rhadamanthys | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
632s
max time network
633s
platform
windows11-21h2_x64
resource
win11-20250211-en
resource tags

arch:x64arch:x86image:win11-20250211-enlocale:en-usos:windows11-21h2-x64system
submitted
12-02-2025 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloaders.zip
Size

12KB
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Score

10^/10

rhadamanthys xmrig xworm adware discovery miner persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

147.185.221.22:47930

127.0.0.1:47930

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

rhadamanthys

https://185.196.11.237:9697/f002171ab05c7/9xqdctgg.ir1fr

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0002000000000445-495.dat	family_xworm
behavioral1/memory/5036-500-0x0000000000420000-0x000000000043A000-memory.dmp	family_xworm

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4536 created 2948	4536	DK.exe	49

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/files/0x001c00000002ae1c-384.dat	family_xmrig
behavioral1/files/0x001c00000002ae1c-384.dat	xmrig
behavioral1/memory/4188-392-0x00007FF681D20000-0x00007FF68281E000-memory.dmp	xmrig

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe

Downloads MZ/PE file 9 IoCs

flow	pid	Process
8	2140	Process not Found
46	236	4363463463464363463463463.exe
18	236	4363463463464363463463463.exe
57	236	4363463463464363463463463.exe
15	236	4363463463464363463463463.exe
40	1104	New Text Document mod.exe
43	1104	New Text Document mod.exe
44	236	4363463463464363463463463.exe
54	236	4363463463464363463463463.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 21 IoCs

pid	Process
248	TPB-1.exe
1680	TPB-1.exe
3668	TPB-1.exe
2836	TPB-1.exe
2180	extension_dropper.exe
4188	xmrig.exe
2956	whiteheroin.exe
3196	Doublepulsar-1.3.1.exe
2636	setup.exe
4252	setup.exe
4484	setup.exe
4044	setup.exe
1304	setup.exe
3160	setup.exe
4072	setup.exe
5116	setup.exe
228	setup.exe
1020	setup.exe
5036	svchost.exe
4536	DK.exe
2676	extension_dropper.exe

Loads dropped DLL 1 IoCs

pid	Process
2956	whiteheroin.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
26	bitbucket.org
41	bitbucket.org
42	raw.githubusercontent.com
46	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 248 set thread context of 3668	248	TPB-1.exe	105
PID 248 set thread context of 2836	248	TPB-1.exe	106
PID 2956 set thread context of 4940	2956	whiteheroin.exe	122

