dcrat | hxxp://mediafire[.]com/file/fvt9fpe00w9iikq/BootstrapperNew[.]zip/file

Resubmissions

01-02-2025 16:54

250201-veg6xa1mgw 10

01-02-2025 16:26

250201-txnwqsslgm 10

Analysis

max time kernel
1499s
max time network
1477s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-02-2025 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://mediafire.com/file/fvt9fpe00w9iikq/BootstrapperNew.zip/file

Score

10^/10

dcrat defense_evasion discovery execution infostealer persistence privilege_escalation rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4780	powershell.exe
4108	powershell.exe
1140	powershell.exe
4504	powershell.exe
3900	powershell.exe
3216	powershell.exe
1464	powershell.exe
3136	powershell.exe
2680	powershell.exe
1048	powershell.exe
4596	powershell.exe
1564	powershell.exe
1396	powershell.exe
3148	powershell.exe
544	powershell.exe
4668	powershell.exe
3912	powershell.exe
2140	powershell.exe

Disables Task Manager via registry modification
defense_evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	providerFontHostperfCrt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
3260	BootstrapperNew.exe
3296	providerFontHostperfCrt.exe
7544	sihost.exe

Loads dropped DLL 2 IoCs

pid	Process
7552	MsiExec.exe
5936	MsiExec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
3	mediafire.com

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mfc100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\atl100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe
File opened for modification	C:\Windows\SysWOW64\msvcp100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm100u.dll	msiexec.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\dllhost.exe	providerFontHostperfCrt.exe
File created	C:\Program Files\Mozilla Firefox\5940a34987c991	providerFontHostperfCrt.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\en-US\explorer.exe	providerFontHostperfCrt.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\en-US\7a0fd90576e088	providerFontHostperfCrt.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e6e32fa.msp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3DF4.tmp	msiexec.exe
File created	C:\Windows\SchCache\sihost.exe	providerFontHostperfCrt.exe
File created	C:\Windows\SchCache\66fc9ff0ee96c2	providerFontHostperfCrt.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3529.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e6e32fa.msp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4807.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2136	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	taskmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\FT_VCRedist_x86_KB2565063_Detection	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\Patches\2D0058F6F08A743309184BE1178C95B2 = ":SP1.1;:#SP1.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\2D0058F6F08A743309184BE1178C95B2\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\Patches\Patches = 3200440030003000350038004600360046003000380041003700340033003300300039003100380034004200450031003100370038004300390035004200320000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	BootstrapperNew.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\KB2544655 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\2D0058F6F08A743309184BE1178C95B2\SourceList\Net\2 = "C:\\Windows\\Installer\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\ProductName = "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\Version = "167812379"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\2D0058F6F08A743309184BE1178C95B2\SourceList\LastUsedSource = "n;2;C:\\Windows\\Installer\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	providerFontHostperfCrt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\VCRedist_x86_enu	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\KB2565063 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\KB2524860 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\KB2549743 = "Servicing_Key"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\Patches	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\2D0058F6F08A743309184BE1178C95B2\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C025571B2A687A53689168CD7369889B\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C025571B2A687A53689168CD7369889B\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\"	msiexec.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4812	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2136	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
4852	msedge.exe
4852	msedge.exe
3500	identity_helper.exe
3500	identity_helper.exe
984	msedge.exe
984	msedge.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe
3296	providerFontHostperfCrt.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
6212	osk.exe
4700	taskmgr.exe
7320	mmc.exe
7544	sihost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	880	7zG.exe
Token: 35	880	7zG.exe
Token: SeSecurityPrivilege	880	7zG.exe
Token: SeSecurityPrivilege	880	7zG.exe
Token: SeRestorePrivilege	1948	7zG.exe
Token: 35	1948	7zG.exe
Token: SeSecurityPrivilege	1948	7zG.exe
Token: SeSecurityPrivilege	1948	7zG.exe
Token: SeDebugPrivilege	4700	taskmgr.exe
Token: SeSystemProfilePrivilege	4700	taskmgr.exe
Token: SeCreateGlobalPrivilege	4700	taskmgr.exe
Token: SeDebugPrivilege	3296	providerFontHostperfCrt.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeIncreaseQuotaPrivilege	4780	powershell.exe
Token: SeSecurityPrivilege	4780	powershell.exe
Token: SeTakeOwnershipPrivilege	4780	powershell.exe
Token: SeLoadDriverPrivilege	4780	powershell.exe
Token: SeSystemProfilePrivilege	4780	powershell.exe
Token: SeSystemtimePrivilege	4780	powershell.exe
Token: SeProfSingleProcessPrivilege	4780	powershell.exe
Token: SeIncBasePriorityPrivilege	4780	powershell.exe
Token: SeCreatePagefilePrivilege	4780	powershell.exe
Token: SeBackupPrivilege	4780	powershell.exe
Token: SeRestorePrivilege	4780	powershell.exe
Token: SeShutdownPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeSystemEnvironmentPrivilege	4780	powershell.exe
Token: SeRemoteShutdownPrivilege	4780	powershell.exe
Token: SeUndockPrivilege	4780	powershell.exe
Token: SeManageVolumePrivilege	4780	powershell.exe
Token: 33	4780	powershell.exe
Token: 34	4780	powershell.exe
Token: 35	4780	powershell.exe
Token: 36	4780	powershell.exe
Token: SeIncreaseQuotaPrivilege	1396	powershell.exe
Token: SeSecurityPrivilege	1396	powershell.exe
Token: SeTakeOwnershipPrivilege	1396	powershell.exe
Token: SeLoadDriverPrivilege	1396	powershell.exe
Token: SeSystemProfilePrivilege	1396	powershell.exe
Token: SeSystemtimePrivilege	1396	powershell.exe
Token: SeProfSingleProcessPrivilege	1396	powershell.exe
Token: SeIncBasePriorityPrivilege	1396	powershell.exe
Token: SeCreatePagefilePrivilege	1396	powershell.exe
Token: SeBackupPrivilege	1396	powershell.exe
Token: SeRestorePrivilege	1396	powershell.exe
Token: SeShutdownPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
880	7zG.exe
1948	7zG.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4852	msedge.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe
4700	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
7544	sihost.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
7320	mmc.exe
7320	mmc.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe
6212	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 4728	4852	msedge.exe	79
PID 4852 wrote to memory of 4728	4852	msedge.exe	79
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 4848	4852	msedge.exe	80
PID 4852 wrote to memory of 3444	4852	msedge.exe	81
PID 4852 wrote to memory of 3444	4852	msedge.exe	81
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82
PID 4852 wrote to memory of 3032	4852	msedge.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://mediafire.com/file/fvt9fpe00w9iikq/BootstrapperNew.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffbb0ab46f8,0x7ffbb0ab4708,0x7ffbb0ab4718
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2096393603707988602,14575724105742679691,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:6404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1660

