asyncrat | hxxps://mega[.]nz/file/IyIQFQgR#cI06edjpgHov5WQE9yKoPHxc0q-bMef6N4TK8Z3JDU4

Analysis

max time kernel
202s
max time network
203s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29/11/2024, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/IyIQFQgR#cI06edjpgHov5WQE9yKoPHxc0q-bMef6N4TK8Z3JDU4

Score

10^/10

asyncrat xmrig default defense_evasion discovery evasion execution miner persistence rat upx

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

193.161.193.99:53757

Mutex

hsaurcrgqwhjimnkbht

Attributes

delay
1
install
true
install_file
Load.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00030000000006a1-332.dat	family_asyncrat

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/4752-406-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/4752-407-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/4752-409-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/4752-410-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/4752-412-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/4752-411-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/4752-413-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1972	powershell.exe
1916	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
4500	Loader.exe
4880	Loader.exe
2376	Load.exe
3324	Load.exe
3180	nnegaqupnsqi.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4760	powercfg.exe
4296	powercfg.exe
2756	powercfg.exe
336	powercfg.exe
324	powercfg.exe
4700	powercfg.exe
2872	powercfg.exe
1112	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	Loader.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	nnegaqupnsqi.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3180 set thread context of 4352	3180	nnegaqupnsqi.exe	166
PID 3180 set thread context of 4752	3180	nnegaqupnsqi.exe	171

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4752-401-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4752-402-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4752-403-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4752-404-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4752-405-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4752-406-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4752-407-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4752-409-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4752-410-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4752-412-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4752-411-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4752-413-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1952	sc.exe
4196	sc.exe
2484	sc.exe
1924	sc.exe
3192	sc.exe
1928	sc.exe
3748	sc.exe
2424	sc.exe
3720	sc.exe
4876	sc.exe
2676	sc.exe
3880	sc.exe
864	sc.exe
3564	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\7zOC4EF7699\Loader.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zOC4E633E9\Loader.exe:Zone.Identifier	7zFM.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1880	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Nova.rar:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zOC4EF7699\Loader.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zOC4E633E9\Loader.exe:Zone.Identifier	7zFM.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4372	msedge.exe
4372	msedge.exe
4716	msedge.exe
4716	msedge.exe
3896	identity_helper.exe
3896	identity_helper.exe
1492	msedge.exe
1492	msedge.exe
240	msedge.exe
240	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
3660	7zFM.exe
3660	7zFM.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
2376	Load.exe
3660	7zFM.exe
3660	7zFM.exe
3660	7zFM.exe
3660	7zFM.exe
3660	7zFM.exe
3660	7zFM.exe
3660	7zFM.exe
3660	7zFM.exe
3660	7zFM.exe
3660	7zFM.exe
3660	7zFM.exe
3660	7zFM.exe
3324	Load.exe
3324	Load.exe
3324	Load.exe
4880	Loader.exe
1972	powershell.exe
1972	powershell.exe
4880	Loader.exe
4880	Loader.exe
4880	Loader.exe
4880	Loader.exe
4880	Loader.exe
4880	Loader.exe
4880	Loader.exe
4880	Loader.exe
4880	Loader.exe
4880	Loader.exe
4880	Loader.exe
4880	Loader.exe
4880	Loader.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3420	OpenWith.exe
3660	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: 33	1600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1600	AUDIODG.EXE
Token: SeRestorePrivilege	3660	7zFM.exe
Token: 35	3660	7zFM.exe
Token: SeSecurityPrivilege	3660	7zFM.exe
Token: SeSecurityPrivilege	3660	7zFM.exe
Token: SeSecurityPrivilege	3660	7zFM.exe
Token: SeDebugPrivilege	2376	Load.exe
Token: SeDebugPrivilege	3324	Load.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	4760	powercfg.exe
Token: SeCreatePagefilePrivilege	4760	powercfg.exe
Token: SeShutdownPrivilege	2756	powercfg.exe
Token: SeCreatePagefilePrivilege	2756	powercfg.exe
Token: SeShutdownPrivilege	4296	powercfg.exe
Token: SeCreatePagefilePrivilege	4296	powercfg.exe
Token: SeShutdownPrivilege	336	powercfg.exe
Token: SeCreatePagefilePrivilege	336	powercfg.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeShutdownPrivilege	4700	powercfg.exe
Token: SeCreatePagefilePrivilege	4700	powercfg.exe
Token: SeShutdownPrivilege	2872	powercfg.exe
Token: SeCreatePagefilePrivilege	2872	powercfg.exe
Token: SeShutdownPrivilege	324	powercfg.exe
Token: SeCreatePagefilePrivilege	324	powercfg.exe
Token: SeShutdownPrivilege	1112	powercfg.exe
Token: SeCreatePagefilePrivilege	1112	powercfg.exe
Token: SeLockMemoryPrivilege	4752	explorer.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
3660	7zFM.exe
3660	7zFM.exe
3660	7zFM.exe
3660	7zFM.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
3420	OpenWith.exe
1572	OpenWith.exe
3324	Load.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 3872	4716	msedge.exe	77
PID 4716 wrote to memory of 3872	4716	msedge.exe	77
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 5068	4716	msedge.exe	78
PID 4716 wrote to memory of 4372	4716	msedge.exe	79
PID 4716 wrote to memory of 4372	4716	msedge.exe	79
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80
PID 4716 wrote to memory of 2988	4716	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/IyIQFQgR#cI06edjpgHov5WQE9yKoPHxc0q-bMef6N4TK8Z3JDU4
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb11233cb8,0x7ffb11233cc8,0x7ffb11233cd8
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1720 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,4728639774697467129,16099129997858770539,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2500 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004E0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3420

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1572

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Nova.rar"
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3660
- C:\Users\Admin\AppData\Local\Temp\7zOC4E633E9\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC4E633E9\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:4500
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4880
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2096
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4272
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3192
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:3720
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1952
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:3880
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:4196
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4760
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:336
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2756
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4296
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "KFUNOUIY"
      4⤵
      Launches sc.exe
      PID:864
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "KFUNOUIY" binpath= "C:\ProgramData\xqgefzhhbtbb\nnegaqupnsqi.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:3564
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2484
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "KFUNOUIY"
      4⤵
      Launches sc.exe
      PID:1928
- - C:\Users\Admin\AppData\Local\Temp\Load.exe
    "C:\Users\Admin\AppData\Local\Temp\Load.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"' & exit
      4⤵
      PID:2464
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Load" /tr '"C:\Users\Admin\AppData\Roaming\Load.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp420B.tmp.bat""
      4⤵
      PID:1740
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1880
    - - C:\Users\Admin\AppData\Roaming\Load.exe
        
        "C:\Users\Admin\AppData\Roaming\Load.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3324

C:\ProgramData\xqgefzhhbtbb\nnegaqupnsqi.exe
C:\ProgramData\xqgefzhhbtbb\nnegaqupnsqi.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:3180
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2176
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:568
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3748
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4876
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1924
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2424
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2676
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:324
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4352
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Load.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
d5254c028d9c532fa49408d730f742a5

SHA1
7e085754c1a0ec148f124951a9d2eecaf6b1c5f9

SHA256
c848a01e456e27b673772754124b200dbb9292e17033a329b710ee46c130b19d

SHA512
2284d550b87a93c3a53b934ee6f3093cc0ee6bde86d8b6136eb0c7703389222e04a813ef77acafa13e3050600c9a6d4d504f7666b45901beb88489079b61bdf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93a50223fd94909564afc2fc1e30476f

SHA1
11c7f32d37d18ace0e5d7da4a045ce847ce9fd5f

SHA256
19830130f99cbb4c82123edd4772896ba303a76db2f5daef8ad0d604a7d65c02

SHA512
ee49b7091144f0a24021c278aefd79726576c2ddfd008d49f5a6d5d6772699363d5f5cd9a206abac06a0a4f46a5d72e9e6470031464456af8b01f3d49d59583d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37ae146732d1517361c0fefa41308064

SHA1
7a69c482dc601a2f0f3770c3e77a059333ac63a7

SHA256
194763e10aa92b58e13845ea5639b5e154eb6a8bb08f3e6a0df2318a36980de8

SHA512
10f72776f4757419b50e9128a94ba09320935a78b74880ddffe207ac28532b858486e3899df73d443ccf5763a9b69df84552fa7845e1c815ca2970adca27b298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
31c4ab723ff819e83ef389e09e2c84e1

SHA1
4543e02259632f0e454ce441b4a8e30c83529b23

SHA256
5629cc134e059d1540175f846dff27b0ebfa57fed71420ace7980f205044b832

SHA512
91f5374af75a76b98617e2ff386f826b8fcda46a6095e67e4db3fde2851a5f0d89d83d47cbd68e95532fdae5ba7ae9f6604150cd3b97a816b97c366fb7a16eb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb09ce0f69ed83b64398b71536e2ee8c

SHA1
c151cc6001747707b05aacd98cdf743e2f9b3a26

SHA256
6baa6d4edffd91b3a72ea30467b0bc784a3e6af2b066623dd58dde8a18e53f6b

SHA512
c629a05162045d096ebc2f2f0df05f62fc8747e8ab9b76d097f8371fde543df966513b5c4806b33c2d460de400b25d9032aeff772bf26edca44dcd398a855a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2b91488d542a81ad15bd568bdd5c9173

SHA1
bfcd739fd8d2bf59550bcc5092339641da1c76ec

SHA256
44dfbee2091b15b0d0a4020c89df033711754d2a2f23b94f5bf809b1b67ae232

SHA512
d434ff741a01708e5025032f54d76cb3fdd7891a53da29048afce6f9a2d6606df8998e3651f322b1c933267ff616dd176c6b9a1bcb1b06528f3beb7acbc11a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
91777781574284962d8e967fd54fb62c

SHA1
2c90e0950d5950d395cbce2af7c5e69240ddd9b3

SHA256
bce7600abe5e9cf3f6992e742e9c4434923477bdd6a2f822672f92c622172dae

SHA512
a164e803363c5d7d8d4bd0c31b20a6a0e718af3e4d313d01b7c0fd243958488ca0971dd05ff278524754fd6444f356dc4f8caee0386be71b3e8294c223a92f24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583d14.TMP

Filesize
48B

MD5
8b98c438666e49a91dbd7b041119b708

SHA1
aa150aac30d128032f5b18c7c4b200e2c4faf879

SHA256
6e7cef4d6fd71f072868fb8620a6a941746cdf7372bd7d2a33fe803085ae5f4f

SHA512
d879b0dd1a629ecc386cea2619b5a500e31dc2a57a52da31419b3baf93102cd6c27468baccf870dfa58c99334dc3a1ecf270e6ab3697f117da3af8a76ec24a39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dcb1594ec84770b2b8b8c85be8a412cd

SHA1
d8d60fb3dd6edae915775c02fb63e5ea340d9a5d

SHA256
e519140f8cabbaecaa721f8e4c169db8ae508ddc13f7622238e2f51e6153a604

SHA512
37c9aa05f7e33a6abf1bf474eff9b3b4b2f3cb741976dfc0c5e602212fa5abb1a9abd2fc3d2acb2e03e6f64a4cb5f9b05ec938a3a8cb51b2c3909836d3d62a2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
69e75a1e7dc22c51b73e362060d9a87a

SHA1
955d403ecef864d2a459d85d5d97199cc73475be

SHA256
806c6f3833c292da64c878a5a5453a7e14aa1845cb402e5380ddd3a4dde2f104

SHA512
fb57919e18d722f2d4d83dc96fa02acbb01be519a633bfdb5ef23d5a013ae4f49c5cee59e5072c2ca6c0968d9ac732ed1adef3222dc72c2054f5f55d8dcb00a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
243aac74208b1c941448a6e4ed086774

SHA1
f4e7e31e9435d8edf25f16f9e1523956d489f925

SHA256
9995fcf01ec5ef600ee547164075bfb6e14bb04c41235cfdafb8f59e2881a509

SHA512
eb76a8a94c2a681b4bf1510f9c9e4a576aebb3cfeb36407747b3d135faadbe43f317fd0e7087f892ec2e31779452248c5e7a660c0d5b53f2cd352d0efb5a1ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC4E633E9\Loader.exe

Filesize
2.1MB

MD5
a07c79f9e2dd72f3b884928ee384344e

SHA1
88df6b54a3e53a501b09b32de2def406820879fa

SHA256
35c4d936db755868a37561663cd4b279b338413db5f89c2f9df71d74a6d35b61

SHA512
cdb6957a1e59b053fdd8f0d43d9b1ba575da2140c5d2c547b87e8a5b1199f2d071f66152ade3cfdb5294903cf42f395a948b28ea87aef9d9aa6eacdeaffdd1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Load.exe

