hxxps://cdn[.]discordapp[.]com/attachments/1285296575316361331/1307787336200880158/RivieraBootstrapper[.]rar?ex=6740309e&is=673edf1e&hm=77bd707f2f3dbdf74bcb80fa9acd084dc9549451c4b44d9b5191c66b043237f2&

Analysis

max time kernel
310s
max time network
307s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1285296575316361331/1307787336200880158/RivieraBootstrapper.rar?ex=6740309e&is=673edf1e&hm=77bd707f2f3dbdf74bcb80fa9acd084dc9549451c4b44d9b5191c66b043237f2&

Score

8^/10

defense_evasion discovery persistence phishing privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
phishing
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 14 IoCs

Processes:

winrar-x64-701.exewinrar-x64-701.exe7z2408-x64.exe7zG.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exetaskmgr.exetaskmgr.exetaskmgr.exeRivieraBootstrapperV2.9.0.exe

pid	Process
2776	winrar-x64-701.exe
3612	winrar-x64-701.exe
4876	7z2408-x64.exe
1448	7zG.exe
1064	RivieraBootstrapperV2.9.0.exe
2972	RivieraBootstrapperV2.9.0.exe
1892	RivieraBootstrapperV2.9.0.exe
3092	RivieraBootstrapperV2.9.0.exe
2972	RivieraBootstrapperV2.9.0.exe
884	RivieraBootstrapperV2.9.0.exe
1448	taskmgr.exe
820	taskmgr.exe
4944	taskmgr.exe
5292	RivieraBootstrapperV2.9.0.exe

Loads dropped DLL 1 IoCs

Processes:

7zG.exe

pid	Process
1448	7zG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

7z2408-x64.exe

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2408-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll.tmp	7z2408-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2408-x64.exe

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

msedge.exemsedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7z2408-x64.exeFileCoAuth.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

Processes:

OpenWith.exe7z2408-x64.exeBackgroundTransferHost.exeOpenWith.exemsedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 8c003100000000004759b964110050524f4752417e310000740009000400efbec55259617559a03d2e0000003f0000000000010000000000000000004a0000000000fb1f2801500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\NodeSlot = "4"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "2"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2 = 560031000000000047598a62100057696e646f777300400009000400efbec5522d6075595b3d2e000000a6050000000001000000000000000000000000000000ce1bc300570069006e0064006f0077007300000016000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe

NTFS ADS 7 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 693978.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 902754.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 494614.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\taskmgr.exe.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RivieraBootstrapper.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exemsedge.exeRivieraBootstrapperV2.9.0.exe

pid	Process
4840	msedge.exe
4840	msedge.exe
3076	msedge.exe
3076	msedge.exe
2196	msedge.exe
2196	msedge.exe
5052	msedge.exe
5052	msedge.exe
2068	identity_helper.exe
2068	identity_helper.exe
3704	msedge.exe
3704	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
1132	msedge.exe
1132	msedge.exe
1064	RivieraBootstrapperV2.9.0.exe
2972	RivieraBootstrapperV2.9.0.exe
1892	RivieraBootstrapperV2.9.0.exe
3092	RivieraBootstrapperV2.9.0.exe
2972	RivieraBootstrapperV2.9.0.exe
884	RivieraBootstrapperV2.9.0.exe
6096	msedge.exe
6096	msedge.exe
5292	RivieraBootstrapperV2.9.0.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid	Process
4104	OpenWith.exe
3700	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 43 IoCs

Processes:

msedge.exe

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

7zG.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exeRivieraBootstrapperV2.9.0.exe

description	pid	Process
Token: SeRestorePrivilege	1448	7zG.exe
Token: 35	1448	7zG.exe
Token: SeSecurityPrivilege	1448	7zG.exe
Token: SeSecurityPrivilege	1448	7zG.exe
Token: SeDebugPrivilege	1064	RivieraBootstrapperV2.9.0.exe
Token: SeDebugPrivilege	2972	RivieraBootstrapperV2.9.0.exe
Token: SeDebugPrivilege	1892	RivieraBootstrapperV2.9.0.exe
Token: SeDebugPrivilege	3092	RivieraBootstrapperV2.9.0.exe
Token: SeDebugPrivilege	2972	RivieraBootstrapperV2.9.0.exe
Token: SeDebugPrivilege	884	RivieraBootstrapperV2.9.0.exe
Token: SeDebugPrivilege	5292	RivieraBootstrapperV2.9.0.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

