d30e6116b08fbad5d83b6e68d1527cb8b9e1b4fcb0202cb84d9203dfca8654fa

Analysis

max time kernel
146s
max time network
149s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19/11/2024, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.html
Size

18KB
MD5

f434cd201bb8a1f0070d10d4d3759443
SHA1

b53d6d5db89b0e2347ef4ec60c313ecb3f061374
SHA256

d30e6116b08fbad5d83b6e68d1527cb8b9e1b4fcb0202cb84d9203dfca8654fa
SHA512

8ad634242ffa9c2bb3ee8c4a3c6005f0bd9d2196316f6502bfb7346dac616e768d6b4de7c00159c9dd05ebc566926f04e74faf7e865f93a2f3b2a2107ed74cb7
SSDEEP

384:M9xiYk+WisJeW3P2L4NmOf+55PpAhE5Q/FW0EcQTctdNHnpUQdgv:UxiYk+Whdnf+55qhP/FW0E5ctdNHpUaS

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
5428	FreemakeVideoDownloaderSetup.exe
5528	FreemakeVideoDownloaderSetup.tmp
5456	FreemakeVideoDownloaderFull.exe
4872	FreemakeVideoDownloaderFull.tmp
5728	FreemakeVideoConverter.exe
6016	FreemakeVC.exe

Loads dropped DLL 64 IoCs

pid	Process
5528	FreemakeVideoDownloaderSetup.tmp
5528	FreemakeVideoDownloaderSetup.tmp
5528	FreemakeVideoDownloaderSetup.tmp
4872	FreemakeVideoDownloaderFull.tmp
4872	FreemakeVideoDownloaderFull.tmp
4872	FreemakeVideoDownloaderFull.tmp
896	regsvr32.exe
896	regsvr32.exe
896	regsvr32.exe
896	regsvr32.exe
896	regsvr32.exe
896	regsvr32.exe
896	regsvr32.exe
896	regsvr32.exe
3372	regsvr32.exe
3372	regsvr32.exe
3372	regsvr32.exe
3372	regsvr32.exe
3372	regsvr32.exe
3372	regsvr32.exe
3372	regsvr32.exe
3372	regsvr32.exe
3372	regsvr32.exe
3372	regsvr32.exe
3372	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
4488	regsvr32.exe
6032	regsvr32.exe
6032	regsvr32.exe
6032	regsvr32.exe
6032	regsvr32.exe
6032	regsvr32.exe
6032	regsvr32.exe
6032	regsvr32.exe
6032	regsvr32.exe
6032	regsvr32.exe
6032	regsvr32.exe
6032	regsvr32.exe
5528	regsvr32.exe
5528	regsvr32.exe
5528	regsvr32.exe
5528	regsvr32.exe
5528	regsvr32.exe
5528	regsvr32.exe
5528	regsvr32.exe
5528	regsvr32.exe
4556	regsvr32.exe
4556	regsvr32.exe
4556	regsvr32.exe
4556	regsvr32.exe
4556	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
2460	tasklist.exe
4000	tasklist.exe
5224	tasklist.exe
5896	tasklist.exe
4788	tasklist.exe
940	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\Resources\ImagesBranding\is-130HM.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\Images\DVDMenu\is-AVMSL.tmp	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\Languages\sk\FreemakeVideoConverter.resources.dll	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\LoginApp\is-G3L3C.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\is-HJJNQ.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\is-LDBRB.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\Languages\es-ES\is-T8JGE.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\COM\1.1\MilkdropPresets\is-JT6DE.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\is-11CJ8.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\is-D6639.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\Resources\ImagesBranding\is-DF30T.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\Images\DVDMenu\is-H52BP.tmp	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241119183530.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\FMWeb\Downloader\ICSharpCode.SharpZipLib.dll	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\COM\1.1\is-CQ3VI.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\Languages\fr-FR\is-6E1UC.tmp	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\LoginApp\runtimes\win-x64\native\WebView2Loader.dll	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\Languages\uk\Monetization.resources.dll	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\Languages\zh-TW\is-OLUPD.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\LoginApp\is-MN703.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\COM\1.1\MilkdropPresets\is-V6QTV.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMWeb\Downloader\is-TEM00.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\is-1DLHU.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\ForFlash\is-L96NB.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\is-TABPJ.tmp	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\Languages\uk\FreemakeVideoConverter.resources.dll	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\COM\1.1\MilkdropPresets\is-GL16I.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMWeb\Downloader\is-3L11I.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\FreemakeCommon\Resources\is-AL8J5.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\Images\Visualization\is-MJL8T.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\COM\1.1\is-LPF7D.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\COM\1.1\MilkdropPresets\is-F19HU.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\is-0EQ7T.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\is-G7QMR.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\Resources\ImagesBranding\is-73MAU.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\Languages\pt-BR\is-3NRMO.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\ForFlash\is-37LUV.tmp	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\FMWeb\Downloader\FmUpdater.dll	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\FMWeb\Downloader\FreemakeCommon.dll	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\FreemakeCommon\Profiles\is-KK7D5.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\Resources\ImagesBranding\is-0OVT2.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMWeb\Downloader\is-EG07O.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\el-GR\is-50PB1.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\FreemakeCommon\Resources\is-2E4S6.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\x64\is-K878N.tmp	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\FMProfileManager.dll	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\SmartThreadPool.dll	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\FMWeb\Uploader\Microsoft.Threading.Tasks.Extensions.Desktop.dll	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\YoutubeContentLinksExtractor\Toolbox.DecipherExtractor.dll	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMWeb\Uploader\is-E7FHL.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\Images\DVDMenu\is-KEKTN.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\pl\is-TGBG6.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-FB05T.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\Images\DVDMenu\is-28PVR.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\ForFlash\is-S9IK5.tmp	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\COM\1.1\msvcr100.dll	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\COM\1.1\ffmpeg.exe	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter\Languages\nl\Monetization.resources.dll	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\is-B380V.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\is-FC0D8.tmp	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\DataCollection.dll	FreemakeVideoDownloaderFull.tmp
File opened for modification	C:\Program Files (x86)\Freemake\Freemake Downloader\FMWeb\Uploader\NewApiYouTubeUpload.dll	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\Resources\ImagesBranding\is-A1ITV.tmp	FreemakeVideoDownloaderFull.tmp
File created	C:\Program Files (x86)\Freemake\Freemake Downloader\FMWeb\Uploader\is-ID59S.tmp	FreemakeVideoDownloaderFull.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreemakeVC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreemakeVideoDownloaderFull.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreemakeVideoDownloaderFull.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreemakeVideoConverter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreemakeVideoDownloaderSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreemakeVideoDownloaderSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1DB4D5B3-08CE-491C-87F7-380365818D80}\ = "IMediaDataAudio"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50ffaa60-daba-4875-8193-c404eb8ee4f8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8f75e71d-6ce1-43e2-a8c2-2ef1a320955b}\ProgID\ = "FMTransformBase.TransformResize.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F8E61A0-49BF-4AF2-B706-CDDA94C2BE01}\TypeLib\ = "{E5CD553D-2B25-48E4-A1A8-E685F79A1A54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE2BE5BD-32C2-44D6-8F7E-81AFDBB3AF66}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9620AAE3-7818-422F-B3B3-73699E27F0C3}\ = "ITextWatermarkTransformBuilder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaSource.DeleteInterval\CurVer\ = "FMMediaSource.DeleteInterval.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaSource.MediaSourceMultiview\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4E4C544-E74F-4896-9F6E-A900AB0AAD59}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMTransformBase.TransformResize\CurVer\ = "FMTransformBase.TransformResize.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22E65E8B-7B25-470B-84AF-60A058C4E9B7}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaSource.DeleteInterval.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2336008-3212-4AD6-AE5B-946F70058E38}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{bc65c060-872d-4256-aafe-e0a882eadc8e}\ = "FMDVDPageFormat Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4E4C544-E74F-4896-9F6E-A900AB0AAD59}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F8E61A0-49BF-4AF2-B706-CDDA94C2BE01}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaSource.MediaSourceContainer\CLSID\ = "{2c69b6b7-7c30-47df-b341-f6e679442021}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b16d8c7d-d69f-4de9-a6d8-805b2141d1b2}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FMTransformBase.TransformResample\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62B3BFE9-670C-4888-B58A-93FE5B084731}\ = "IMediaSourceAudioSilence"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9FBD481C-2888-432B-BAD8-BD4CFED30DC4}\TypeLib\ = "{21365BB8-55E5-4D5F-8FC9-B56D5A1DE903}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaUtils.ThumbnailSearch\CurVer\ = "FMMediaUtils.ThumbnailSearch.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B9901A-E176-409D-A104-0445AE7FF716}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FMTransformBase.TransformRotate	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{677850FF-6078-4A4D-8DA1-BC80C2B519DB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{375BE98B-6804-43B9-BD47-3C86624B8E37}\TypeLib\ = "{E5CD553D-2B25-48E4-A1A8-E685F79A1A54}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1c31318d-138b-4a67-bc66-941651c81bf8}\TypeLib\ = "{21365bb8-55e5-4d5f-8fc9-b56d5a1de903}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CF8DC390-AA77-4989-A7DE-BF06FCE8B18A}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaFormats.FormatCodecBase.1\CLSID\ = "{6870c3b7-4b37-4de7-a5db-f0b51ac0c9b8}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b666a837-ba9d-4894-9977-1037c562a1ff}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a539dc29-fe52-433b-81d7-34d79149e534}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{25B18B5D-F441-4713-9E25-2DCC22A6102B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2336008-3212-4AD6-AE5B-946F70058E38}\TypeLib\ = "{21365BB8-55E5-4D5F-8FC9-B56D5A1DE903}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e70dc386-f683-4abe-87fd-54fdf344d7f5}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaFormats.FormatFile\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{352839CE-8082-4F09-86B7-C6DE1E7215C4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B444E952-E506-47EF-AF88-CAF57EF05BD8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaSource.MediaSource\CurVer\ = "FMMediaSource.MediaSource.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1c31318d-138b-4a67-bc66-941651c81bf8}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{644CC3C4-0600-45A2-8EE0-577D6149CA9F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{dc3e97dd-3607-4915-a2d0-0afbbd73c2d1}\TypeLib\ = "{e5cd553d-2b25-48e4-a1a8-e685f79a1a54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2c69b6b7-7c30-47df-b341-f6e679442021}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62B3BFE9-670C-4888-B58A-93FE5B084731}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaUtils.SceneSearch.1\CLSID\ = "{bd566b56-3483-40ce-b476-d1d28cdc5f2b}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3777ecf9-632b-4580-9963-0e71c60c64aa}\InprocServer32\ = "C:\\Program Files (x86)\\Freemake\\COM\\1.1\\FMVideoConverter.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaUtils.ThumbnailSearch\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3AE9AFCE-7D22-45F6-97E9-3F551E1ACBC1}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ECE1ADF4-FD0F-4B72-B848-8138F480BFB6}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F67ADAE2-607A-455F-8555-FF6E55D64E5E}\TypeLib\ = "{8F935BB6-1360-4F01-89BE-8D394CA9E36C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E7F52AD8-C2F4-4AB3-8BAE-AB1EEBDB29F7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMTransformBase.TransformFrameRate\CLSID\ = "{a539dc29-fe52-433b-81d7-34d79149e534}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{677850FF-6078-4A4D-8DA1-BC80C2B519DB}\ = "ITransformBase"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaSource.MediaSourceAudioSilence\ = "MediaSourceAudioSilence Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMTransformBase.TransformResize\ = "TransformResize Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1898BF5-3C61-4CDE-A901-CAA80516CBF2}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaSource.MediaSourceCache.1\CLSID\ = "{efc4e7e1-4351-4734-bdd3-cca00402e4d8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FMMediaSource.MediaSourceJoin.1\ = "MediaSourceJoin Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7C8D439-92C5-4BFA-BBD1-7BF00B9E363A}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CBE0A0CB-38B8-4BA9-BEAC-C26CB95A5C5F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{a539dc29-fe52-433b-81d7-34d79149e534}\TypeLib\ = "{e5cd553d-2b25-48e4-a1a8-e685f79a1a54}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6F7A154C-8FBD-4692-995B-51913389EB52}\TypeLib\ = "{780B9AFD-5231-496B-BD88-94DC8C9F4749}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F67ADAE2-607A-455F-8555-FF6E55D64E5E}\ = "IFormatBase"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0E6A82FB-E403-482F-9793-14E96FBEF369}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2768C270-27B9-45D0-8C4F-72E6AFE7A67C}\TypeLib\Version = "1.0"	regsvr32.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	FreemakeVC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	FreemakeVC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	FreemakeVC.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 864262.crdownload:SmartScreen	msedge.exe