Filesize
74KB

MD5
4fc5086bcb8939429aea99f7322e619b

SHA1
8d3bd7d005710a8ae0bd0143d18b437be20018d7

SHA256
e31d6dc4d6f89573321f389c5b3f12838545ff8d2f1380cfba1782d39853e9fd

SHA512
04e230f5b39356aecf4732ac9a2f4fea96e51018907e2f22c7e3f22e51188b64cdb3e202fe324f5e3500761fae43f898bf9489aa8faa34eff3566e1119a786d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
2.5MB

MD5
35c54b6a9227ccb7149698254dc8dd52

SHA1
33433b0716128f7c887d7929ec50fab495e45f38

SHA256
db7744a5e7567b151e15c6159b03eb71974233db90716b38d7bb726fd61798e4

SHA512
492de363f0252005a303b7b169721f8536d131bbca71ef37bae59b4b17427dda869c14eea72fd3ed69efc0a3b19b9c3b18e7d6ada1721fbf9b0ce3bfaa57cc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_swgui5ta.yag.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp420B.tmp.bat

Filesize
148B

MD5
1a68bc4f7b643e389ac36caa688f2759

SHA1
9751f4790ee85d43d742f4a4766c43344352bb50

SHA256
3557cecad070ac93bd90dc0772d624869ee0c6d61912e0888efe3242909686aa

SHA512
b0545a4e38552a268614266bbcf16f5e215b184aa0edab4c745ccd578849c9046351b0edafd0cb09a88ad547c8d511cc36f8d5d78d9096d1e03fbf4b1dcf62aa

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Downloads\Nova.rar

Filesize
2.1MB

MD5
50ee1cf21948c6015354e9c1a94ca5db

SHA1
f2f6fb19a2db75d2d5515fd3a20c66eb8f3e6d42

SHA256
8fe639c3cbdcb49a5246f85ce136f14c8c0ad5150c6e38b5eb66eced9d4c4329

SHA512
46c8a6e2818972ec363b5905838e05828a87b10c7991ae5124c485ccf625da0cff4985d675bbda08a9eccf1fc1027c5db0a22f8e99c732f7593f66c68f3654dc

Download Submit
C:\Users\Admin\Downloads\Nova.rar:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
memory/1916-382-0x00000246CD010000-0x00000246CD02C000-memory.dmp

Filesize
112KB

Download
memory/1916-390-0x00000246CD240000-0x00000246CD24A000-memory.dmp

Filesize
40KB

Download
memory/1916-383-0x00000246CD030000-0x00000246CD0E3000-memory.dmp

Filesize
716KB

Download
memory/1916-384-0x00000246CD000000-0x00000246CD00A000-memory.dmp

Filesize
40KB

Download
memory/1916-385-0x00000246CD210000-0x00000246CD22C000-memory.dmp

Filesize
112KB

Download
memory/1916-386-0x00000246CD1F0000-0x00000246CD1FA000-memory.dmp

Filesize
40KB

Download
memory/1916-387-0x00000246CD250000-0x00000246CD26A000-memory.dmp

Filesize
104KB

Download
memory/1916-388-0x00000246CD200000-0x00000246CD208000-memory.dmp

Filesize
32KB

Download
memory/1916-389-0x00000246CD230000-0x00000246CD236000-memory.dmp

Filesize
24KB

Download
memory/1972-360-0x000001E5356C0000-0x000001E5356E2000-memory.dmp

Filesize
136KB

Download
memory/2376-340-0x0000000000C50000-0x0000000000C68000-memory.dmp

Filesize
96KB

Download
memory/4352-400-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4352-397-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4352-396-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4352-395-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4352-394-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4352-393-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4500-316-0x0000000000A30000-0x0000000000C4A000-memory.dmp

Filesize
2.1MB

Download
memory/4752-403-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4752-402-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4752-401-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4752-404-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4752-405-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4752-406-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4752-408-0x0000000000A00000-0x0000000000A20000-memory.dmp

Filesize
128KB

Download
memory/4752-407-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4752-409-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4752-410-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4752-412-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4752-411-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4752-413-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download