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\mk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2636_13383802785101463_2636.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ja.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedgewebview2.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\eu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\Logo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ur.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b787d5b0-ad47-4361-b621-a87d51ba60ae.tmp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\EdgeGameAssist.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\am.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4072_13383802785831564_4072.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Entities	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\mt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\en-US.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Internal.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\VERSION	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ca.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\elevated_tracing_service.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\bn-IN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Internal.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\hu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\LogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\qu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sr-Latn-RS.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\EBWebView\x64\EmbeddedBrowserWebView.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\en-GB.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\onnxruntime.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\wns_push_client.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Extensions\external_extensions.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_stub.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\eu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\EdgeWebView.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_pwa_launcher.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_wer.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\id.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\uk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\mi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\ffmpeg.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\vk_swiftshader_icd.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Content	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\tt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Stable.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Extensions\external_extensions.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_bho_64.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Internal.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\sv.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4ecf8991-9428-4343-a3d9-c4468e18cd8c.tmp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\PdfPreview\PdfPreviewHandler.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\lt.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoBeta.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_100_percent.pak	setup.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4488	248	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doublepulsar-1.3.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extension_dropper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whiteheroin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extension_dropper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1404	MicrosoftEdgeUpdate.exe
2144	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\ = "Microsoft Edge PDF Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ = "IEToEdgeBHO Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LoadUserSettings = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\ProgrammaticAccessOnly	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\ = "ie_to_edge_bho.IEToEdgeBHO.1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xml\OpenWithProgIds\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mht	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\elevation_service.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml	setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
696	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	696	taskmgr.exe
Token: SeSystemProfilePrivilege	696	taskmgr.exe
Token: SeCreateGlobalPrivilege	696	taskmgr.exe
Token: SeDebugPrivilege	236	4363463463464363463463463.exe
Token: SeDebugPrivilege	1104	New Text Document mod.exe
Token: SeDebugPrivilege	4940	MSBuild.exe
Token: SeBackupPrivilege	4940	MSBuild.exe
Token: SeSecurityPrivilege	4940	MSBuild.exe
Token: SeSecurityPrivilege	4940	MSBuild.exe
Token: SeSecurityPrivilege	4940	MSBuild.exe
Token: SeSecurityPrivilege	4940	MSBuild.exe
Token: 33	2636	setup.exe
Token: SeIncBasePriorityPrivilege	2636	setup.exe
Token: SeDebugPrivilege	5036	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe
696	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3668	TPB-1.exe
2836	TPB-1.exe
4188	xmrig.exe
4536	DK.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 248	236	4363463463464363463463463.exe	103
PID 236 wrote to memory of 248	236	4363463463464363463463463.exe	103
PID 236 wrote to memory of 248	236	4363463463464363463463463.exe	103
PID 248 wrote to memory of 1680	248	TPB-1.exe	104
PID 248 wrote to memory of 1680	248	TPB-1.exe	104
PID 248 wrote to memory of 1680	248	TPB-1.exe	104
PID 248 wrote to memory of 3668	248	TPB-1.exe	105
PID 248 wrote to memory of 3668	248	TPB-1.exe	105
PID 248 wrote to memory of 3668	248	TPB-1.exe	105
PID 248 wrote to memory of 3668	248	TPB-1.exe	105
PID 248 wrote to memory of 3668	248	TPB-1.exe	105
PID 248 wrote to memory of 3668	248	TPB-1.exe	105
PID 248 wrote to memory of 3668	248	TPB-1.exe	105
PID 248 wrote to memory of 3668	248	TPB-1.exe	105
PID 248 wrote to memory of 3668	248	TPB-1.exe	105
PID 248 wrote to memory of 2836	248	TPB-1.exe	106
PID 248 wrote to memory of 2836	248	TPB-1.exe	106
PID 248 wrote to memory of 2836	248	TPB-1.exe	106
PID 248 wrote to memory of 2836	248	TPB-1.exe	106
PID 248 wrote to memory of 2836	248	TPB-1.exe	106
PID 248 wrote to memory of 2836	248	TPB-1.exe	106
PID 248 wrote to memory of 2836	248	TPB-1.exe	106
PID 248 wrote to memory of 2836	248	TPB-1.exe	106
PID 248 wrote to memory of 2836	248	TPB-1.exe	106
PID 1104 wrote to memory of 2180	1104	New Text Document mod.exe	116
PID 1104 wrote to memory of 2180	1104	New Text Document mod.exe	116
PID 1104 wrote to memory of 2180	1104	New Text Document mod.exe	116
PID 236 wrote to memory of 4188	236	4363463463464363463463463.exe	117
PID 236 wrote to memory of 4188	236	4363463463464363463463463.exe	117
PID 236 wrote to memory of 2956	236	4363463463464363463463463.exe	120
PID 236 wrote to memory of 2956	236	4363463463464363463463463.exe	120
PID 236 wrote to memory of 2956	236	4363463463464363463463463.exe	120
PID 2956 wrote to memory of 4940	2956	whiteheroin.exe	122
PID 2956 wrote to memory of 4940	2956	whiteheroin.exe	122
PID 2956 wrote to memory of 4940	2956	whiteheroin.exe	122
PID 2956 wrote to memory of 4940	2956	whiteheroin.exe	122
PID 2956 wrote to memory of 4940	2956	whiteheroin.exe	122
PID 2956 wrote to memory of 4940	2956	whiteheroin.exe	122
PID 2956 wrote to memory of 4940	2956	whiteheroin.exe	122
PID 2956 wrote to memory of 4940	2956	whiteheroin.exe	122
PID 236 wrote to memory of 3196	236	4363463463464363463463463.exe	123
PID 236 wrote to memory of 3196	236	4363463463464363463463463.exe	123
PID 236 wrote to memory of 3196	236	4363463463464363463463463.exe	123
PID 4972 wrote to memory of 2636	4972	MicrosoftEdge_X64_133.0.3065.59.exe	127
PID 4972 wrote to memory of 2636	4972	MicrosoftEdge_X64_133.0.3065.59.exe	127
PID 2636 wrote to memory of 4252	2636	setup.exe	128
PID 2636 wrote to memory of 4252	2636	setup.exe	128
PID 2636 wrote to memory of 4484	2636	setup.exe	129
PID 2636 wrote to memory of 4484	2636	setup.exe	129
PID 4484 wrote to memory of 4044	4484	setup.exe	130
PID 4484 wrote to memory of 4044	4484	setup.exe	130
PID 2636 wrote to memory of 1304	2636	setup.exe	131
PID 2636 wrote to memory of 1304	2636	setup.exe	131
PID 2636 wrote to memory of 3160	2636	setup.exe	132
PID 2636 wrote to memory of 3160	2636	setup.exe	132
PID 2636 wrote to memory of 4072	2636	setup.exe	133
PID 2636 wrote to memory of 4072	2636	setup.exe	133
PID 1304 wrote to memory of 5116	1304	setup.exe	134
PID 1304 wrote to memory of 5116	1304	setup.exe	134
PID 3160 wrote to memory of 228	3160	setup.exe	135
PID 3160 wrote to memory of 228	3160	setup.exe	135
PID 4072 wrote to memory of 1020	4072	setup.exe	136
PID 4072 wrote to memory of 1020	4072	setup.exe	136
PID 236 wrote to memory of 5036	236	4363463463464363463463463.exe	139