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	80	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	85	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	90	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	104	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5064	msedge.exe
5064	msedge.exe
4068	msedge.exe
4068	msedge.exe
2140	identity_helper.exe
2140	identity_helper.exe
1672	msedge.exe
1672	msedge.exe
5528	FreemakeVideoDownloaderSetup.tmp
5528	FreemakeVideoDownloaderSetup.tmp
5528	FreemakeVideoDownloaderSetup.tmp
5528	FreemakeVideoDownloaderSetup.tmp
4872	FreemakeVideoDownloaderFull.tmp
4872	FreemakeVideoDownloaderFull.tmp
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe
5324	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	tasklist.exe
Token: SeDebugPrivilege	5224	tasklist.exe
Token: SeDebugPrivilege	5896	tasklist.exe
Token: SeDebugPrivilege	4788	tasklist.exe
Token: SeDebugPrivilege	940	tasklist.exe
Token: SeDebugPrivilege	2460	tasklist.exe
Token: SeDebugPrivilege	6016	FreemakeVC.exe
Token: SeDebugPrivilege	6016	FreemakeVC.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
5528	FreemakeVideoDownloaderSetup.tmp
4068	msedge.exe
4872	FreemakeVideoDownloaderFull.tmp
6016	FreemakeVC.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5728	FreemakeVideoConverter.exe
5728	FreemakeVideoConverter.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 1468	4068	msedge.exe	81
PID 4068 wrote to memory of 1468	4068	msedge.exe	81
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 4832	4068	msedge.exe	82
PID 4068 wrote to memory of 5064	4068	msedge.exe	83
PID 4068 wrote to memory of 5064	4068	msedge.exe	83
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84
PID 4068 wrote to memory of 3928	4068	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\download.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa141346f8,0x7ffa14134708,0x7ffa14134718
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2888
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff79a855460,0x7ff79a855470,0x7ff79a855480
    3⤵
    PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6568 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Users\Admin\Downloads\FreemakeVideoDownloaderSetup.exe
  "C:\Users\Admin\Downloads\FreemakeVideoDownloaderSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5428
- - C:\Users\Admin\AppData\Local\Temp\is-JANCO.tmp\FreemakeVideoDownloaderSetup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-JANCO.tmp\FreemakeVideoDownloaderSetup.tmp" /SL5="$180022,492360,402432,C:\Users\Admin\Downloads\FreemakeVideoDownloaderSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:5528
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C "ver > "C:\Users\Admin\AppData\Local\Temp\is-MC8UC.tmp\~execwithresult.txt""
      4⤵
      System Location Discovery: System Language Discovery
      PID:5724
  - - C:\Users\Admin\AppData\Local\Temp\FreemakeVideoDownloaderFull.exe
      "C:\Users\Admin\AppData\Local\Temp\FreemakeVideoDownloaderFull.exe" /LANG=de /dotnet=0 /skip_welcome locale=GB /DIR="C:\Program Files (x86)\Freemake" /autoinstall
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5456
    - - C:\Users\Admin\AppData\Local\Temp\is-U4S3Q.tmp\FreemakeVideoDownloaderFull.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-U4S3Q.tmp\FreemakeVideoDownloaderFull.tmp" /SL5="$202C2,82389001,402432,C:\Users\Admin\AppData\Local\Temp\FreemakeVideoDownloaderFull.exe" /LANG=de /dotnet=0 /skip_welcome locale=GB /DIR="C:\Program Files (x86)\Freemake" /autoinstall
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:4872
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tasklist | findstr "FreemakeVD.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5828
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4000
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "FreemakeVD.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:400
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tasklist | findstr "FreemakeVC.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5224
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "FreemakeVC.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5884
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tasklist | findstr "FreemakeAC.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "FreemakeAC.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tasklist | findstr "FreemakeMB.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "FreemakeMB.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C tasklist | findstr "FreemakeYB.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:652
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "FreemakeYB.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-CVEBB.tmp\CheckRunningInstance.cmd""
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr "FreemakeAC | FreemakeVD | FreemakeMB | FreemakeVC | FreemakeYC | FreemakeYB"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMMediaFormats.dll"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMTransformBase.dll"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMMediaSource.dll"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMVideoConverter.dll"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6032
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMDVDMenu.dll"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5528
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMMediaUtils.dll"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Freemake\COM\1.1\FMPlayerLib.dll"
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
      - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" http add urlacl url=http://+:11425/ user=Admin
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3048
      - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" http add urlacl url=http://+:11425/ user=\everyone
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3164
      - C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter.exe
        