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BootstrapperNew\" -spe -an -ai#7zMap4643:92:7zEvent20706
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:880

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\BootstrapperNew\" -spe -an -ai#7zMap28419:92:7zEvent29869
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1948

C:\Users\Admin\Downloads\BootstrapperNew\BootstrapperNew.exe
"C:\Users\Admin\Downloads\BootstrapperNew\BootstrapperNew.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3260
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Browsercommon\IOhgPL0nkibUOseR8JwyIvVZWJDmloCdkfQ.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Browsercommon\inE.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:888
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4812
  - - C:\Browsercommon\providerFontHostperfCrt.exe
      "C:\Browsercommon/providerFontHostperfCrt.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Browsercommon/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Pictures\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender Advanced Threat Protection\en-US\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Browsercommon\providerFontHostperfCrt.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzBRLZaSCw.bat"
        5⤵
        
        PID:5432
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:6836
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2136
      - C:\Windows\SchCache\sihost.exe
        
        "C:\Windows\SchCache\sihost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:7544

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4700

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\BootstrapperNew\New Text Document.txt
1⤵
PID:3224

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x444 0x308
1⤵
PID:4212

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:7320

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\windows-delete-winpe.bat
1⤵
PID:6424

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Windows\Installer\a47e.msi"
1⤵
- Enumerates connected drives
- Checks processor information in registry
PID:6184

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:5392
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 06D72A928B313227682EEF17401C32DD C
  2⤵
  - Loads dropped DLL
  PID:7552
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2CB1D560DC6B5E0982D2378500654C17 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5936

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Windows\Installer\c46c.msi"
1⤵
- Enumerates connected drives
PID:4684

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /p "C:\Windows\Installer\c472.msp"
1⤵
- Enumerates connected drives
PID:4996

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Windows\Installer\e49a.msi"
1⤵
- Enumerates connected drives
PID:3712

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Windows\Installer\7a03.msi"
1⤵
- Enumerates connected drives
PID:8152