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2948
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4276

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Downloaders.zip
1⤵
PID:5012

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjFCN0M3OEYtM0E2Ni00RTk0LTk3QzItQTA2NUI2ODRBMDYyfSIgdXNlcmlkPSJ7NkUwRjM4MUQtMzU0RC00RkY4LUE3N0EtMzRFM0ZCRTAxMTY3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Mjg4QTUwQkItRTA3OC00RDY1LUI4RTMtNTRERTQ2NjEyNTE0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczOTI4MjMwMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzUzNTk3Mjc0MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwMjk3NjY0NzAiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3592

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:696

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:236
- C:\Users\Admin\Desktop\Files\TPB-1.exe
  "C:\Users\Admin\Desktop\Files\TPB-1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:248
- - C:\Users\Admin\Desktop\Files\TPB-1.exe
    "C:\Users\Admin\Desktop\Files\TPB-1.exe"
    3⤵
    - Executes dropped EXE
    PID:1680
- - C:\Users\Admin\Desktop\Files\TPB-1.exe
    "C:\Users\Admin\Desktop\Files\TPB-1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3668
- - C:\Users\Admin\Desktop\Files\TPB-1.exe
    "C:\Users\Admin\Desktop\Files\TPB-1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 248 -s 840
    3⤵
    - Program crash
    PID:4488
- C:\Users\Admin\Desktop\Files\xmrig.exe
  "C:\Users\Admin\Desktop\Files\xmrig.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4188
- C:\Users\Admin\Desktop\Files\whiteheroin.exe
  "C:\Users\Admin\Desktop\Files\whiteheroin.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- C:\Users\Admin\Desktop\Files\Doublepulsar-1.3.1.exe
  "C:\Users\Admin\Desktop\Files\Doublepulsar-1.3.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3196
- C:\Users\Admin\Desktop\Files\svchost.exe
  "C:\Users\Admin\Desktop\Files\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Users\Admin\Desktop\Files\DK.exe
  "C:\Users\Admin\Desktop\Files\DK.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 248 -ip 248
1⤵
PID:2128

C:\Users\Admin\Desktop\New Text Document mod.exe
"C:\Users\Admin\Desktop\New Text Document mod.exe"
1⤵
- Downloads MZ/PE file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\Desktop\a\extension_dropper.exe
  "C:\Users\Admin\Desktop\a\extension_dropper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2180

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\EDGEMITMP_F7555.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\EDGEMITMP_F7555.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2636
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\EDGEMITMP_F7555.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\EDGEMITMP_F7555.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\EDGEMITMP_F7555.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff623806a68,0x7ff623806a74,0x7ff623806a80
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:4252
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\EDGEMITMP_F7555.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\EDGEMITMP_F7555.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\EDGEMITMP_F7555.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\EDGEMITMP_F7555.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\EDGEMITMP_F7555.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff623806a68,0x7ff623806a74,0x7ff623806a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff749556a68,0x7ff749556a74,0x7ff749556a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5116
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff749556a68,0x7ff749556a74,0x7ff749556a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:228
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff749556a68,0x7ff749556a74,0x7ff749556a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:1020