OpenWith.exewinrar-x64-701.exewinrar-x64-701.exeOpenWith.exeOpenWith.exe

pid	Process
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
4104	OpenWith.exe
2776	winrar-x64-701.exe
2776	winrar-x64-701.exe
2776	winrar-x64-701.exe
3612	winrar-x64-701.exe
3612	winrar-x64-701.exe
3612	winrar-x64-701.exe
724	OpenWith.exe
3700	OpenWith.exe
3700	OpenWith.exe
3700	OpenWith.exe
3700	OpenWith.exe
3700	OpenWith.exe
3700	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 3076 wrote to memory of 3252	3076	msedge.exe	79
PID 3076 wrote to memory of 3252	3076	msedge.exe	79
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 584	3076	msedge.exe	80
PID 3076 wrote to memory of 4840	3076	msedge.exe	81
PID 3076 wrote to memory of 4840	3076	msedge.exe	81
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82
PID 3076 wrote to memory of 1124	3076	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1285296575316361331/1307787336200880158/RivieraBootstrapper.rar?ex=6740309e&is=673edf1e&hm=77bd707f2f3dbdf74bcb80fa9acd084dc9549451c4b44d9b5191c66b043237f2&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc19bb3cb8,0x7ffc19bb3cc8,0x7ffc19bb3cd8
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
  2⤵
  PID:584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1828 /prefetch:8
  2⤵
  PID:500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1960 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3704
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2776
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4900 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7284 /prefetch:8
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7404 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7232 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
  2⤵
  PID:496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1960 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7208 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1132
- C:\Users\Admin\Downloads\7z2408-x64.exe
  "C:\Users\Admin\Downloads\7z2408-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7000 /prefetch:8
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2548 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7580 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7568 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6952 /prefetch:8
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,6613116292131072113,9657517068758638725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6096
- C:\Users\Admin\Downloads\taskmgr.exe
  "C:\Users\Admin\Downloads\taskmgr.exe"
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Users\Admin\Downloads\taskmgr.exe
  "C:\Users\Admin\Downloads\taskmgr.exe"
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Users\Admin\Downloads\taskmgr.exe
  "C:\Users\Admin\Downloads\taskmgr.exe"
  2⤵
  - Executes dropped EXE
  PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4104

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\138a8175d0ce451faee0e2c85cacae70 /t 972 /p 2776
1⤵
PID:3408

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4180

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3700

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\RivieraBootstrapper\" -spe -an -ai#7zMap15778:100:7zEvent2818
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe
"C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3936

C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe
"C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe
"C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe
"C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe
"C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe
"C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1596

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5200

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5236

C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe
"C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
692KB

MD5
4159ff3f09b72e504e25a5f3c7ed3a5b

SHA1
b79ab2c83803e1d6da1dcd902f41e45d6cd26346

SHA256
0163ec83208b4902a2846de998a915de1b9e72aba33d98d5c8a14a8fbf0f6101

SHA512
48f54f0ab96be620db392b4c459a49a0fa8fbe95b1c1b7df932de565cf5f77adfaae98ef1e5998f326172b5ae4ffa9896aeac0f7b98568fcde6f7b1480df4e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8ed992e9-9717-4cac-8d23-466b5cc61cbf.tmp

Filesize
7KB

MD5
ce059a76e5b9837f7f57d6a9e1324ecd

SHA1
9803cfff524e7d7cd534261158ca740d32da7dee

SHA256
528910f1ca66ae25d69305109f84cb56ad8fc2d65082bd9ebd08cdf30aba244e

SHA512
4cdfd695d4eee2fc65d84ef3d0c3b7db6f268508d8a495e34b07a24ce4db4859813f82f27ede2467a728335a4db869378a839f0d315d03bc5e5adb7a827da493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
25KB