        "C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter.exe" --AutoRunType=AfterInstall
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5728
        
        C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVC.exe
        
        "C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVC.exe" --AutoRunType=AfterInstall
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:6016
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" http add urlacl url=http://+:11425/ user=Admin
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:5540
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" http add urlacl url=http://+:11425/ user=\everyone
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6090408491549176748,1609787133501903037,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4708 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Freemake\COM\1.1\FMMediaFormats.dll

Filesize
412KB

MD5
c7de33588da58ddd871aeb33d203575b

SHA1
af285aa822611bbe9fcc0c06965600ba81db1a55

SHA256
ecd05fddf8f5a8ad0f6c2e46be8a7c3604095e8b37140088f9c8824f1693a61c

SHA512
b78e04f1350221beaab56a2e649b42f587afa8bf4d617e36c7547b473aade46a651e72509e8833525afc542fb08cdff7f1de3c9dcb332cdb877467eb87cf52e1

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\FMMediaSource.dll

Filesize
812KB

MD5
ed4b352774314f1e90f0b5cd7356ea0f

SHA1
a19da6c47809103a95b1766160440c2faf4fcdda

SHA256
1202fd6d6ad7aaf4b104051a57a16c42a24a84ce3d4ddab2bee232020df53e15

SHA512
2ed3d8dca07887021bd948f5892bb115836219b5691d2ad5967cd8ab936b0c04aebfa37ac69268804acfa1f176842944f11bbf940ccc928ce328f79a15ded0bc

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\FMTransformBase.dll

Filesize
459KB

MD5
769632480c8ddbda1c625da7c31f7788

SHA1
5ca12bffadcaaa70bc169c947e02b03c77905488

SHA256
0ac2636ca9b45cd456d7bcee242db09fe9ba3c2594d52109d7181fc6f5bb954e

SHA512
8dd46b470f36e7398900ff171982399d3f95a3bc1697c6eb1ab96155130a5c73578259598372df08afde41c49b77f3ce54cec9bb6a5b3719de97d001dd40f2b0

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\MSVCR100.dll

Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\avcodec-54.dll

Filesize
13.8MB

MD5
23a378f40b92364e51e7b12cfb0af6d5

SHA1
8224dd82e02a3bb83cb4ed84a6265c370471a850

SHA256
8742fd389e9983594a24d5599e4d8f418c5454f36d2fd8d9cbc07bee08d4ea54

SHA512
529ca2c531626174451cd8d103b442a66aadd87edd5d03af44eadad94b59d9aec0b60380fdbf4aa213544dba7d3b2afa6abd7201484e9072538fbc9fa8b65581

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\avformat-54.dll

Filesize
2.9MB

MD5
7396db8ff8a5977ecd76220d14f0ee04

SHA1
c815b965c7abe368e4f49394b2512eef60dc0ef0

SHA256
8bf698ee1d89f687bf32f4e1ac4908379479456effac70038f949c548efd18bc

SHA512
6442532a793e0b7fb1be1a022ce0d082487bc598085fcd8b10483bb90e5c0010789c580350bed35b69e2759d768138b489b270478b7f2a3b887826062e506a70

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\avresample-1.dll

Filesize
135KB

MD5
6d02a67f1a77371dcf16a3dd70ae3cb8

SHA1
5bdd8a649e35686362ef010420d85eff624d00a5

SHA256
9d23781f9b54a3f37e872ce23df6ac64a695dcadf794d388f9266861ef7f790e

SHA512
bb0c7ddc280d4d518a925e92706d5f567220a07181dedc4c1c3a6a745d567b7461590063304288395fdd61312d121d384568e89e94464ff4937137d9df7f1ea1

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\avutil-52.dll

Filesize
186KB

MD5
97809a2431bcc50fc718e2ced1e306e2

SHA1
a3fcac6a8034ccd9392063f57325051aa067ee85

SHA256
2f2ae85d42415914eed564acda3ffae7b1f3627e871913c0349d73526f3bbf55

SHA512
4ec6c69fabc49d30db9efff9ea72387f4915287b8b231f37d7cb8a062246dfb67c180cc6fbb586bfef95ef0615fe793d2f5167d0aca4cf9068522c3556f1479c

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\swscale-2.dll

Filesize
326KB

MD5
d06d733f491a19bd76379565ffbf0556

SHA1
1125234bc8a4702b515bc0a12c9ca82e9583bd63

SHA256
05cd12a6f470b271cf47bd2637136e8720a00e67668df8d8499f406f0c52ea14

SHA512
e52ff24705db9fcc02571132e4d6debe329031c5c65a70de47e2f163e0c8f6e355d74abb9a24ad3cf888c8e7cf9f3df56df60dba4a87743f362624bf58a97f35

Download Submit
C:\Program Files (x86)\Freemake\COM\1.1\xvidcore.dll

Filesize
1.0MB

MD5
eaaa841ed3c3df66aba354852d2c7baa

SHA1
55e4707d4b66086da1595a93dcc02c6b62affb40

SHA256
8f3ffde67a530df8f5ecaca1ef2e3bf880a94e68b3a7f183f1313343418235ae

SHA512
ccc5ae4c8f4d5882c3140869c9d985f37945014a243aca72a5b7aeb2076686a89bf9b4f76f2d12c5513bc843451e56b3be7e40139166d69b96f435108851b6db

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\Analytics.dll.config

Filesize
2KB

MD5
8a853f42e7c751884e1170cdb3e51c03

SHA1
9070cc71ec48fe79ecb1ad861d98b5e356ebfb65

SHA256
a03cd8e15c36be07d2a24a7350939e6ef729a20ea1b1c9ae429c11aab0069fff

SHA512
6a710052b182fe3b22b15977b5a55fcdb42c18ee965094b4e46df017fd8db25e93d378b696d9232f3c1a3d214a5f32bf4e409ab20bc20b7b440d544f11717026

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-1IAGQ.tmp

Filesize
186KB

MD5
3002e884c5c15a15b68eaef3c62ff254

SHA1
d7e053ac51f562b92fd4032ad769adea7255230c

SHA256
3e71eb02ae8d01cb8159cc5f9ff3ff1976aec5872298ed45310b58f18708eac0

SHA512
0789fb15f8e062ac2af6785a240b9b7d482b5f179fdb2e6b5ef9f841092c1a631b27f3db7738163f73cb609d8f5918fe2bb166731107061ece21c7a18a2a3989

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-45S8G.tmp

Filesize
30KB

MD5
a41a4d6f5059bfb1fde0d5572c2d28c8

SHA1
36111f64e85e595f0ad9d6826dcef3b163d9e6f5

SHA256
0d098ae9db14535359c375101be042a6eaa95e0f659a886832e240e651c3444e

SHA512
f50d1db659c6ef4c623f36482db6e48ef46d737186a35d412adb94def4e14fbeb90ab671c00f50f424ad85e4cbe24c55942131c04592a35697a6251778d9281d

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-54KRH.tmp

Filesize
34KB

MD5
85f6f590b5c4b8c7253e9c403c9be607

SHA1
d5a9db942a50c8821bacd7f6030202c57ec4708b

SHA256
d20552fd5c8c8c9759608a84db1e216da738f5e9f46de9e8a3f39a0d6265cb8b

SHA512
9c78cb444e28618d44e9deb23571fc7bbce268882c2803e0ccc0e84b3e6eab89c6af2aac0d81ef0d2c9fd1e9611cb35334ef3304fb16c5ba0481f6a7273c3660

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-7QT3G.tmp

Filesize
26KB

MD5
1925e1654510ee0914ff3360c6c94765

SHA1
a032c1456dc199189310ef4df533bceeb6c41a92

SHA256
6e599d81a2b8d803ca794c25111fea54c34356c4ed853b926c9ab42a4b0d6454

SHA512
1995a5f16aaa62d23d69022b613362b7cf952059cc9c4fbddfcbe0905b94b02599dd4b5a784344a2b541457ec255b8f38baccb7919f04f323d35b59b2e10d0d1