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjFCN0M3OEYtM0E2Ni00RTk0LTk3QzItQTA2NUI2ODRBMDYyfSIgdXNlcmlkPSJ7NkUwRjM4MUQtMzU0RC00RkY4LUE3N0EtMzRFM0ZCRTAxMTY3fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntBN0Q1MUFFNC1GREM5LTQ1MTItQjJFRS01NzM1OTJGRDI0Nzl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC40NCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxNiIgcGluZ19mcmVzaG5lc3M9Ins1MkQ0NjVGOS0wMUYxLTQ1MTQtODVCMi0zRkU1QjVEMzlERUZ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iMTMzLjAuMzA2NS41OSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSIwIiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM3NTczMDQ0NzE3NzQwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDcxMzI5MTA4IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwNzEzMjkxMDgiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjkyMDA5MjI1NDAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9mZWQ1NTgwNS0yZTg1LTQxZDgtYjRlMy00ZWY2YjVlYmY2M2E_UDE9MTczOTkzMzU1OCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1QMGFKWlBMdDBtJTJiaUFGSlRkMlM4blVDWiUyYiUyZmdGUmtmOFhvQ0pWQmxVVEdpTTRGSkpXd3NnMm5XaEolMmIlMmY5Ujg4S3Y2dEFhempzT2NHOXBGREk2MUw4b2clM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5MjAwOTIyNTQwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9mZWQ1NTgwNS0yZTg1LTQxZDgtYjRlMy00ZWY2YjVlYmY2M2E_UDE9MTczOTkzMzU1OCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1QMGFKWlBMdDBtJTJiaUFGSlRkMlM4blVDWiUyYiUyZmdGUmtmOFhvQ0pWQmxVVEdpTTRGSkpXd3NnMm5XaEolMmIlMmY5Ujg4S3Y2dEFhempzT2NHOXBGREk2MUw4b2clM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzg2MDQwODgiIHRvdGFsPSIxNzg2MDQwODgiIGRvd25sb2FkX3RpbWVfbXM9IjQwNjM4MSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5MjAxMDc4NjA4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjkyMTQzNjAyODEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk4NDM5MTEyNjgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxODc1IiBkb3dubG9hZF90aW1lX21zPSI0MTI5NzUiIGRvd25sb2FkZWQ9IjE3ODYwNDA4OCIgdG90YWw9IjE3ODYwNDA4OCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNjI5NTUiLz48cGluZyBhY3RpdmU9IjEiIGE9IjEiIHI9IjEiIGFkPSI2NjE2IiByZD0iNjYxNiIgcGluZ19mcmVzaG5lc3M9InszQTQ2M0FEQi1BMTUzLTQ2RjUtQjYyMS01ODQ1QUUwM0NCRTB9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC41NyIgdXBkYXRlX2NvdW50PSIxIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjEiIHJkPSI2NjE2IiBwaW5nX2ZyZXNobmVzcz0iezU2NERCRjZELTM4NTMtNDQ4NC1CMTY4LTU0N0RENDk4NjQ0Nn0iLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2144

C:\Users\Admin\Desktop\a\extension_dropper.exe
"C:\Users\Admin\Desktop\a\extension_dropper.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{03977F22-AA2B-4C83-B560-8AB270F62846}\EDGEMITMP_F7555.tmp\setup.exe

Filesize
6.8MB

MD5
1b3e9c59f9c7a134ec630ada1eb76a39

SHA1
a7e831d392e99f3d37847dcc561dd2e017065439

SHA256
ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

SHA512
c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.9MB

MD5
ad5f7dc7ca3e67dce70c0a89c04519e0

SHA1
a10b03234627ca8f3f8034cd5637cda1b8246d83

SHA256
663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

SHA512
ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

Download Submit
C:\ProgramData\WebView2CacheTmp\any-url-query-text.8d96bb67.js

Filesize
149KB

MD5
44a8d1879eae846ee5d8a4e004b76a69

SHA1
bf7284086205197d6e4f43916f3a51a63234b94f

SHA256
f9e92028dd9462648374544cc72331c2f206e3e58739e822b0a9795f5e8adafc

SHA512
1efc134d4c6bafaf318cef2f8f79e2d95e6604902425ec016550c21c869f49f670555bd72bc0f5245f52aadbaac14caf684febc2aebf32b96e83cd86c74e31d3