MD5
a0914bc7fb19bf3ddf3ff50958a69e42

SHA1
24b38738128b1efa1dffa433b25d5b1dc19dc124

SHA256
8b7bde3c9555d7d20aba60467cdb0e5901bf9112ac781562fe9cf442fb08cd43

SHA512
7693c9bbafdea30976470b3ff95bb6551f7cc2234d8179e820764ac4ec8e1a8368eee71a8804e07bf0278d636be08bf14f8cf4f3bd586328c8e9a12834df2b7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
28KB

MD5
2abbe41cef4a2b69ee1590a47547a2ee

SHA1
e3c1a42939537e529d4d2a615f9d58787f04c68f

SHA256
d844d4744bce70db9b85e8b2152fcaec4858e927b08e88a8dd876afcc1611560

SHA512
9c6f0f84fea282ef31b7651490def6f9300200faaebdf4902023be6b84b2667849a86a847c74535e5f48705272635d3d12e4c1934d60b95c7b3c497d34304db9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
79f2343872cc12c127bf43e5fac3d89a

SHA1
0bf8d79a5774a471907eeed0e36cdac15c7a9beb

SHA256
7744756330e7e37d6fe8801345e02133241aded440a000579807182b69ff364e

SHA512
7b657da40f526351be6079baeac0bd8c4ff410728663dae2703e4f180f337dc55926fdb18a859b1f8d11eface2afdbcf19ead16a14a9a7a089d59b6949281bda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f2a34db9b74fafde0abe79c006ad6805

SHA1
85700b5514ede194362b1a912ebf634ab192744c

SHA256
fbfd909f919b808dbe645ad0b81fa80e2d0295a4367736267f93189bef5e9c5a

SHA512
055027ac19b6f94d6e2b9aa7e87fa6d4f22fff3f17b15d38a17bd87a9bedff794a9e6b5d76423115a5f319c0e4af397e764494a42675d8657600f584de6f6cf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
551B

MD5
333a58540dca6d6ad9d98d72c7e225a9

SHA1
4ed482ae8a23ecbfcbfa664d35e3f4a669daecbf

SHA256
0d81b07aa05429db3d84c9824ec6a9b1f98735c51dcf91bb02fa94dddaacbc70

SHA512
dfe9caccc94bd7b6863fdd15720c41dfe952621c4cbef863bf11225c74266ec5c15f6cccefc984b4aa0c31c30a4fb296511798beb59863342c960dba3d6593b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
511d29d5431ff3bea67a6d820c7b2e19

SHA1
3d98174fe3393191ad6390363767488d610663f0

SHA256
37303b1af1d95e23a8ff0add31478dbcaf4c0f67fcf4dc5f1ac046697b2cf2ad

SHA512
35817e650a9885a55633a64b20caa6d1894db005d74ba54407cf9b56b05181ea2b2dca97c6ec565f5879f4ba362f6c12de268d628e9c6a73776250ae9f9b3600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0d03c8910a47ff5ffc7f06f5a773990d

SHA1
91cb8e5454b8bd937df139b2abb09e8662c3ea96

SHA256
e0d7796c90e657890af3544f893ca142e34856e2a3bfe54fe25b4996c300ea2c

SHA512
95b406411b0b76a677c0d27dfa77ef1c33cc7146aee0b05bd9ab48eb91b798972f18d2f76f8686139895510b33d44f37b30c6268dbfd53825e82d7f9e03365ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
16408b97a197f040508ce4d03da5ceb9

SHA1
ccdf36caf7951642b45de38e951ec8c9194144bf

SHA256
9a00568131dcad2da77d7590c63a07325e1f4f97a6249cae5ecd1a5a7654464d

SHA512
705151754b84974adae5a1d554e9962647511cce65ff420650cb297c5a7e5d4332980e958b98958e5d91b739774dd66034214882343d76a91af4b9128220fc2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
94d560ac20900e2bd6f4ece3d52b3003