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
- System Location Discovery: System Language Discovery
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Browsercommon\IOhgPL0nkibUOseR8JwyIvVZWJDmloCdkfQ.vbe

Filesize
195B

MD5
7bb6676efb12a625a6875579da55495b

SHA1
8320aa0275bff95fe26c36e27567894ca9df20c4

SHA256
a85701421c08b83b63110e3b1147977a990e67f65c86dd05550407a19521a897

SHA512
7d5e05e2cdec14a945b567e5dca472d80980bec3b2da5d89285149176c24183faec41936abceebdeae3a086194afdd84349f54d325becd4556ef1d6f374ee370

Download Submit
C:\Browsercommon\inE.bat

Filesize
216B

MD5
02e00b747d143f33ea8a2e5cc4f3d750

SHA1
f9749c87e2a87e2ea8650262b3816a1af4eaed4c

SHA256
fea81fac5cda164ee511df6c067d71aea46baec472f85e28832de53877a799ae

SHA512
4bb6c99e45cc9137274db3ffbee974edc4a932c03756d28f751e693cec567e9e877f2068f219b23b5003e99b32fcf113d90ed3f0559c418b8666dfdd58732fe3

Download Submit
C:\Browsercommon\providerFontHostperfCrt.exe

Filesize
6.4MB

MD5
1b0d778848c272d9371b8416993ac51f

SHA1
b314539920bcc9e92512ba3f660bc8cebb4d133d

SHA256
33097f4a8833f96fa33cbca96df83d751dac7406152cfcd41a20b95d2035f120

SHA512
a59c4edec00bf8d1eaa5c0dc70f6d30c2f3cca0f81017fa5318feaac85a554a7ff0c25c097ad3c3932bd7dc8995594e164814368f953815db93780be9155bdbd

Download Submit
C:\Config.Msi\e6e32f9.rbs

Filesize
3KB

MD5
de58a5caeea33d3d6f0b41c1a9adf271

SHA1
fdfb1c6f5b58e50f50cb69d0dd5d1fb8a377a2c9

SHA256
f4e9a3482e91986bc8385759009a902ce331e19f658532e58b742be1cbe1de41

SHA512
aa81e8d11c3848e57c638754b5a4cda4c19b02398647b35134ed153ea8178138aba699af2e944962001f3102b6a1a4761df9bcf6e99e89a6aa37471a542cdbbb

Download Submit
C:\Config.Msi\e6e32fd.rbs

Filesize
31KB

MD5
553846dffbc138cd1eac6f5d61085304

SHA1
3bbc4bf5e3e89372c23bac95bc21b054411bf0f4

SHA256
3eabadd7f267a93149a483661032f28db0248990fd0f8d1e244b579ed66f7f02

SHA512
2ead07ee7cbfe57de5e503c12a052b173816514e5ed3f1e057e32ae623bde9c29878a1d7620cb500738a619630c732f59a422ba10de8ac54ad0aa20fa82f7e94

Download Submit
C:\Config.Msi\e6e3300.rbs

Filesize
3KB

MD5
25082f507dda49ba488c188e9e71b8de

SHA1
f5a8221c1621d0d48aa5dedc0966dee4e5e1b918

SHA256
a8570aa8c1434a29a04621ad373e3572825d2d98cb2c1c107d95121bc32faf68

SHA512
a66c7baa7f4861a6dba142fab300a28a22e5b7d19620672d4c3437cfa280e81d2fcc10873e63041299b3d9f2fcfb500745334ab625bd79c790b4db3a246f5495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ec94745cd72f974e0497aa41415bad9b

SHA1
d21ff8668515f2a51aa6a746b3fa15336fc62b5a

SHA256
af45c7c9220e3798ec9208de192ca021515dfba1be3caa38836c6d6d5d3d75b5

SHA512
7ecc68f20c8cb104aacdcb02ed78225d55ac97fe617acac03a4da1650e0066993660cfc9d9d164a71f4e4713f11754c1006c7a43d3462bd41b9f3775a7dc65ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
792d3ddd660d3404e3bf24541d44561a

SHA1
284fc041ce3af883ef80aeb23c0f733b71b838c7

SHA256
95daaabfdcd9fd2c8287074a28083c4802ea4c7f77760edff3e169b441759062

SHA512
63c87c2180e4482261aa1a6e638f81cc040fd5ed631ce90f914fadbcee91f7d6e0421449e68ed1395e99d829d6d29eca1d63b57934835eb3564734ae59b69dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
2fc2dd07ed29f2ebbf801f251d421634