Download Submit
C:\ProgramData\WebView2CacheTmp\client-hub-main-world.26398054.js

Filesize
4KB

MD5
52f0f7b38b83e8277b315c0d360e4fae

SHA1
78986a52219988738bd06c7e6bd737a26bd992b5

SHA256
24005dc10ead7889c2aa4102dffa7a76c0c0a62ad2cadbcc6f02c3d66880d35a

SHA512
b53d6e73111070180cc2b1a27df982a6063bff6eaadc7dcc5a4cb6df1096ff65454e777a1f9335ebd3350142bcb5c0eac7f944f0913d4cd3366dce9c50409f6d

Download Submit
C:\ProgramData\WebView2CacheTmp\contents.d42e7fcf.js

Filesize
5KB

MD5
eda20564c77b4a108e960ae63dab0e24

SHA1
51b86f097e40a7d4e17e988312e64809d3862db4

SHA256
1edad074f66f7d7f03151c5e3eaa621955883bbbedf1b19398199b45c2dcedde

SHA512
de78922f9ba541ade6c296009883c6901855568449dbde32810a677a5bbe100c72aa4b9a45b34c2349ff74a0a2435fb595c69952b1cd54054e1790fc7efdd72f

Download Submit
C:\ProgramData\WebView2CacheTmp\grabber.e414ca58.js

Filesize
4KB

MD5
350bd9526cc63111c73fbf18ffd17773

SHA1
61b6d7b89c255f2af4f2dc98f00e9d00d2de0bff

SHA256
049a92d925649d06501f8013a085f4b05cf4f521e021ae4780ebf60740823236

SHA512
7ebf20207c8ec251ff6ec96ef27497a8ba9194a15a31567aa224886465f53a47f30392b311302ee523a57780ad13a0b227e098e2264e583fc5aa1bd2e37601bf

Download Submit
C:\ProgramData\WebView2CacheTmp\handle-main-world.93005d24.js

Filesize
6KB

MD5
45b11bc3e19d9f95b4de721542a36ece

SHA1
bade25f972632dd02339d298559ed6e9ba31267f

SHA256
53f8ba55e4533b10dada87f93165ef576db785e3a1e5c8c584c3e350a522c45b

SHA512
d957c25c6182fd9226b8796ba257cac0e700967fb2d65ea4885b4d1ff111ef08e071792dda6f9dcd0b2f07ef642b06b1f59478350abebccaeb73721843c4e9d8

Download Submit
C:\ProgramData\WebView2CacheTmp\hides.19587cd2.js

Filesize
5KB

MD5
2e33db41b459cd1ca995393c314624ba

SHA1
9a95b4312aae31e309bf3aed32c93a975486f6ba

SHA256
943def311521a714c1c0963ab7784828aab2f7afd6ec7d42ecf0216243253aa4

SHA512
ec31185e5131d4b72b267d28cc43aaa5fc73ea0d3ced8e633b802b42b4ae86cc216c701380b8279005ff540cd9e730eb3d9026c5788170c6b5a714a91deef724

Download Submit
C:\ProgramData\WebView2CacheTmp\icon128.plasmo.3c1ed2d2.png

Filesize
1KB

MD5
5e65f1cf3dd4bac3f6af18b860007c19

SHA1
2609cefb78f4a83d6ed007ab8a63bf1f91fdb67e

SHA256
0ed91152a6e82413ed77085bf26f5c61ee78004300221b3f84b45d45ce1511f2

SHA512
454d1bc54facb2bf0ccb41732cd0a51e60549ed92d027cd3844c3177c1a9dd4a91886e42dc68410621841a423629ab12ff2c08590f561534a2f841337d5bf825

Download Submit
C:\ProgramData\WebView2CacheTmp\icon16.plasmo.6c567d50.png

Filesize
327B

MD5
94d2e2354bf04af0080e3be2e6868c1b

SHA1
2e00629950011bca4cfafb126bb0f31b7da9c999

SHA256
08c4c5b077333482e6601354889737cec917fa5f4c6b4fb0b939d83a1532cd1a

SHA512
55cf44e49f9e8b23166d87216235638b59b874f59976d3e9b388a816662a6ed9e586fad2226fc5cb937eaea1c4877392d0de475d5e3fa4e0cf21100dbbd5b26e