SHA1
c196b27b37bdb313318ae87aa29e8ca00e706333

SHA256
a5f9035ff49eca864f5ffe8f04096a88da4bba48bbb2951f3533dd13f3c67c45

SHA512
09edd9cd55ba5429aab895802b17c935c495521d49ab80822d0a2a2a6ac707e66b4a8cf5f382e48f68c9e531e21e31b65fee212705702ca6497ca0b945b7657a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e659f4e388df1c8ba1304ed233809475

SHA1
eb92cc11b148be9297de80546c02c696e85558d9

SHA256
d6da550a37f239ca072079622b06fbbf7d0349a16732d6b6cf152d9440bbb849

SHA512
c8d793a5a158bdc988c92a73415c7901f807e19a21355d1c0cb30b6caa059a25e32f3782c6a07aa6bb823db577a2a840c799067778e9c98063844071942a77f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
50458a0e0bfc02a80a65e64f2ac0edf2

SHA1
f35e5316e5c036f80e46e16f91114d6b6f0fa7d7

SHA256
bb03bc9d56de44f61f60f395cd5b5f31f52d8e44cc5361651db3c8d1c64841f4

SHA512
a1d1718075ed3e878e7cc802f3397d50ae2add965ba4b13290743f61ec992e1af32f3c2a710d93a76d41a958597dfaad0f0698f17a8bc101e445b81109ab3bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2993b3928be8d673183651e7563b1085

SHA1
f9157cc45c9adb491ed7cb4ac28c8a778f85b1f9

SHA256
d92d8b6063447dd422496b579819d848e296a7df55fab8ac5dcfbe5c70f2bfc4

SHA512
9b61611ff5514f4557d5dd77fc8534c4cdd28ac3bfb2708b677822f87a69b40a4566891e0e0199f3ab0e8babd1216a3260a76cead04b1f93d897e8b5e937c3cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4c3ec3f6606a29474f9f21b4d06459cf

SHA1
cbfbbcd4fed5955473859c5df21711ac366c5716

SHA256
9c82e6607e0ef2577a0ec5609ab8a961ad6eada3c5528786ad4c4ff544ed9aa1

SHA512
28f4a48b8f2dec851e23de56b720813c66f12914c4791c8f9a8f32f12426ba920fcc45324a6fb13da8ff67a9b0b055dc879b7f2b99fd99987b8ce83a431a688c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a36bf3090dcfed67790b1af88d99bbec

SHA1
9fabbab7524a73cb9d7487716a091811fdfb6375

SHA256
9d36fadbb0cefd7f75196b59e10273f625b5c8a845701e09f7246f3513f0b45b

SHA512
0e7575e13236813ad764b1d8618ac980e306efe23da8384cc038b355f7d81494446e4139b9a156b58e5ea3dc6aeaf04bbbc94f668e268a7e8202979c0548d305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a0e1b.TMP

Filesize
48B

MD5
f998ecc49f3e6ed27ba32bbc3aa1f98f

SHA1
4807b18090e909c5ee35ca02671ff9b9332f7f10

SHA256
0b1d00ea333a79082f3912493a68009a64dc555c67d847213b7b3a18731ed9cd

SHA512
670d5901c0470a01ebaf16fb11e9ee4488a17f15f020342e80c41567e65b179d24873dd74c1369ae7718ef446c2cb2d66ae835d5bd76d97b79a25a3ae9c7c70c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0e4e2955e644a82b5b99b69c39630159

SHA1
c741ea2ed59f7a438fa120a17c6308f5827c1de3

SHA256
35bc50422d1ab12da0c449f3ede963108746a4098c284ec8df802307a6e45664

SHA512
6b9dd5579c6947bb3206427a6a31a6b8cb5a21909cd5fecb3dedcebc895ed7b9265756d5ee885ab7c40f43d7da9549cfca95062f54a87f59969eb10025203996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b4076fa04270686f5c06efccad3063c2

SHA1
2b8506d4fc3d6470ab31050f8cd791c1d9079491

SHA256
5894cf76b3df09e434dbab1600849b1f44c3204913adf75cafe77bd57790dd77

SHA512
5c6dcc4aaad49b8becf398c09d92812e2d8d29e6c52571689a86bbd5ea8e2d15f1dbf34ffb1fa1b4e031da7fb010b5b37fcccfe0e34e3f3f9197f0234a4e4ef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
a0b5cdf13ad06c8e4cbeb45ea47b3852

