86185b8ef7fd18cb27665193da6c8

SHA512
edb9c49956741560f40df102b81c3b558b1ae9ce902040f89cecb2fbbf60277dcb73f68d8b7c60340a92c46915828b7a204420292d0a4906ac0e9082943ad528

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Visited Links

Filesize
128KB

MD5
1fc6db98a15c87e8b25ba86f4746d9f9

SHA1
125873ac73bd9b74d9ffe7a3f50cbc71e1a4ea52

SHA256
c4c0071c4debab28723867c0556335425fdd92487856779fcd89dfed7dcea123

SHA512
53e2d89509f422dc5f9262c7daa063d88ef695266f639fc236b8bd0a9d4654cd1de6882f2ad5739f08d42452b8b9f1c4b804be3ab5f88b6038719669ab320d5b

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Web Data

Filesize
110KB

MD5
12aff5c24b1e165da94cc9ddef6d752a

SHA1
345a57b067d6c7561b149b6a7de1d0cf53e42cc9

SHA256
b49ee954c97289b707fcaed55266f7c49720d1c24f4a8872038384155081aabf

SHA512
fd584f3d7e3a5603ff2699e1b4930d6594b0ea09c0a194b7329f44d3d4d2e1e985a42ab512afc1b6a0f35412ef839d35f27fab1f6506e871d74c648c3adb0ae6

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\load_statistics.db

Filesize
44KB

MD5
144dfaaa82df72858197f4ef7ddd34f2

SHA1
e6bbbc5593c1d782e2d23c6ba6a5f5468e7548fa

SHA256
fe2844d9713e3f49ff6e5c6d5e9f3b7af671fe9165cafe01ebbaf61bb1ae84b9

SHA512
5a53b1dfd4729dd2cf7c5fb45b4b15e3b1729c7c7dca1a029b39964a6e0f9435bde61ba5c8e7b859254798fa135264c9814533409e5980159e52cdca2b1a5793

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
2bbf2836a5cdd6fd59dda792fc43f3f8

SHA1
e47392b0b56162d376f14c533ca3150a31860ad5

SHA256
02a4ba992e6d29321c4c88bb8f735db753757d56105e5fe1ec652f15b2f930e0

SHA512
87882252ff75a0b288b64d164185211e3bb57bab8f0135ceb07485b174c21aa26fa526ad082b343fb093c1c5b483d725c882663707bd31f08a9d104e3426aac5

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
bd574b991749a1e6d7d3a28a0af8b5c3

SHA1
ef49727cddf14b53d6d89193e790e264daf01971

SHA256
4fcbc1a8d273024d766976515329a20742a61c73ecf62b2b015b7bdc4c7d23c5

SHA512
a159cdb9e598d28c75bcf1c8a81b1d5dd9d2c3ad01d333c08ca5aa7709dcfcccb95088fbf918f1e0e3d826c19af8319de60948077fbe24ad930ae73c06317d21

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
71b5f2471a739f8acb641be15a76c687

SHA1
bdb00f9bef50f7dad0f5294354bfb0eb2787f1f4

SHA256
339d94968de1dd6bffd728ac7285f33d121d4f3674618825ffbcd856bfff62ab

SHA512
c4c1f0eb78a7c99161feedf6842ef71563e58ac6b9c1b531bcf8defc093f4ed8ee6c63f74f5af12b31c540e407f57ebf7bb800aa1b85b77305f1a747bc4d35ad

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
1a34d715c0c83dba158dadced9db3cbb

SHA1
c507452f0bc71fd37d3b274b3bbe08315129b6c3

SHA256
2a15f06e70c4ae6cec2f99d6670066a3adcc8245f6df78545d676d82be2deacb

SHA512
0aa7456fb4a026ba062f3804e192c2e0214543b2aa12d2d1a1ab5867f719294cd8932e7b9b0caca849cd506c920b7e8bf30145483f490a397acdff964c916ceb

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\GrShaderCache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\GrShaderCache\GPUCache\index

Filesize
256KB

MD5
bf8d2dbaf1db6404581c2aa0af24bea3

SHA1
216a7bee49c04a0ff48dddd5f312160fb51c0e24

SHA256
9e42848c712583684ed733733f2f44cf2cd7b21d40fe912f896bf71052d9f642

SHA512
fc07dde273632488286e7d5af4442ed889d767349a50cd8e472981c58ad702253e6cc3574fc439e9762dfa9064f9a98d6c7b8d6ae6a9356c1adf8338153ddb19

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\ShaderCache\GPUCache\index

Filesize
256KB

MD5
784f4a435d311943eabebe072b76db4a

SHA1
6b869f4d5ead2dbda093d1f9f104c2f6cc8a53cb

SHA256
c04500c1e404ac769de96e4fe524e1a6a8d63d4214f2ab64e25176007dc9c4e8

SHA512
490dcafbc554250c343c4e7fca5d5e52261cace574fc727627b2762cb518017e84e2ea1908d8a08a2930dec00bb4b9b9d29c445b3004ac3affbe237429e02bce

Download Submit
C:\Windows\Installer\e586963.msi

Filesize
8.8MB

MD5
c094ae439f4a97409d752fa64f6eab86

SHA1
e607d4616a2262bb245c43269d7c3f769269e5d0

SHA256
9ab1f0f955d23c0a2a0e3727a9f778bef9057d4b615df3f6194906dac49e2c26

SHA512
df8bd4db2130cdf94493caa170801cfc1e273aa22253d33b066db3be56b164c904f54172bb6f60afd131f9459a8e9895d718bb905420f067936862d86ed9506e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
68a6bbfd42009a47c4dae0aecc924de2

SHA1
01a3b258ec1f6867c3d4298ca518a469ee38924f

SHA256
cd6c6d4d2967ee010e582a9e72e8416799f391e0f9a93c060f67b6728ef5727e

SHA512
f32caee5ec497573bc6f044c2259dd41ae4953710de2384fa53875357bfac47f03b46762828288f8515c1cb12bcb9990cf124d5c3de700cb93e23aac05d4723b

Download Submit
\??\Volume{3f575a23-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1bd4d2b7-7725-47d6-bd03-e0c09fb0ebfd}_OnDiskSnapshotProp

Filesize
6KB

MD5
929763313901bac4cfa1d5c8ade0525b

SHA1
80cc16e2bd3708d0a23b152ba8ef9f3113112c2c

SHA256
1deed71c0915e6025ed3f5ffcab36a060857b705fe0a78186a5ff097e79df7ed

SHA512
7bb79310e09c487339a1c391f2fb308fa268ca4e2ddb8619963707f2ae1380115cba0439357f9b1c909497220264f73ee70d375b2999582c46ccbe33a10d5324

Download Submit
\??\pipe\LOCAL\crashpad_4660_UMOEKMZFJCMWCTYJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1928-93-0x00007FFA5DF80000-0x00007FFA5DF81000-memory.dmp

Filesize
4KB

Download