Download Submit
C:\ProgramData\WebView2CacheTmp\icon32.plasmo.76b92899.png

Filesize
364B

MD5
a7635de53826e30e81d490f96c725d4c

SHA1
8da9e89f6b73933847d4289dff7933c325d03532

SHA256
3ef54730891935310e9d028a1d842575423b663f5ec84a295e388e47a4dda392

SHA512
b0a2d832a9f1cbba0fd64904bc74679ef1c9dcf1a0bbb55015adc31e09e39a566f3d3538b2e1425d64bdc791a458ef2e72430c1d883201ee0e74fa58feb410a3

Download Submit
C:\ProgramData\WebView2CacheTmp\icon48.plasmo.aced7582.png

Filesize
540B

MD5
47e56736b888016a74dace11c51101a6

SHA1
ee087300552a179259d91b8922e72e5cd73f1409

SHA256
e081a2f5898e69f52ed5e443ec15654693558db199da496ed3b49c1789a39a52

SHA512
eea84da43efa6a6cf47ecdeb06255903142b4c6bd34f05ada3e85f003ddc640dad71495b17158f8a181cf6783ebddf6500cac1a82ed4e8ecd48910d7cce5b242

Download Submit
C:\ProgramData\WebView2CacheTmp\icon64.plasmo.8bb5e6e0.png

Filesize
448B

MD5
b3f24e57e4231cac6c1a10826299f2fa

SHA1
f8b9d6e96b92bd4a5b97fa8544bbd422590142d8

SHA256
a9f842e4201ab72c7993257b6072d41c358d4b1d1d4da554ed1aa9d386b27bf0

SHA512
182796edfea44ac1c27ddb66496dd43fb5132e408ff65be2a17b7d92e50d5f6ab62dbf98303da54b668b23316e8de97721c7f49939ee19dd7c2ab1fc228dc485

Download Submit
C:\ProgramData\WebView2CacheTmp\iframe.739970f9.js

Filesize
149KB

MD5
092240db356ab56d2cce1be86f22d4dc

SHA1
6db0003d46db04dcbaf8abfc68b8b23f38d69211

SHA256
3fd510d20bff70d40ef3f0ab55a35ba406739ffb4320c558b8e830d8394c6710

SHA512
e79e97e3c13112df1b4aaea3bbdbd8e68c605e860fe4ebc97b003a02f0c7f38d08f0b457463d9359c837ecc43559515c91dd18e0225e0ce61f5d279b9cea79cf

Download Submit
C:\ProgramData\WebView2CacheTmp\kkOLZS47b1.zip

Filesize
840KB

MD5
9c60fbd4a1b10aa8307dcea3e5953710

SHA1
2c4d485267af959fadcc544022049366cf136760

SHA256
261a4df76a8b4214340ec6142b5cbf5760dcd7a3d3da698fce55ffbdd791267b

SHA512
ec54c6df3923c8e8b94e890fbb9c766215adce84cb6af6cdd3249a508719c5b9148b1b09c4b8dc9ebbb4f2f3232c30ef54eec6b4bd9532200cd24ac0bba2bf97

Download Submit
C:\ProgramData\WebView2CacheTmp\main-world.af72fae2.js

Filesize
54KB

MD5
9469e673f24233175c9b6df0b5713cb2

SHA1
988a9bbdacb87254ac4b5b8ed68c46514a5ba62e

SHA256
f7993a4ec00adfb1805c2965445b05a4ef7146ad6b07462a653b4cd53cf321b5

SHA512
729ee0567c553a1b129ac0041d67aa0d529203fd1d96f5cb75456ff29a21c22e5b5208b0c8231137efa8a55e6b5f546e9271d578a6f686c3a6fea7090a025de0

Download Submit
C:\ProgramData\WebView2CacheTmp\manifest.json

Filesize
1KB

MD5
8e53813f6ebcd8d6884a9dc5077a8f64

SHA1
20519aaefccf1f2f7d2a73dcb96f5c2cb62676eb

SHA256
0366bda1d618819fedfeb8c7575883569f80f6356d5b15bfc6fa893f58787aa5

SHA512
06a392f9b9d4f85ea24836946f7eab7ea94ddee7669469681f8ac2bed16e2ff191bd12b16423054513c9186c5ce93fcf300e590d33abccf47b0ee304ddb45cdd