SHA1
49824af05d6a120c83ade7596376e39aad130415

SHA256
da2da3a8918d9afcc949ea262ac3417a173592eba3b0ad523e65c66be605d8a3

SHA512
9b6698124009bb2622f4da5ce0cdb242343cb952502e5ab2b580e31057ef8484bcd6b00f6e02b4b65804bb58c312d4c74443613cae3bab4ef4995af5183df3ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581519.TMP

Filesize
705B

MD5
370f93108d87813bba2a9269f19ff3d6

SHA1
53841e76bc637176654b977639f976584a844ebf

SHA256
b03dc0b87c62b58efcea7c728bd89dcb7bb674eeffbe4731a484872b9d5458f7

SHA512
db3ecbd3f7a545eff8ea093a3faff1aba502359560490af599cc861b495c72ab7c1da8548b4dbe0d7e828883829f0d8ee5128e35bad457300caf17092976200f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
15b1176115bba9679511c18461f5b5b4

SHA1
23b84c3418d07f49692afe31a1ff08697eacb31a

SHA256
944906a5c0fadbb6e1daff429365cf7d89078ad9685bf0828e977c35c9002813

SHA512
f009cd7eff9da6619ab057f5a1e564aa9ee5a5897df228ce800183e518c8750798f077134c16d70d78ee27f420ece3baedf20482a99074c58bc37673468aca0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3f27b5ab9cf6956b41a8e99d7fb3bb91

SHA1
3c481f75f1cbda02d89f513f091ea16780c47871

SHA256
062c9393c614208b6eb409159e62c008a7ddb3a71927b994555ef93e2205592c

SHA512
f8ada3b0fa86acc50ae0cc38bdb220c6a2955246b6aa3c0ecf7ac579e478ba2fb4dd94c5d8c82688184f97d95bd3b3fdebcea09570a4ddf56334cc9405b9d720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d6328755da4db016fdd27b1d0dbcdf74

SHA1
f6e26edcafa241a601515ccb9928ed691d5bd33a

SHA256
1fd5500d8a874c79d9e6b1bb427697852bb6112de43ef74fda70be70123737c9

SHA512
19c14a68f409e402f7d250bb022ec7d0944b45c3d44bb23194a5c101f9d2baa8c7408170a3a927f3c43e6ad81761f2b03fd32f475fa8780934b4a19e6e5a2fa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3615a630629f29ebabbc55b5c3608ab4

SHA1
113538c3534e10775451b4baae294be3ad77c9a0

SHA256
c5f30f655ec81aa2e9c2515b31b03fcaee57cb6b39aacd24239e0af9ee1e0181

SHA512
56d4a135402bb3aa3d48efda63a9d9718e2d3e73325dce39b738894beb0515a16ca5cdf42a08e2b7440c0323c8140623508ea8d480c1f18cfb502d59decb14b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0044b927fee659caa0c2439cc9f36479

SHA1
93f04120038bb0fd7a0b7cf97c69dc6ef2025753

SHA256
85a7a69afdb854fd2072a804317e549f666e923a6e07b6132d3ee2f66173366d

SHA512
70608f7c7c6984a5618198d0b7e49d37db773dd2dfcae3b7e70126a3ceb6ef676a5778e2357ff3c228e2f0ac7b2c7949a0a860c0ce5f3dd35c251980b6eb47d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1b3c81ae03b1cd315dfbe90bdb4f678e

SHA1
a53fa5b969442fbd9a080a81b4efa4d6899be4f0

SHA256
dec5b5f3caf66b2abb6575fd723a6eb36f8f16a8577af4fd40845744d2aa90f0

SHA512
23257916f57d241100affc07c433f45ef05906351922ae2984e6c09a3903671cf3a2a7932addf7750002bde25a4c2d69375d85a1df9d28e1b8455d50b5cbebdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f27ce7d02e6ea2a32ef2aa3047d45984