SHA1
c7f3e64dd2dbf25ad70eb192836492e75a2f6a74

SHA256
010ad52ea051fe22e53a2224712bc86aaf6e1498197974d858604d2bf8373656

SHA512
5861c2f366cc8b52a9a91969239033e199da718c05f383ac75d2a8462ff5dae32b08a7104265db2f494c2e968d93608556748e3e3f85e33c0bd8e383878cda90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
1388ef29fc4f107aa0823fc9d0920fe4

SHA1
8c16f837797cc5f87461a24e449314c2e9ce8942

SHA256
3577ae561d270214b9a938c8c352bd7ab8b5e8475e336d4ffe925e531a823719

SHA512
0c7a50b1817396c7ae213e94a578ae95d0af81794098367c2761953b0b2d63dd3923f6c7bad300c0bb4573ab05a7d12f6fa144191280ed22fd347c4b27d0f061

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
652a255a257b970dbe48797e820478d6

SHA1
35d2e1f652c8197ff4d76eb6f863079f8d61b795

SHA256
880cdaa9889f90f4d47089a44618ddf3f3d777ad488a8716233bc7119124b10e

SHA512
e5222980c4ce53749e733e7197908dac3cb9ce269ad740bc88ec0a0aa6a72faaf59a612ca3efabf50a85180998f4bfb283a864690dafa4af6993fabcbcde11a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d049e651c036e68b3ac793dafd154350

SHA1
5c244f499b3a54c4cb4de397f63744516ecc575d

SHA256
f0b7d4c05ea6b4abdb55357cc1faaca914847a389621941238bfc5dcde89f620

SHA512
9c2f1e042af78fcf5bdfa603dd5c20e5af7c8c39ffa05ee94cd397754f3b61201a45137db849a46a30b73d7faebbd34e4ce14bac26d9b616b2ccab485f36f58c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fc3a9cdee6dc551af5aedb1929acc77f

SHA1
8a6a48366cf0db6f5bd5548bdb0cdbe94c56fd9c

SHA256
f710480b8f54bc5ece6291d4a3172e7ccaa5e42e5e6188c5c536bb22af473d5f

SHA512
2af7d32b204121992752bd7fd5db881f4887f4be7020a4850b59dae1e2b54c02ec823eeed7de5fd8025b969d33b0b3f9b583f199e6a8861361fdeaea35203731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f30f41bae50b3dabbb78f69c9518c0f2

SHA1
14b8aa1ee51cc63eea45dc505e153207cde85d4d

SHA256
4b51b9f499ede272899680cfac161ec2ccdcc34495b9fa4571bb9a84c32c9657

SHA512
80ed88566c3dde7b9c5578f60d8e71f93c39646d226c63deaa439f279ac3f6535ab2fe2ba8dc689e3ba00d6900069ed10f9a9ebde8e4dcda44470fc67b05db00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
e03fc0ff83fdfa203efc0eb3d2b8ed35

SHA1
c705b1aa42d84b3414fdc5058e0fa0a3dc9e1664

SHA256
08d550d1866b479c6c41ebbda7b453dba198ee8744a52c530ff34458024ee1fe

SHA512
c0840930d7a9cf16e8fbefefd09c564eabfcfb6e9df1f9b906b830e8218a818c3f9721f9ce1fc2a96b2e6ce725baba0dcd5810a9b55d20b3c9d6f4569b9008a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e36af2fc989f16522aad2266b920aaec

SHA1
b628029ecbd111f93232fc7556c0e800ee0805c9

SHA256
c480bf79240e479308e77fdbcbeb9f5e88edd07e37a57ce056d68bc7d2000b43

SHA512
ac8857684c75d6a62f6117f45159a4bab71bf8ac3dba8fa97ab9330935bb702acfc92e52fdcf19f5b7f1dffae276372a9b2d91a42d76e6b1f436cf220db81214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f3563b9cdb227d34394c7b650dd32966

SHA1
f6275211ceeab828c729066ab8eed5fb00c0b90f

SHA256
bf89b50eeb804b10b6f2edba8bab19900c26381fe533b4b381547bba3571f41a

SHA512
d1e407bad9d7c2e52abadc29682e222c4024cccb823d0a3abd4ab2a1a60451da82498b282498f8a11ff62820a4761ac6cd4e1d8d527f70955064ee32124af72a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
700c152fdd8fe4791c80152ffbed1739

SHA1
3c059b3b07d0d4cff341b56e958eb60a8e359dff

SHA256
c1dde61ca34b5248fe802f247496b228df1d94b1e59ad98e4b2c2178a992712e

SHA512
44f0d9fba46186bc42d3d3c679c2ef2e127f0d7f6cbe63f310821fe6d7de5fa347b6ae39e03d917c1ad190f7fd1aac243a94d070a61c669d794ae05a51fe1150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5bf6b0261deb53c0e3d422e3f83a664

SHA1
60cd83ab6dd15abaa9abf34d9ab54e42c8eefa16

SHA256
a431a9e84c64c6ad29339df6a714cb697081dc1c6c5557ada967d4caaeed0c1c

SHA512
27dfba0d2d7ebce4e6eebdeefa81b2518c5222efb9d37b4c323023e5117eed30ad6aeba8e062bde96d17d53b01bb9a59313229aeaf4863c8b30d9bbb09d46bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
26c94c408a5a2e1e04f1191fc2902d3e

SHA1
ce50b153be03511bd62a477abf71a7e9f94e68a5

SHA256
86ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec

SHA512
70e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI26E1.tmp

Filesize
908KB

MD5
2c169c625b6f35aab52b5bf76abbc27e

SHA1
6e10678a100844c40e071f462dba80a3db0a3db9

SHA256
e6597b902da4734352ed9c65172118221708597e414b4b687cc29c71b0e3f55d

SHA512
fa9b12cb88c61b689a797d5f378f92bbb09e81b9aae8ad2fc8640229ea6908fc426bd6c8f9f60b4724e76cd517d205ba939bec106061f339121b7168558b229e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5498.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIe45f2.LOG

Filesize
20KB

MD5
27f9a6d43af08e98871bf9ee66439846

SHA1
a61d84f5aa7140ea6400b1e92bcc38eacaea51aa

SHA256
7c657e5bdbcdb6a3c29903c967a45c33e69167f495159d8683979f5e27c82695

SHA512
62a2c628c519e42f6ee8490907a15582db191519767f39dcfae4be23b29a0a7863783e5107e52125e53f378522a32691d722a206fcf9f8eb3f9a0f697aecb5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\YzBRLZaSCw.bat

Filesize
158B

MD5
e8648bdcf2a9edff9fc41d65cefe6a22

SHA1
a6c4f5d527d225a4efc93797f0c2258210e7d1af

SHA256
0d89d2a530510f759ed3a64466ba5b9eb434443f0f7f2f3e7fe8b3518e4cda2e

SHA512
b26efec3d99f9ea1ec5fc70f30a2ea027b1923dd6bf4cd4c704ef018f79dba372b8ffaaee35f04dbc715e65820de0269b41c1649f286a1adb6f50ff62868fc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_payel5ri.faw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
165KB

MD5
e5cdb2ec4211b1cfc9e827ced81bd92f

SHA1
d8aeb745b09f3a1205abb2ca65d7a151db7b5172

SHA256
b566de3167a4743f092b84aac7d1e88144f4774c9f02ca612bfd3ae1f8b02a61

SHA512
c15a0147a24231c40b9f15ad26108b0dea6ee0ae4771a43f226a03bfbb8a615d5fa11bba73b00bcf8b1f629ee6564b6bf4b52d3fb8d70fbd6cb1e23be43201f7

Download Submit
C:\Users\Admin\Downloads\BootstrapperNew.zip

Filesize
3.3MB

MD5
dd5e9614239c69c704ea2838d63bb743

SHA1
2a8e636928c86af5adcde714491c24e87fe0368c

SHA256
98cf9b7ae54dbc4cfa596dfe977c2742579cc5a7a4cf0a631a7bd4874d4ad9d5

SHA512
2cad91209d65bd58903239547912f29fa8165800dc321f5ebb24995fe72ac500a6a49ccb5bde7c124e31e3ac9be084b3ad8855d61141df9549bd15d1b7ec95f5

Download Submit
C:\Users\Admin\Downloads\BootstrapperNew\BootstrapperNew.exe

Filesize
3.4MB

MD5
3464a5b313c658db47daabe25a3bbe1d

SHA1
ca50766a78399a5ec8a7fa5fcd627c5802a6c1c3

SHA256
fba233351d72e0eec9250babd033c7e82caaf8b6a1448d34e20cbce027575482

SHA512
05116d49a9ac3dd9fa959510150f7b853ab5c0469ddd11d3c9487d13cf5ea4635e4dba8c4622dcb41c4498b30d58bc73ec51ce6deab530e7159107c335af7b83

Download Submit
memory/1396-331-0x0000021EDAE00000-0x0000021EDAE22000-memory.dmp

Filesize
136KB

Download
memory/3296-282-0x000000001B190000-0x000000001B1A6000-memory.dmp

Filesize
88KB

Download
memory/3296-272-0x0000000002760000-0x0000000002770000-memory.dmp

Filesize
64KB

Download
memory/3296-278-0x000000001B170000-0x000000001B182000-memory.dmp

Filesize
72KB

Download
memory/3296-284-0x000000001B1C0000-0x000000001B1D2000-memory.dmp

Filesize
72KB

Download
memory/3296-285-0x000000001BE70000-0x000000001C398000-memory.dmp

Filesize
5.2MB

Download
memory/3296-287-0x0000000002930000-0x000000000293E000-memory.dmp

Filesize
56KB

Download
memory/3296-289-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3296-291-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

Filesize
64KB

Download
memory/3296-293-0x000000001B9A0000-0x000000001B9FA000-memory.dmp

Filesize
360KB

Download
memory/3296-295-0x000000001B1F0000-0x000000001B1FE000-memory.dmp

Filesize
56KB

Download
memory/3296-297-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/3296-299-0x000000001B210000-0x000000001B21E000-memory.dmp

Filesize
56KB

Download
memory/3296-301-0x000000001B960000-0x000000001B978000-memory.dmp

Filesize
96KB

Download
memory/3296-303-0x000000001B220000-0x000000001B22C000-memory.dmp

Filesize
48KB

Download
memory/3296-305-0x000000001BC50000-0x000000001BC9E000-memory.dmp

Filesize
312KB

Download
memory/3296-276-0x00000000028F0000-0x00000000028FE000-memory.dmp

Filesize
56KB

Download
memory/3296-320-0x000000001C4A0000-0x000000001C549000-memory.dmp

Filesize
676KB

Download
memory/3296-321-0x000000001BDE0000-0x000000001BE4B000-memory.dmp

Filesize
428KB

Download
memory/3296-274-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/3296-280-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/3296-270-0x0000000002910000-0x0000000002928000-memory.dmp

Filesize
96KB

Download
memory/3296-268-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3296-266-0x000000001B120000-0x000000001B170000-memory.dmp

Filesize
320KB

Download
memory/3296-265-0x0000000002770000-0x000000000278C000-memory.dmp

Filesize
112KB

Download
memory/3296-263-0x0000000000D50000-0x0000000000D5E000-memory.dmp

Filesize
56KB

Download
memory/3296-261-0x00000000028C0000-0x00000000028E6000-memory.dmp

Filesize
152KB

Download
memory/3296-259-0x00000000001C0000-0x000000000054E000-memory.dmp

Filesize
3.6MB

Download
memory/4700-208-0x000001A0A08B0000-0x000001A0A08B1000-memory.dmp

Filesize
4KB

Download
memory/4700-204-0x000001A0A08B0000-0x000001A0A08B1000-memory.dmp

Filesize
4KB

Download
memory/4700-206-0x000001A0A08B0000-0x000001A0A08B1000-memory.dmp

Filesize
4KB

Download
memory/4700-207-0x000001A0A08B0000-0x000001A0A08B1000-memory.dmp

Filesize
4KB

Download
memory/4700-209-0x000001A0A08B0000-0x000001A0A08B1000-memory.dmp

Filesize
4KB

Download
memory/4700-210-0x000001A0A08B0000-0x000001A0A08B1000-memory.dmp

Filesize
4KB

Download
memory/4700-205-0x000001A0A08B0000-0x000001A0A08B1000-memory.dmp

Filesize
4KB

Download
memory/4700-199-0x000001A0A08B0000-0x000001A0A08B1000-memory.dmp

Filesize
4KB

Download
memory/4700-200-0x000001A0A08B0000-0x000001A0A08B1000-memory.dmp

Filesize
4KB

Download
memory/4700-198-0x000001A0A08B0000-0x000001A0A08B1000-memory.dmp

Filesize
4KB

Download
memory/7544-549-0x000000001C240000-0x000000001C2AB000-memory.dmp

Filesize
428KB

Download
memory/7544-548-0x000000001BB40000-0x000000001BBE9000-memory.dmp

Filesize
676KB

Download
memory/7544-550-0x000000001DBA0000-0x000000001DBE6000-memory.dmp

Filesize
280KB

Download