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-CPSB1.tmp

Filesize
137KB

MD5
dd1a0ba4b324868707bacb85a2507b44

SHA1
ef99a519ad0938ea514733bbecaed914fd14e7aa

SHA256
7ac9371324659312c0d3b8f7c7b5e0b078c8d349ac4ce2c732f776e8f4c4e1b7

SHA512
fdd35f48b6a7c3b306d81467f29d55b51fdb757cba44a92bec48a10a437a22fdba5c4c63e26d6871c7085bc4433287eb39ac79c83c567f59336eb7cb6a2fbfdb

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-E3TBC.tmp

Filesize
2.2MB

MD5
8c7aa0a20f143169699c3d04407ef0a1

SHA1
a7488d0dcd25aa1557e87887ed63c25383ec4b70

SHA256
63789560d1befcf77137b58993d83431d5b151fbc2ec4acc7f8dc25f5509e8e8

SHA512
5d00032a0117938243c2950135457dc5dd644e6c4833a309d9156b3421df8d3941faf43a4c2075d0f7d7a2006e970c9343cf4decd6689a64b27561b723347ef1

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-FB05T.tmp

Filesize
11KB

MD5
56ffff823e568604ba16289b62948462

SHA1
d55054cca1d69831b1f9a8e1b1e5b0b6559d7287

SHA256
08a00ed709c47d9a2674ae62226ed2b4fe0141d70876d79645697d45f006d7f7

SHA512
5c0e469e7d82e8e29cd398d02aa89fda5a4df872ddf499725015cc1f27dd6db41487fd200735acea59b52b5782b800fa6365ae0cc498e1353773255ccb7797b5

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-LEK7D.tmp

Filesize
56KB

MD5
48e01b57a96b02213f639475b1a04f64

SHA1
71d02ad4a470efb4bf6781807176c19f5e856d2d

SHA256
e517458991e84866836b3be402c40d57d2e41abf769790e025a1b76f415f2521

SHA512
37d95af68d9ca9145bbe630594df1b3f2da6e49de6cecf906f61b35df2ba045b74b5b603338028c7c95811ee829b7f8c2809495af22afefb9cd5ddae5dd7df0f

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-LKU30.tmp

Filesize
367KB

MD5
313defd8ed9a742af1ff8a16fd508f3f

SHA1
ab14db48b983fd431eefb2ad98613ab2ce90cd8e

SHA256
e608a0c3236e6a833a994a3d251d85fb12648b76f834d0d9fd9786dcc613a368

SHA512
462125725a7954bda2032cb4f54324e892869ddd01f9355a13b32d394d70a6e2858a49aa27f8f7770dc9d6d77c4d2da8bde337a1c6cefd63643820914954056c

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-NKN7F.tmp

Filesize
21KB

MD5
8e4e0ea396b5452bed54e6888cb07ca1

SHA1
1a7afcdd7f118b3ef8f1d9761fa71faeee16fd2c

SHA256
dfeab83e6a9555a6c18070c611d868e117fa2fef6f815da26e622feb2e610254

SHA512
e160570f598d5fdd637725a70595a7ddc247c20aed66c031ff9816142231c8ea58c69fef7f5eb8e10120e5e5ad68ececb1b584054832464046209c9e04cc1aae

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-O6JF9.tmp

Filesize
100KB

MD5
fc3bd6e569eca92b5c57aa67b9ccaf7e

SHA1
1ae7cd63a312146d467180ec2a092a109802bb77

SHA256
4a6da21b14f87a4b829ba8a1e6c0857df777b024d578319dda5b2686af8aa10e

SHA512
c1f4698cb4d689f810abc6a0c43040461fcfe80aadaeaa13543e52c20cad8c18a33340e1b071db54e3c97f5773768ec0daca4500f1f8ba19b12b9b86ed9ecb0b

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-RQULD.tmp

Filesize
560KB

MD5
8f81c9520104b730c25d90a9dd511148

SHA1
7cf46cb81c3b51965c1f78762840eb5797594778

SHA256
f1f01b3474b92d6e1c3d6adfae74ee0ea0eba6e9935565fe2317686d80a2e886

SHA512
b4a66389bf06a6611df47e81b818cc2fcd0a854324a2564a4438866953f148950f59cd4c07c9d40cc3a9043b5ce12b150c8a56cccdf98d5e3f0225edf8c516f3

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-T8ECV.tmp

Filesize
21KB

MD5
018841345cfbf45eda4cd1adb74fd68b

SHA1
f9928ef8b78f7cf2d3eb3ec68d28f36c89fff3da

SHA256
acf0e0555afed095cf12f719a3cd0e745435ced2575840a46a40ec61ed632265

SHA512
7dd159dc1d64e49a9106c2f04a46643c9aafb83fc017d4f98f63b63d6317fc4ab370fafb63bb512bfb6b4ec7ef2b2e6b362bb7f035a23dd1046d6dc2499ea5ff

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\ConverterCommon\is-TIL3I.tmp

Filesize
20KB

MD5
d552de7d39179b914db7cc2dbdd005c2

SHA1
044329c6c335224ba05a4e398a5fcb204f13ac36

SHA256
24bd076d31dc9d363eb2adb8b27a7d45d9f975aeec565132d27901537e31f239

SHA512
b82cbd6c4b3d378fba1793858c556ea1fdaa405905686ce219f192d16041e79aa063145c6d469aa7c15aa945d3ef344618fa0996d6611282a8718dd0de77d64d

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\Freemake.Effects.dll

Filesize
7KB

MD5
f3ac305f4d428f1f9c7a1960447c4d29

SHA1
7355215fab1d6a656a235a45f3692bed2ab523e3

SHA256
5acfab07f4ddd5ac67ebbcfb405f2ef821c6733962338e16e0aaeebd79d6a5d0

SHA512
73f58f0f72679c789671d8933db6ce789a7d1f9239aa66c923af372e3f2ef102599bcef845941a5656ce4ba52f6374ea530c12d3deb3070c24ca5d99f773c34e

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\Freemake.Themes.dll

Filesize
1.3MB

MD5
d140626aef5e050670786a254de851ea

SHA1
f67511fe0a4c99c63ec9c383b369d9613f348d7d

SHA256
6c712db15e3085b3c13402c67990082054f31324c1da960a64980e787e78ce0c

SHA512
091b00bcc5c851ed44122adf0ce77a33599454ca856c3666b9211737b64fa99c6fb549b168a31436b6e057ab1fd5ccfba216e2c2210ebcecf886581634b4ced8

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\FreemakeCommon.dll.config

Filesize
1KB

MD5
3697a5a5ac898016cacef26a8cb8bb76

SHA1
91360f7323937f6bd5778bdadec8463d82c887ad

SHA256
9f22124e2d13d66218c40509e4118bb6641eb704ee5389c3701553cc5c0528a8

SHA512
6984a2fde5ea05b96649c9a3bc1aa63a60fcfbc8a3700162ebec33948a6d886e3eafdadfcc7c60777bdfb4de20dde194f482a6e173a0410172eab9e10e715abf

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\Newtonsoft.Json.xml

Filesize
548KB

MD5
928ed37db61c1e98a2831c8c01f6157c

SHA1
98103c2133ebda28be78bfe3e2d81d41924a23ee

SHA256
39f6a4db1be658d6baff643fa05aae7809139d9665475bfca10d37dca3384f21

SHA512
f59387bfa914c7db234161e31ad6075031aca17aaef4b8d4f4b95c78c7a6a8d0e64211566ca2fd4549b9da45231f57a4191fbcd3809404653f86ee2abd4937a4

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\SplitTesting.dll.config

Filesize
1KB

MD5
2d411a37fb5a9fa13dc4a8cee4baad64

SHA1
25026e551b626ac47c06c84269867093daf21fd7

SHA256
44a773725b20dba32f795a2e1672aaa2bdb16d6e283c2ffbd65df90c4a988839

SHA512
2599ea9e3a8ebcdbb5c25c399823cdeed5ff216d13c283ed94c0a1c17bae691ca91e25f8eb0cd65bc4cc61f15daede1e90f5c92d65b3a2b821eb964f83a8aa1f

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\System.IO.xml

Filesize
134B

MD5
aaaeadeccc87f11ab4cb0b3f99cbc8b5

SHA1
b4ada91fc4ca233e22019b71726d0d03a7e15660

SHA256
64581d357f68522f0434eaa8eaeeb8cb48b8cf8f578ee542e2033929c8ecaf16

SHA512
f46ef11572e6164f935f0a78798833d73660a03c900a6fdc8486218668980fd047e05afa749eedafb275a4d87ca189cd01bc5ad847575e1872c72bce44d5527b

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\System.Net.Http.Primitives.xml

Filesize
151B

MD5
6553c6b30bea53316bd2c9114be149dc

SHA1
3433b0f22c537576333d70739638f784379b66e7

SHA256
8b5fe6f65f3cdba25bb72da6d6bd4fd47857d41643ecf47fe1baff59f9a71f6c

SHA512
18e9178c464fd86cd00effb8b43a15fff235c96ca654b468a443baa5cdb0bc1445db0448cd5c0369ef32bf3e125277376f82e881a7e4f19339eaf83e86fa2738

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\System.Net.Http.WebRequest.xml

Filesize
4KB

MD5
2b9147247d97395de92222e26420723a

SHA1
be43e4cb996b20e9a56ef18c3ff74ff8ad8abd79

SHA256
21114128cbca29a451a42c084707da95dd852f54f31aae01f68704e6285196eb

SHA512
05a14b300c83a581c75f2bda273284b91aaafea83f3448a8ab5441c2aef7220bd3b96014a8f269c0d319ebc865c0d09c5bf25c4009217bc5e9ee8999b83eae49

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\System.Net.Http.xml

Filesize
112KB

MD5
2bf947b4b9995c61aa8a427644f602d0

SHA1
128f436aa4ba5770bff46f421ff957133ba1b4ba

SHA256
4ea6ba9d25137b29b906e90d66eb03122d5b850dbe7fb6dd5377cc5b11d5deb3

SHA512
1bd51c6b296a9400834173effee7e4cf98f3ae57914c7b7d293d11826fc5da6fbaf3daf24bc2202993d0dfde85c3e614f32e494ec56b23bed2146010535bc3bb

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\System.Runtime.xml

Filesize
2KB

MD5
8de41e9b6f4432008927db5335531bcc

SHA1
4a318fbcb6604db7d1da8cffbf4dafc8accd246f

SHA256
2f3b0dfcd441ea4ecb4a969747c907c5483b22701cf522e9e9825901f32e45ae

SHA512
26887ad184d8b848280b7a9d20bfa9b498bb4f22944a997650556a271d574805cdd4a7c67f2c023a80830074714e3f87f91f2fa60d23972320bbab51c10165dc

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\System.Threading.Tasks.xml

Filesize
33KB

MD5
e0b469a92184f91bd70be97893d8b772

SHA1
eaa04b4c6e0d66a07ea76112000cc2f728e9ccea

SHA256
0513b870a4197713372f80583b960f511b3158d2fc765f4869634e0ae318a8ec

SHA512
168a5365963be161f560474d1595f7ebdeaf47a8a7755e1b0989c29e5d74da3db5d963bd15655cc7365ce1981bbe485b04c3debd677af17bb7c00de8fa88a021

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\YoutubeContentLinksExtractor.dll

Filesize
154KB

MD5
aef6347d72ddb289802704566d8600f5

SHA1
37dd0e2a210f8f10d7a2cac2d48ef76e541302e8

SHA256
1d982e04633069f680a26e70fe9817e6addd1c96472cf9a8068bc301d58b2a01

SHA512
ddddb0ec8d7c2ac96cd5540191cb74685b15b10cc22f01a115deb316fada62688a9adbd811de9e43d7f2ae24cf115d1d6553c028ab597b4c65c46cc5c8e9ba79

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\YoutubeContentLinksExtractor.dll.config

Filesize
2KB

MD5
87ced3ac4a37a61822632af63f78f08a

SHA1
92a99a4ba8ce1d80ca36bdac022e651efe6b6178

SHA256
883ad6ddbbd931cfdc12e6fb080341779d6a48bd3a3d8f5bd77a7409e83ad013

SHA512
72c83e96d02b4bd12d7bcf703d98b1cdc116ebd07ccf562e5e0a5a19a49ae383e48d933028b60383bd2910fbf840671eb07f9ae3dda1648aca7da1bd41fe741c

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\is-0FLSJ.tmp

Filesize
19KB

MD5
a2468c49f8df52cdcf46484c9fc6e9fc

SHA1
cfbb534cda1bf49798b57c0b8a282e0fb62d7a3e

SHA256
1b6dd658beea901a1ee26142a2be60475c5bd168f7ccfe1e68dcb133934e9b9a

SHA512
35998afb3c19096a8149b38ff5c27d8d2cf89ea22ccaea70fbe6700fd16199b08bc8943684ab4c0848b9cd7ec8d534f24e7dea428ea0808e954ff32e4a5f4c6e

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\is-4V8AS.tmp

Filesize
28KB

MD5
bc934aa2d439fd6270781bccc96aee99

SHA1
b88aab76d73798801ea2f91c1bf00837e11a0790

SHA256
e301057b2b067cd80be10b69a92a8130262c938b937dd0de07a2110f40333c31

SHA512
7e733e227aa9b939440809468bf13933593baead50d581222f2609907ea35c19636eb9ec4fa7b78fce562fc066056bdcec3aa42cf6e36e63d977632ba882b0ad

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\is-80P1S.tmp

Filesize
2KB

MD5
4b6e75d7e279366baa742e583ce67d92

SHA1
1ca1c479a9143e2fff78ec6606df187c7e60e53a

SHA256
d0f1a3b3c161971280ed90f3b8b77a1018bcc5f8302ebd4bfb01c3fa3d50a7a7

SHA512
6efac695278fc675d6d6f0edc20b020c9b7b409b6abafb021ed5761e2ee4b1f348b4a3677f97397cd4177271e5dd51212bac6666cbfed4213502651c5a4b7298

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\is-ANHPF.tmp

Filesize
152KB

MD5
eb4010e0f4c56a1f094177a375a390f6

SHA1
5580b0fdcb3433f54b544f50646520bf3fc4320f

SHA256
620301287a5ea6681208c31751f5faa2929c8a8205ea98ac0623004537ef82bb

SHA512
f97fc046617a7e07056eb2f909cfc48acfebfdb28c51c18f93d9218b8e60cd4cde53fe9c3475d7d63401460881bf9a8b55b1832c030000be5e7185a5f4b90c60

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMCommon\is-P3NL0.tmp

Filesize
8KB

MD5
bcc67ee7f9027f21870c2eb04461810f

SHA1
bf9b45492900c2350a71385a593c0f8426ffaf43

SHA256
6f304f8a2f4515c790f4415fc115d86800f10b49e6ff7f32a3146169ff1ebf42

SHA512
4fc33f987eed26fa42caf5ccb59d04d47ada5bbe74169b77b32334d8a214d2b0dc733f1ee084455be0285a0c978e36e2e295859fbac93035378d0edb57979d14

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMWeb\Downloader\is-ER72T.tmp

Filesize
432B

MD5
1f3aba959f7a154afb38dffb9068f028

SHA1
76d525771144cff4f89dc63ad5885d28752bade4

SHA256
85bc6b1493da8cba9ea57f9328a4066e8c5ace3b6fe8503244c5cd05f1ef000f

SHA512
77c38e7f3c2abac0e66321f8cd9d8046fa6df6699fb7e7417e7a9dc8765b0c6b0824e895617d6915e49293ffa115ae29ab318a18207aa9551dee871152c1cf41

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FMWeb\Uploader\is-F5EM4.tmp

Filesize
36KB

MD5
d01819bfe03222dfa9e35a36555b6b6c

SHA1
25f8069590b14724f28e6a04b8a42e4ef4a8562d

SHA256
5f29e16edff5379e93d5be9bee4cddf98132b84326027688511ac0f3157aaf94

SHA512
e63901f39315972e446768f2c14b4279cf1dd382f97ac90c444c4d858c2a486736a259c47245026b11e5c0846310e7da020bf2466ea91aa0a15d22cb67b37477

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FoxSDK\msvcp100.dll

Filesize
411KB

MD5
03e9314004f504a14a61c3d364b62f66

SHA1
0aa3caac24fdf9d9d4c618e2bbf0a063036cd55d

SHA256
a3ba6421991241bea9c8334b62c3088f8f131ab906c3cc52113945d05016a35f

SHA512
2fcff4439d2759d93c57d49b24f28ae89b7698e284e76ac65fe2b50bdefc23a8cc3c83891d671de4e4c0f036cef810856de79ac2b028aa89a895bf35abff8c8d

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\FreemakeVideoConverter.exe

Filesize
2.2MB

MD5
d274b10ec6533bb47e2eadc03c96bb09

SHA1
76064534d1a124648ea258475f6cd69ec7cae9d5

SHA256
bf274a674bac240ac2c241ec73db1ed99a37c4fc326686fe0b8d4a0e99426be2

SHA512
886eacb400d72da239cb38f4ea5721b31544c51f90dc1d69c9f6b43804fb6e65b320612ba629bf669d0ddd6dc438f62e2fac875058e93b052d71ea90b85680a6

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\YoutubeContentLinksExtractor\is-38ELG.tmp

Filesize
21KB

MD5
7f86a47acd4d810ad673af81369f2f26

SHA1
cea8da1478f2dee41ed2ecd2059b73d1c161734e

SHA256
9c8b87e9a950deb7f28752f875ea82f1b55a70996ac8c12073fcea33664b2048

SHA512
372a61489665bd37c552c383faff971fdb2d581d45664a37e5d58dbd894b26b5cc8403800a559f489bb4fa47f088e6e06553eca65efb16ab9867e5a80a0a7aa9

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\YoutubeContentLinksExtractor\is-NUA95.tmp

Filesize
17KB

MD5
331547bed3e1134a8436f3640c584ceb

SHA1
e4d56207cc0f93333db9578bc5b2e98c679237bd

SHA256
3cd619421cca68442b9a0ced2bd31a8b65a60af06ff3a74496a03365a19fa5a7

SHA512
7417c489ad3c903de0668cd292c5240ae325a510b515475f4b25566d04e29b6c5b2ea1018a2e6019b05b0e5f3ce440e58ff4b752ed2e9ee93ef139e2299d0b35

Download Submit
C:\Program Files (x86)\Freemake\Freemake Downloader\YoutubeContentLinksExtractor\is-R54HR.tmp

Filesize
244KB

MD5
ccb2ac887c8bdc31fa9e7925b30876dd

SHA1
75de1482d2372d70abc558118173e2c05ba7dc4a

SHA256
abdcd54564e6c8c41967a9045b2f08e092d8c2dc7972bbca2b0ee9010a298ac7

SHA512
a74214d4e7668ad8faa561f2b6abec713393faea4d69d4f312567cf82d978608a04f2e1eb8a82d92824dac037a1f3bb6e0b271ae285e95e457ea109c5fdc9613

Download Submit
C:\ProgramData\Freemake\FreemakeUtilsService\ErrorReporter\FMCommon\SmartThreadPool.dll

Filesize
63KB

MD5
2408b57571f3669792ee4fcfdae033aa

SHA1
fc0d388e62ce3a89e0f4b73d547a4aa7081fad4f

SHA256
f3529ca5a5df91d24ed71e669277b5b34e339bc6de0b8964e059821ef54c873f

SHA512
699b3b9852182569a4f3bd061354ec82c0b5b33400572a065f66e16a938e28eba2efb35c89c22f540cfe698cc6c77220648f53edd6aa12de870f43d60480b836

Download Submit
C:\ProgramData\Freemake\FreemakeUtilsService\ErrorReporter\FMCommon\Toolbox.UriTools.dll

Filesize
21KB

MD5
651a1511aa7bcdcc1ffb0282fcdc7714

SHA1
b6d548796523f3ae53c127f9639bdb4119f74bca

SHA256
954538083d6a3228cbaf19f780996ab6bea3768ffb74ef305659270f982d9430

SHA512
4c20a84300810b77b8b19ba4aec5eb4f684fd68ca77327d5b79b555f887b62b48c931b25df8886f6a1343a2c3ee17f0983676751c0d9053c9fb7c6ed53e1df24

Download Submit
C:\ProgramData\Freemake\FreemakeUtilsService\Statistics\Targets\Icons\fvc.ico

Filesize
281KB

MD5
95ddd8decdca7098fecdad7b3c55a273

SHA1
3af0fa53985bb3aca30a15477d47913b86c68212

SHA256
16146ebc922ae259fca5c01162af03552e6ba390a549812905abef8917a5bb38

SHA512
aa537ed5b6c5b4a985209c06c54906f3a6564517381c56314aec11e66a7bc0cbd70424163590db141051dc3fc56c5e422a7ae4d6fcd93abad318dd84f4534f55

Download Submit
C:\ProgramData\Freemake\FreemakeVideoConverter\SummaryLog.txt

Filesize
2KB

MD5
a5f9f0f313dae99e68dc15fecc9f8eac

SHA1
34a8850fa177219fc28b1a4355baa2d96dbb244d

SHA256
138759a1332a79eafc8cba178561ed57c4c4283f4e9fce0690254509d0aba1b6

SHA512
99d5f53e98310f7df18a3bc598fae1d286d56b72b4bce577d07e77fc1468f4dbc5633a86abca5f71c601c0e10da11ed3d107b7a2884db47dcc9457048fdef7ee

Download Submit
C:\ProgramData\Freemake\FreemakeVideoConverter\SummaryLog.txt

Filesize
4KB

MD5
bbc465eac06bc83800ccae0bae44a218

SHA1
ae88cec0e5536ab204ec7b5fcfbd601cf004b94c

SHA256
466be22abc19b61e1f35dd0fd2e4aed00f457356236ba42096b0d3ed9321a962

SHA512
55b015abc4444da9274612268a9579caee75a1832266e3d7079ef8de759e20b6811ba41aad76abe57f6ba5e4c15130480d45b8ea2be0fc6c1e380fc5d2c3795e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
467bc167b06cdf2998f79460b98fa8f6

SHA1
a66fc2b411b31cb853195013d4677f4a2e5b6d11

SHA256
3b19522cb9ce73332fa1c357c6138b97b928545d38d162733eba68c8c5e604bd

SHA512
0eb63e6cacbec78b434d976fa2fb6fb44b1f9bc31001857c9bcb68c041bb52df30fbc7e1353f81d336b8a716821876fcacf3b32a107b16cec217c3d5d9621286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cc10dc6ba36bad31b4268762731a6c81

SHA1
9694d2aa8b119d674c27a1cfcaaf14ade8704e63

SHA256
d0d1f405097849f8203095f0d591e113145b1ce99df0545770138d772df4997f

SHA512
0ed193fdcc3f625221293bfd6af3132a5ce7d87138cd7df5e4b89353c89e237c1ff81920a2b17b7e0047f2cc8b2a976f667c7f12b0dcc273ddc3b4c8323b1b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
919B

MD5
8c2258b60dae78352522292d3ccf2201

SHA1
9250ad111c15b6e379ff1d9100df65d86ad55e5a

SHA256
8920eace6ee7d44182784e87637193db8219c18d541d6c003b7997b9b808def1

SHA512
980bbb4402dc0401ab3f753b242b5085e8cd0357bec14ecc7083944d25cf44cecb9a13dc71a0065f1016b3ae968890f1bc9a3ca23fdfd388cb09600d0410cac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58751b.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
70a32e105d25e126847d2a4d2284f8dc

SHA1
78dde0e86c25c1843c3a8bbe5aa1ae14b1254f08

SHA256
88d8d2fe99fa4e317b5e9301d5dc1bde346ab3bc3f43d40113e917ea2b27b4e0

SHA512
c110dd3af5f36a26261a96faa3f83da1a295e550a007e7dee4a6220cd01d57d198906cb4e9ca883aa1c785497b7f8274ef59026428f2839a1d236591d653149f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9dda6c7b001471ff34d66b03eea714a1

SHA1
d6ea76879ae98495ef27cd5eea89ffbf58caf4e1

SHA256
9e900b0cd395ddc913b4689f0d4140a60b7f85ee51e5f5f814b9bc1bf6afe9e5

SHA512
be44e5786580d793397b5055c33a0d3eec0cc032191776ad347654816ed2629a4622adf3045a1c23af7b4f062940dcf217345753a03ad2775adea33725ee4d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0e280c7eac2b5ee42b79cae1eadbac74

SHA1
1cf0bdbfacf3d35d7217ed928e0904eb43f7dee8

SHA256
335955a36e46271097ca63e267977c25251c4c0a03ebf655aa161ae202d926ff

SHA512
b4ed2f4fa5a8675b64ed607cd3f9bc63f1e34eab78ae7b8f437157504be5206d39a0380de8f16fa75cca4ec9f70bb8e9c1f9fa4d77c34e5bd45ba4e009836e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
66e032fabd20a7dbe699beb8e9ab89a5

SHA1
b2292d606bdc01887e020c421b019d8c57f6d516

SHA256
6199102c0393eed442e49adc1fb4b2b9ca29bf52f23de83bb80bacb48daa3fe5

SHA512
4b2a2165ec3c0cd7e9db19d4d77f8d524ed9636eb6bc2c9abb530c774a9b720ae9f2561069a95ebb0f12b9e11add5d89f1c60aa81625a0da0ca350aeecf8d529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3b964859deef3a6f470b8021df49b34d

SHA1
62023dacf1e4019c9f204297c6be7e760f71a65d

SHA256
087debdcfba4666c03a5ea699e9bb31cf22ef4e0fad7c961cb0b500e5d262fb5

SHA512
c30b7e1b28820a5815b52634b46cb210c241704e33e41304400cb3ed29e82ec547a1068fc819350b368456bcabd27034afade5add3251dc74e4174f51b6c7adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5c2d5c900312f44e72209416d45723cb

SHA1
68fb8909308589149399c3fb74605600833fbbc1

SHA256
56f7a77549e5fc45bd4b1f7c2db3e8b4bd1dd9234545207613a80342cee8e7d8

SHA512
07c2920cff7c1125e3a2fe66bf21d8606a1f2a3d36be2d8e136da0d2a21130242ac8324f18cedfb0040304cf804815861767c969a6923d8db851312bf9b4348b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
66412027a3634cd302dfab2950d39652

SHA1
4171db97a5d272f42ba92b5f6437160bdfeb048c

SHA256
47157bb269dfdcc7373c8ee707b296e727ddf86dfa50d403317200bb5e28b4eb

SHA512
bdd9f0b6e5090319cd72687210ac970da44c15e4103056b3ef48f1c0fe0ec43ed54e010db466e051eb4f3ce05994adbcae73cf2fda0afeefca9c2fa9ad3c8b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dc85.TMP

Filesize
872B

MD5
4f988d491b78477711d7d62be7e1c08a

SHA1
7722dba480951f79f726961a3eb0bff8b29d5356

SHA256
53bc3508c71bb1af753f80748eea642f2bcd9a24cd3dc560ba89f3cf797ea054

SHA512
25e967854d787e7273b75cecd223476603b481a2f05e15af870975fe8954a4e6875d3e7189591dcc20f22f6e9444ee1e57e83b60f4c96f252bf6211e574cb028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d8bd9a1e3930f7c37fdb32e9d5eb26f

SHA1
b8ef63ebbeedf5012fc3d07d4c1baad8bdbd0783

SHA256
ac6920af306f87de670c9df530af61aebf940ebf6d3593f4c2d368ffa0a9ab99

SHA512
6ab4d34b450accb50f67f12324f661ebf076d8659cfdda066c5cf3205a40e1c5ebca89c3e08f83dd46bab7c2fea44ceccceb0cc985e69854b7afe9d0461c2ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ca0981a1b43c6daa2750ecb7e4997349

SHA1
3f10efb25f04a81617a7eaef9260876377efab15

SHA256
7b7b3acf8b1c16ff85bb701914997a3eca95e07544c6ce3084aefaf3b9bd39f9

SHA512
520a83fb70ad2ab739c8c08224b2be03bcf6471e982eaf0fe41586da868b30eadffed4048023a0e08fae8c5459f3fe33ca840bf7b622650f1067b7fc350348c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7eb2c6360a08ad97afbdb4c59c1e216b

SHA1
acf317119362b9bea44d435aa13ede414605b9d5

SHA256
cdb0007fc3378de2db2ae32ba50c1773605b79ccc1a5d5e548781a4a041aff91

SHA512
acb21fe330352fa6b2cadb044b9e10305bcee1da1725564fdcdf610f2c38594940d388e5ed53d9c4eb0de86649e66e9222cbd5d4b9dd107e33bb5acde88779ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e08cb522960c27c86416e94f1f95733d

SHA1
317abce2ab2c36c0a2310b8aa16a28f814456fb8

SHA256
c47ab2fe986f8280e296c9a3197b2357f289f28f0ee33ccad1456475f036e881

SHA512
e74e8f629dcd5bee739b610357ef9c8f7498864a51d3d3b916542621bb71248838a311f0f71aff2ac754a587b0b8c18872045c1437bb9aed6188942cd3c941ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dfc5930ce9f001892875105461ceeb0d

SHA1
46b388fa1c1b17561dc1d4c2cafc34f53a337621

SHA256
8333102a36aca33d48a489fc056406e036d708e7a11f9def80b1fb5d1234dd91

SHA512
1409fdc728c53e342f35149262a5eb0d5d129fcf8cf948a7c506ddf3e26e9cf6f4bf4683e56d3d2492f4e4018e5e4cf5ee625bbfddea0e1330449b134b57bedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CVEBB.tmp\CheckRunningInstance.cmd

Filesize
96B

MD5
92dbcc7a2f8c552b1f541bd1018b44c5

SHA1
f9956c2066adacbd7cfe80941dabf46a4cc27db7

SHA256
5e314bf3f0a6e062a60d1b009e02f3128132de0206a3d197da27651a3d13fc32

SHA512
d393eb9b228f2ee74172ef28464b5b89daf14abc88135335a5bf364fa7bd4640c3b95c62296c6db15561ee010386a33120cf288446a9ce63a3cee0b3b82b7991

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CVEBB.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JANCO.tmp\FreemakeVideoDownloaderSetup.tmp

Filesize
1.4MB

MD5
7e4aa70d53b36013428377346e0e268c

SHA1
b45756feef67b76d1d0caa459f035c3c115d4b0e

SHA256
642553254d18fbca9150d18b8189a502fed5f9e625a7fc58d3aafabb16a76893

SHA512
1b23c1f532327c3006225f345251a907875699c063bc3a47843b8ceb67b473f5404d4df50543a15d6fac002c7109eaa155c0f00c017182b93d71208e6e3180b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MC8UC.tmp\freemake_dl.dll

Filesize
131KB

MD5
24bf0df17f94127377b47ba8df4d4468

SHA1
f213ae3a0e07666a49a54072fbc6fbb8f32f99c4

SHA256
8ec2f4b11c49b3d44f4e381b61c3a33fb2fd15559760412b94a9ac899c8d78e0

SHA512
ad7ddb2f4e2920ef5646b43a6f5c6e90bf61e427fa3f4a99ddd364f28587532d65363599fe73dbb0464954d3670e5a3e2fc7f1e57bd541491e02e748b7a274df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MC8UC.tmp\itdownload.dll

Filesize
77KB

MD5
b4efe1200f09cbf02f0d2ae326a84f3b

SHA1
83102a7f5465a14c78d04ca6d8703c68a5c599ce

SHA256
6bd9984dd28ce8cc13e8eb3b5ee9f6c8a6967e3b2288918665e2ae67fa1eb56b

SHA512
14c83df5ca8ce92efddb07bda1c6fff9cfbbfb1348ff6c2e6b523110bb1fd10023e09986bc7967824a5cf37789080d81f2a5deedc3df3925825f73e2a87b52a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MC8UC.tmp\topRightDownloadIcon.bmp

Filesize
9KB

MD5
f3a771c57b8ecbb89354e866513902b5

SHA1
b3d1920b61ebe63e1d1575ba94bf27d553cfdc59

SHA256
e365f80c415082488fb23de1f932bd29db50db2bca558a5072f5c393a14971a4

SHA512
d03d3021ac926df330ee072456c5aa2a489d27dc31a5065a36e67b8c5909e00c46a009bb7aabed890e30a4b4ac1530b225e4f2bf4000f334cc6bbf63df42a14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MC8UC.tmp\~execwithresult.txt

Filesize
47B

MD5
c5b83dee12bc94cbc0e32815a41e0498

SHA1
e06549e4e4439432235736e3f95bd03a1e69ab92

SHA256
cd99d2e7e385692156c1190867fe1a37bd31dea83becfb3f202fdb108f3aa3bd

SHA512
11dfc3c6f84e97ed93b5f23d7cf00dd3e6e234ea8c997df37c07d658e2041013b50ac70d1960a885359591cb1821bf7aa1c804ea63557f3a106383b1fe0cab1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
bd0ae684fcb39f1e5c213d0b82b52bf2

SHA1
ea8ab85f84756b498a2c6c9049ce307602abbe63

SHA256
2c49117ff13054d58d624e8c749d575fa0d5da0c578c3832d15907285ea5a2d3

SHA512
6752e5ce89e2528340fe59947a840d9e7861e21030cad141165e7e08bed2c376538a0845c0310d83dbcf90ddfa5d9c660b3ccbfd2c1898c25fc4e702fa05b506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
dcb6b34c7e6d03e89f4952f7da3d2dcd

SHA1
de85fc0126610d9a8a1414dcdff9d8151b0c9639

SHA256
f157b9eeb8b1605bd72393b470e65327f508995622b3272d7275f8b33d6c1b3f

SHA512
9dfc7ce1501f4268642a8ca273a92b73b80ce4d763dbe923fdeaab76a333779a669a638dda24b3be5563eadb2666b74a950d9d554245c2492505be3c0ccf054f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 864262.crdownload