SHA1
0bbf33825e1222910eade2964f6a20587f2cf9c6

SHA256
5bc0c69c738bfd84cc7f26fa31f1d2c4f6d28d64c6c026b638467fb805a8b9a6

SHA512
8b1689731cd91c0a73787e402dafb287ab29fc81d7ad3004aef3726f620f6581f51ecefe20dd6131fbd0fae5c6fdfefa1b2e2649019b19f3eb5f51ebd7daa939

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\52361d3f-6935-455d-8135-8299dbb3a24d.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Downloads\RivieraBootstrapper.rar

Filesize
1.5MB

MD5
7c49d20bd5ed0971b6e281363fb2680f

SHA1
0793fe1b021dadc7f930126971c038a7e54e6322

SHA256
8f56df09b73d442f6ddb38db95847cf983bdc359b20835596e436eeb5a43433a

SHA512
beb883fc8a926ffacec8bd3906cf07a1f8f1c37efffd2e762fc3719b07e5fe14e2e28dae7507311502edf99f20bd2dc3ba3fed7ed02b4ffce4fd20820efb69a1

Download Submit
C:\Users\Admin\Downloads\RivieraBootstrapper.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.deps.json

Filesize
1011B

MD5
e357c507292eb787fbe5f21b263187af

SHA1
83fbff643276f47b54255173e47a8212a61a0fce

SHA256
46d966b2c11184fd44d42d9af1751e23cb62ea9d2fc21190ed582d1e202d6111

SHA512
c53627239090172b9f53bb33db231f27c27f278cc8b24d62e7b0c6db8573fb934218a10ddd5975b217072a39f476a1d254a201b0de16afb270e110f95568967c

Download Submit
C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.exe

Filesize
135KB

MD5
13b9cc6fa2a643cdcdac4942858bb993

SHA1
66070cd6645ce226daa485fce7e90410130b2c2e

SHA256
f8eea0b3ef2cd06676b33db67b279de64860824c802591519a651f4132f6bc19

SHA512
31ac095c4187ab7af2ff47dec789fed6d7d71001719e8c1f99d2022accb79438c1c3028bc9ee9d4f6343f8b4fdd90ead5b0e9e2ae6158c97d4482fde94d52d0c

Download Submit
C:\Users\Admin\Downloads\RivieraBootstrapper\RivieraBootstrapperV2.9.0.runtimeconfig.json

Filesize
445B

MD5
5a5a3b707e9d244eba3c70413bb015b9

SHA1
bd75a45da8038f2bf833eb8570236fbe74f467c9

SHA256
1596bac3a8dc283e51fc5243d973305ea99b4d7912a30f28af702509d8ab635f

SHA512
6c17e1f3617e36160a150fd2383fa251616b9655c5c8a1c1f89ab6772c515ba19500167ad539c62db2b3fd785b7e64ab955239d03faf0230382edfec4bc1b68d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 494614.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 693978.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 902754.crdownload

Filesize
2.8MB

MD5
6ad307f2c4bbd4ceaddede2ef728af34

SHA1
c2b423c4bc2a379cf3c40809d0230ed88155b331

SHA256
cd8101ef4ff962026efff97efd7abe38723d8e0f785c833ffb4e030a4d67650c

SHA512
36439867c6a82b00e4a9f63a9a0c303d342e1eb482fecfe8bf4cff206ec8cd943660de3e1eb695c89297396967c21d4197cdf71023db806b18c1873dd9110d0c

Download Submit
C:\Users\Admin\Downloads\taskmgr.exe

Filesize
1.4MB

MD5
85f06e7b3f8a078844169ee7b85c39b8

SHA1
2e513347ef73a78f50ec1c7e964c61e9cd82c114

SHA256
d5d9ff3aabfb524d80bfd5f457b40a3bd1ee757cd93806f88fba57b7cae88a2a

SHA512
dafe88cf11046b9bf379b8a5527c51b9b179962cc6570f5762b9110c0847b1d89e3a77a99893fe702faa176626a48baf96a205b7270330a759fc2776eaca3fa7

Download Submit
\??\pipe\LOCAL\crashpad_3076_MTYABTOPFVFDTVIZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit