hxxp://github[.]com

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-12-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://github.com

Score

8^/10

bootkit defense_evasion discovery persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4252	Birele.exe
1972	Birele.exe
3528	ClassicShell (1).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ClassicShell (1).exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001d00000002aca1-634.dat	upx
behavioral1/memory/4252-706-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/4252-707-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/4252-709-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Birele.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ClassicShell (1).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1968	4252	WerFault.exe	112
4680	1972	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Birele.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Birele.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClassicShell (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 319485.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 691022.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ClassicShell (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 7504.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 268529.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Birele.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
2424	msedge.exe
2424	msedge.exe
2336	identity_helper.exe
2336	identity_helper.exe
760	msedge.exe
760	msedge.exe
4536	msedge.exe
4536	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
4420	msedge.exe
4420	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3232	2424	msedge.exe	78
PID 2424 wrote to memory of 3232	2424	msedge.exe	78
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 1928	2424	msedge.exe	79
PID 2424 wrote to memory of 3076	2424	msedge.exe	80
PID 2424 wrote to memory of 3076	2424	msedge.exe	80
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81
PID 2424 wrote to memory of 3420	2424	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://github.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ff87eb83cb8,0x7ff87eb83cc8,0x7ff87eb83cd8
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6992 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2464 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  PID:4576
- C:\Users\Admin\Downloads\Birele.exe
  "C:\Users\Admin\Downloads\Birele.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 280
    3⤵
    - Program crash
    PID:1968
- C:\Users\Admin\Downloads\Birele.exe
  "C:\Users\Admin\Downloads\Birele.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 248
    3⤵
    - Program crash
    PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6728 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1848 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,12841838109275810537,13718955237265751951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2988 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4420
- C:\Users\Admin\Downloads\ClassicShell (1).exe
  "C:\Users\Admin\Downloads\ClassicShell (1).exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:3528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:280

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004DC
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4252 -ip 4252
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1972 -ip 1972
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
17KB

MD5
18a9531f05f4a3662558d102349767b1

SHA1
328114b78180b5931d651669bf0b21d3a5cf8adc

SHA256
2d427df292899c50caad69f5c59737ff07f39544e52ff6b9d01f4fb82ec0d716

SHA512
b52d9f81a88694bbb16551a50fefd69a3f3dcd0ce5d3d3f3e3a2c1d7de969b5f6e27ca9fd22f7e964108f9b39eb083a44ef161ee3b8c39f61fa5939a15d21b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
7c1ba414db9f5ea7b45c52b28f6a4414

SHA1
2cbde5c5df2bafef243ecc147fd9a3c5bf6a33b0

SHA256
f7b59e2be7d9df532aaea51e3120b2a687aee9e81395a9d330ed88b243ec55bd

SHA512
9e19577906b62e9c5866370c76e1edf328c2fce01628f6f003e3a9cac4de6aa8c916263742470f5259dcdf576e78b98da974f25323df4b0137dfc4b02a3577a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a8afee674d5309009feae1c0385d445f

SHA1
88187b31f84a505090d47a4cba2431fb0b526a3f

SHA256
91891119b27d9ed2d49c0d4f833dbb385c0131b5c086af9a29b83ed9ab372602

SHA512
85a8ef456488bcd8643c069727f792a8289d8d6b307c767f7bcc0d83f5c4487a05fe8bfaddcab100421fb81f7721686c95013190a967c30f845ddc0c8d1c512c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1014B

MD5
b890eec55de94ca45f60c548b48690c6

SHA1
f75c90c58e1aa185f69f81f44363afb664b80869

SHA256
aa8d7df9e4496f48338d581b98b0fc9994bf92acbe17f3f25f48304a9d73c8c7

SHA512
7cf2d07aeb1920f72e6572c1810131edcd106b2ef7b2f0cad3ac25a35149877fc0601ca0244a44037467a8a073f344d377c75c219f639d1ff6e105447fc0f386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
89a17e51f48eb1b854539620e4ccfbd9

SHA1
d5c0e56316aa55438b6c478ac3bce30cca7109f9

SHA256
364f57b62531e103cde988c644f373eb042fedfc1a78a2472b965512ae26a4d8

SHA512
e1ba6f8df8656304ba44126e3ad9d102ba050333ba048fbd8b42efdee091e81cff3480d12e4d298ced1271c0598b4a63f05a58aed41152e7041115be4eb7ae48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
567a4927ce27c44854abf49df5774fe1

SHA1
64f2ce0e377f04635ed2c9fd1fed3a750fa9a82a

SHA256
fdc854b90583efb9bac74562ba3444ff1b912d75cf4d374eb64e5a479ad635f2

SHA512
61c6fcf2d579153b55c08c9ccf1915fefe0593a61be6e30ca752cfe8aa53ee1229f7cba71423d5d4d2cad725180a1bb79407a6f6fc1de787750aa40c62e7c84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d5e988d3b5a235891107d2d8b10b0d77

SHA1
94ef5a48fc868090ea639ee7472731b2e198a50a

SHA256
e388dbbb1414f5091b48b183aa598b934806b80d677c812f9f5ec52e4616312b

SHA512
246161d136fc412b3ac3af6d97be2002d2b285e895e9446a1083b5b199657d61340ee7ec05e02018341fdf9fc22c95bedb592d290bfddb6828d56a5d7a1d49f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91180375342968fbea17be70847aa414

SHA1
3e2ccec0f33f9ea62a879c8bebd8df60b316bf35

SHA256
706d90af55207e76cf684658a880aaa1367bf4ad783587fad436fe47eb1c0dec

SHA512
7e6e20bb278a37933278be4a86ec8f07864b3213539c5fe1c359b77d107e42d53dbff78e8b47a2d3d9fc0437dcbdbe4346ee772adceb1c5c1281831cb41ce402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
903d2a99176a9c2db8bdeb864a94803a

SHA1
e9b6f874ab02d99b5bf3d238622f9c3615b72df9

SHA256
a83e2f276a287019f32b345b5db09622ae2e8cf600a7d5ade8977e6fc6e8de22

SHA512
baa77e2722d4435ebaa0a06013e93546ef141afef2a33adb521f33a58bd5f07ca3590d50ef1431bbc6e33c84b8bb6fcf390a197693914e15bbe3cecf35dcc244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
821cf3517bc6bb32c56938cb70b1b28c

SHA1
2a5d0fa8e91f0c1fdb458e685d56e43e4e192b6f

SHA256
445afafed72507f667c5536b908ee01884c0628456ad8df057cb4a85f9682dcb

SHA512
2e5f70f4bdfbd8a24059926527cebfdaa8ae24c650d97449512102be7f968abb2bbebb089ec324df5c5bc2b2413c1f3e0608df60f2755b52b9dde20fbb9fb37b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
85c7fb148b5803b42e423f44e6149f62

SHA1
f51faab7d16873620f67390221798454a2c6c10a

SHA256
40bdc570cc6433a883b5232b2edec182de2d266bbbcbe066d0d1d8a095aa4868

SHA512
10cc00532654c9de24f203367ec3b601f567879c026ae0fe1d4d7b1c9b0bcddb0f19420c70369d96018075363a7c02ec8df3fca2eab44cfceec400d82db5fee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ecde9523b43da0ae471e3c4d5e61c29b

SHA1
d62c01075e998d7184929c517381021c0268e446

SHA256
ae675387ff3bfbbad77f54ccac8d090e5563c1c656cfb8107ca61dc4fd936962

SHA512
b1c055a08725da582b29914694ab6a0c03068d89fd612cd4cb5688f010bd649d1ceab024e368f383e09147b60c59fdd592d34f96a0a738552d984c1c578a236d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
45a4ef8f4f7cf10de4dc03fafa7ce679

SHA1
e40549bb0d1a79f1e2e76c377e9728422fef2aca

SHA256
61c0d9dbb79eccd86cb462d256b1c304b1afe690318401d019e72d54f82d62aa

SHA512
917077cde426c718ea6c88b72042eace736bb9cef49a9ecfa1e4cc9e2c57a8d0c712f5e2ba6b7549385745044584979c28276465a060ac48a15bd29594095c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0cd306da63edbe54c05dce6b9767cb2e

SHA1
0e21b0a5eb3d4555d9b22c2ff403b85f1b11aa5d

SHA256
afff71fae9ed37253835f373dcd052ef6bcd13835a65183b0d9ba254abd3ae96

SHA512
65921aaa590793eecc24a012da720cf5c5d3927bd7842a487931583764681d5b497009f9f82bdb2295b309d2e984e05e68e28a0f3f3623554aba4743dee3633e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8161b91d2754f935a42e7be11af47aa7

SHA1
cc581939e25812c7b3bcbb36a09370b27a88e1a5

SHA256
0fd0bcb55cafa1bf54b7b767404bfa4516a96c002c1dfd3eb516660d74fe93f5

SHA512
2c96a6bc96a69b9d7bba9723218a5881c2a1813b5b2e55f1c7178de07be8b8fbf6b48190b49a87bca6ba0e780cbd258573413a7f2f311b85dc5aa5a0f75a9055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
388b3b896ab592e611356c73c58397c1

SHA1
52b9736a04e3bc651f78c1cee341909416050306

SHA256
673ce088d7e09d7bfec7ec879edaed9a1abc8df0fc0dc66902b765d72acf1f76

SHA512
53bdaafae9e4110e6bcff839cd01718e51a84e6d41b9fd7d11036c84a74b6945fb3dbd0c41f1a598d4194a6fb1ceea07e7a8c5b31aba76cdd360ad51adc46dfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4f7ebf4ecbc02faeec7c81e9cdf93be3

SHA1
c43525382322b406f8ca97e831d9d1ddeeb26256

SHA256
f0bfc67508148f3e0f35f5edfadc33d09d66627def21797971818f41dd33c0ec

SHA512
2cdc9ee3cae7eaf80480a8c88773015c4434ae6c1a1fcdf6a231905cf7742cf556e8df11afdb9b76bb0e954ea0bf3500ed4e3a3f374b64c1e00620357abf391c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57df83.TMP

Filesize
706B

MD5
3d0b12e26f2532e9ac1fd0f3c63284c7

SHA1
e6133c5d429708f2dcedc90cfd95cebf03156e26

SHA256
977c9bb8ae5fd77f3ad7482f7d1c852db6e5f12d37d68a47ea80eaaac7097d42

SHA512
cb4099fea5ada53755db62aaa74c67ff276587ef0975f6b3d3a32d96bc313a204a8c0bb699de203f76ccc363e8dfc0b333073e1b7620a67d983448c57581ce25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8369fe520a77e90e61e8b188bdf9f7d0

SHA1
cac5cafa1ba5078bc6afc567ea840bde6bc01398

SHA256
7a85c5e664f3b35907261ce82654e2ee840fb918100443e054700d5319f03ed9

SHA512
71b30e9ef8a42ec09c47797db70dfb6ab07dbe5150fcb16422ec3c20a167874abbfded6e4d522d9462592b77acad1f6d7e9caccec57c660eb0d22c37ce543661

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5155eb8bce70b67efc10184478748a1e

SHA1
caa02dc2374adc55ddafe04de02770cb73edcc5a

SHA256
8a2fdab0ccd84e2bc997fa8f1c0d3ee3c45aea7916d5d1634f05eb71d226bc64

SHA512
04c86a89790bb5ae0327dbec7f7d526f6215d9767a09bcc135d9a27e43df589d327fceda7fc95e7a8149349fe57a78891073601ae5e2ef588b28ba484310ea5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8ee6872976df210038f0967ca064f2d3

SHA1
8a82603daac43844ba05943fa6f1f7b04735bfca

SHA256
e746eae1d0efe4fa12260738e432539b3fcb839b2480c55377092adaad7db095

SHA512
7bfa630695328f36ac3aad5d34191dcdb10a40ffc81d2ce7ac35f7b081eae4d978db19ffedb579760b72799732d0373f8a5812a2b56fe12d32f3b3886dcfbce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\fe13328e-56c2-47e1-a59b-12c23d156e78.tmp

Filesize
10KB

MD5
8875d09ec1e2b767a9cf8ef78313457f

SHA1
a7c85aaf17c373669af220359389190a8f4ecc87

SHA256
661990af25c325f90dbe0381f6ee6bd2d070a1ff7659a9a1251b4e36f4862291

SHA512
57e13d502c28dda5d3133d8a67e5d567ce0537a0706bd65767f1588ef32977bbd0ea6555ea07c648b80a678c6e49d7cc75eace608c21873f293c2ec60c25e4d2

Download Submit
C:\Users\Admin\Downloads\Birele.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\ClassicShell (1).exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 319485.crdownload

Filesize
6.8MB

MD5
c67dff7c65792e6ea24aa748f34b9232

SHA1
438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e

SHA256
a848bf24651421fbcd15c7e44f80bb87cbacd2599eb86508829537693359e032

SHA512
5e1b0b024f36288c1d2dd4bc5cf4e6b7d469e1e7e29dcef748d17a92b9396c94440eb27348cd2561d17593d8c705d4d9b51ae7b49b50c6dee85f73dec7100879

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 7504.crdownload

Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
memory/3528-821-0x0000000000400000-0x0000000000AD8000-memory.dmp

Filesize
6.8MB

Download
memory/4252-709-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4252-707-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4252-706-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download