Filesize
994KB

MD5
41520f0631750de46e74bb300dbc1c2c

SHA1
92df15f89e9b30f7590b33b5efd378c1ef7423a7

SHA256
6d6cce486cd9fab7e4e1c1f9ebc7b69ac2f9dd7c2dc2377f13fe9eb991483145

SHA512
f7cabf19674a32c196bba7314da5c1ba69d34d0a0bac9e6ae06764804a4748901ba0a24bd7bb0c82fed5dae8c71a58d5a16cc74aa704608b89061dd9f9734a48

Download Submit
memory/896-1738-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/896-1775-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1742-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/896-1740-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/896-1745-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1748-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1747-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1749-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1733-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/896-1736-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/896-1737-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/896-1751-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1739-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/896-1741-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/896-1744-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1750-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1754-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1743-0x000000006A0C0000-0x000000006B4CD000-memory.dmp

Filesize
20.1MB

Download
memory/896-1759-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1770-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1769-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1774-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1773-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1772-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1752-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1746-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1771-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1768-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1767-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1766-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1765-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1764-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1763-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1762-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1761-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1760-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1758-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1757-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1753-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1756-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/896-1755-0x0000000069900000-0x0000000069BEC000-memory.dmp

Filesize
2.9MB

Download
memory/4488-2298-0x00000000626C0000-0x00000000626F5000-memory.dmp

Filesize
212KB

Download
memory/4872-336-0x0000000003C70000-0x0000000003C88000-memory.dmp

Filesize
96KB

Download
memory/4872-1735-0x0000000003C70000-0x0000000003C88000-memory.dmp

Filesize
96KB

Download
memory/4872-1734-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/4872-363-0x0000000003C70000-0x0000000003C88000-memory.dmp

Filesize
96KB

Download
memory/4872-341-0x0000000003C70000-0x0000000003C88000-memory.dmp

Filesize
96KB

Download
memory/4872-340-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/4872-362-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/4884-3335-0x0000000011000000-0x0000000011065000-memory.dmp

Filesize
404KB

Download
memory/5428-331-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5428-229-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5428-270-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5456-311-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5456-339-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5528-330-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/5528-296-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/5528-297-0x0000000003C80000-0x0000000003C98000-memory.dmp

Filesize
96KB

Download
memory/5528-271-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/5528-242-0x0000000003C80000-0x0000000003C98000-memory.dmp

Filesize
96KB

Download
memory/5528-272-0x0000000003C80000-0x0000000003C98000-memory.dmp

Filesize
96KB

Download
memory/6016-3659-0x0000000009690000-0x00000000098F4000-memory.dmp

Filesize
2.4MB

Download
memory/6016-3621-0x0000000005A40000-0x0000000005A54000-memory.dmp

Filesize
80KB

Download
memory/6016-3624-0x0000000007EC0000-0x00000000084D8000-memory.dmp

Filesize
6.1MB

Download
memory/6016-3625-0x0000000006D40000-0x0000000007097000-memory.dmp

Filesize
3.3MB

Download
memory/6016-3626-0x0000000007150000-0x00000000071E2000-memory.dmp

Filesize
584KB

Download
memory/6016-3627-0x0000000007120000-0x000000000713A000-memory.dmp

Filesize
104KB

Download
memory/6016-3628-0x0000000007230000-0x0000000007262000-memory.dmp

Filesize
200KB

Download
memory/6016-3629-0x0000000007110000-0x000000000711E000-memory.dmp

Filesize
56KB

Download
memory/6016-3630-0x0000000007140000-0x000000000714E000-memory.dmp

Filesize
56KB

Download
memory/6016-3633-0x0000000007210000-0x0000000007224000-memory.dmp

Filesize
80KB

Download
memory/6016-3634-0x0000000007290000-0x00000000072A8000-memory.dmp

Filesize
96KB

Download
memory/6016-3635-0x00000000072B0000-0x00000000072C2000-memory.dmp

Filesize
72KB

Download
memory/6016-3640-0x0000000007A70000-0x0000000007BCE000-memory.dmp

Filesize
1.4MB

Download
memory/6016-3641-0x0000000007940000-0x0000000007968000-memory.dmp

Filesize
160KB

Download
memory/6016-3642-0x0000000007970000-0x000000000799C000-memory.dmp

Filesize
176KB

Download
memory/6016-3653-0x0000000008F50000-0x0000000008FE0000-memory.dmp

Filesize
576KB

Download
memory/6016-3654-0x0000000008F10000-0x0000000008F32000-memory.dmp

Filesize
136KB

Download
memory/6016-3657-0x0000000007D00000-0x0000000007D0C000-memory.dmp

Filesize
48KB

Download
memory/6016-3658-0x0000000009300000-0x0000000009376000-memory.dmp

Filesize
472KB

Download
memory/6016-3622-0x0000000006000000-0x0000000006234000-memory.dmp

Filesize
2.2MB

Download
memory/6016-3661-0x0000000009380000-0x0000000009396000-memory.dmp

Filesize
88KB

Download
memory/6016-3660-0x0000000007CD0000-0x0000000007CDA000-memory.dmp

Filesize
40KB

Download
memory/6016-3663-0x0000000009560000-0x000000000956A000-memory.dmp

Filesize
40KB

Download
memory/6016-3664-0x00000000095C0000-0x000000000960A000-memory.dmp

Filesize
296KB

Download
memory/6016-3662-0x00000000092F0000-0x00000000092F8000-memory.dmp

Filesize
32KB

Download
memory/6016-3623-0x00000000072F0000-0x0000000007896000-memory.dmp

Filesize
5.6MB

Download
memory/6016-3974-0x000000000BB80000-0x000000000BBD0000-memory.dmp

Filesize
320KB

Download
memory/6016-3985-0x00000000093E0000-0x00000000093F2000-memory.dmp

Filesize
72KB

Download
memory/6016-3986-0x00000000093D0000-0x00000000093E0000-memory.dmp

Filesize
64KB

Download
memory/6016-3987-0x00000000095B0000-0x00000000095BE000-memory.dmp

Filesize
56KB

Download
memory/6016-3988-0x0000000009B00000-0x0000000009B08000-memory.dmp

Filesize
32KB

Download
memory/6016-3989-0x000000000C160000-0x000000000C1A8000-memory.dmp

Filesize
288KB

Download
memory/6016-3994-0x000000000C150000-0x000000000C158000-memory.dmp

Filesize
32KB

Download
memory/6016-3620-0x0000000005C40000-0x0000000005DBA000-memory.dmp

Filesize
1.5MB

Download
memory/6016-4003-0x000000000C2D0000-0x000000000C2F0000-memory.dmp

Filesize
128KB

Download
memory/6016-4012-0x000000000C9F0000-0x000000000CA56000-memory.dmp

Filesize
408KB

Download
memory/6016-4013-0x000000000C520000-0x000000000C528000-memory.dmp

Filesize
32KB

Download
memory/6016-4019-0x0000000073200000-0x0000000073557000-memory.dmp

Filesize
3.3MB

Download
memory/6016-4022-0x000000000D500000-0x000000000D542000-memory.dmp

Filesize
264KB

Download
memory/6016-4023-0x000000000E390000-0x000000000E494000-memory.dmp

Filesize
1.0MB

Download
memory/6016-3618-0x00000000031F0000-0x0000000003252000-memory.dmp

Filesize
392KB

Download
memory/6016-4047-0x0000000009CE0000-0x0000000009D0C000-memory.dmp

Filesize
176KB

Download
memory/6016-4052-0x0000000009CB0000-0x0000000009CBA000-memory.dmp

Filesize
40KB

Download
memory/6016-4073-0x0000000009D50000-0x0000000009D88000-memory.dmp

Filesize
224KB

Download
memory/6016-4074-0x0000000009D10000-0x0000000009D1E000-memory.dmp

Filesize
56KB

Download
memory/6016-4081-0x0000000011920000-0x0000000011940000-memory.dmp

Filesize
128KB

Download
memory/6016-4086-0x0000000009440000-0x000000000944C000-memory.dmp

Filesize
48KB

Download
memory/6016-4101-0x0000000012F60000-0x0000000012F9C000-memory.dmp

Filesize
240KB

Download
memory/6016-3611-0x0000000000510000-0x0000000000CC4000-memory.dmp

Filesize
7.7MB

Download