Download Submit
C:\ProgramData\WebView2CacheTmp\popup.100f6462.js

Filesize
146KB

MD5
3a24a98241ec38af95b5d0dbadda0c6e

SHA1
8a08a9930d8da9f9d063967d0a0ed3f26f7d1f50

SHA256
8c1622d13783deaa48cccafce3bdc36c7a479ccc27f40b1d3ffa7c2e6c632508

SHA512
1b7b47f40d9d616ca9b525dfac65477071febe417fe131ed5d7df93faf43650015570b27164744bda7f46d8bab603f4d97bfc5fa0059522d68c693340acf4376

Download Submit
C:\ProgramData\WebView2CacheTmp\popup.html

Filesize
255B

MD5
37c2fd0ea2ea0c017396b32d90861831

SHA1
04ab4eaddc57e95f134ad55e7223f2a211405646

SHA256
cdc2391ad9d60461e792b013734f1fd7ea74c22ec7b8d2f4cb3fa26c02589322

SHA512
604d385eff3220191d952fce531a31a8fa19ccf88d70b67fdbc1bbe45f2d530090c177b83c14be10d3e14c2b81bc2129f90452ab2e3a5eddd8c7a6282c1ca0cc

Download Submit
C:\ProgramData\WebView2CacheTmp\porter.66760f70.js

Filesize
149KB

MD5
c21be6a02a558cd4a6eb44e3e7f30bff

SHA1
c049acab0b3cb1264949786e2d08921f3366355c

SHA256
da8dcdd8f8cd333304af915bc269642b6f49a517ab86a3960ec607f07ef0c616

SHA512
9146eb32dbd27f91ba9be9519c5c27dbcae145475acd6dec7187e55115606e6011f586f5cb5a00327ed9197fdf65ecddd6bad5af69bbd6515ffc952f74ab9f56

Download Submit
C:\ProgramData\WebView2CacheTmp\redirect.aba114e6.js

Filesize
148KB

MD5
df4da15349463a4de7c46e80a527d702

SHA1
a7e497711385def5ed1b42cba68fec7f8032da7b

SHA256
4b29c7b0939946d8b3dc3b3b3ee98a9d3cdf2434146327876733e48f70097a8d

SHA512
ec0e2813b6558644072d4b75bcc28a35f84670a7117f6bf2b275a7af6fad9bbf916d0755fe7774f225805df45ed01321c9ca08c8f2617c98c3694e948093bf10

Download Submit
C:\ProgramData\WebView2CacheTmp\script-injector.92f3fc68.js

Filesize
3KB

MD5
eb3a0a5b4a1d3e5c0286ffd1864fe57e

SHA1
219245a0cec8f8bf0c43959e14d0eecf88df8414

SHA256
ce81ac60e08f1303a624a20f61bb0cfc21a3d58eadc818caefc305211473cefa

SHA512
7a574a58f6c06f2bf63163c8749917d1941d19e4468618363a07b944f6266ef4430b83cb3cc83c3bc6d2b8c0af97d6d79e44337815ef083ed3a2cb68caa0ff30

Download Submit
C:\ProgramData\WebView2CacheTmp\static\background\index.js

Filesize
3.0MB

MD5
2849a7f4cdfdc537f0e11f2a67d6eeff

SHA1
1529f2c71bb339429896d452a0e276feefbef19c

SHA256
60ed7efa2e4326ec14141f7db5d7fb60e187b8091ca8107fec431e7072e09a3e

SHA512
ccfd3e164df5678b5316de41410a820ce210ae754ebf9e714b01681ca7410e8748e98c15ad7874bb3d070b085bf3ed0b51a071b7347b50920d929abe9d11a6cd

Download Submit
C:\ProgramData\WebView2CacheTmp\tracktor.39faf6eb.js

Filesize
5KB

MD5
755c079ce625ffbf85efea667009ae4a

SHA1
d08afe21c3727780785af49d65e68c2bdd144c3b

SHA256
8d6bf000def5e035426b6416a15aa089ebb26833089004b7064a220c23371d06

SHA512
476d6f5c8fe3d49d952588f499c91e07a75d3e4c05d6b1088a582bbf488ac96acc36c95b731d023198032d554811c890f7a558c0ceae949b4d06c61d1b775406

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9x.dll

Filesize
765KB

MD5
4bb92f145d95b180e356baf280e283f0

SHA1
05e6167c0af3ef8c01724469f1ad815f3b6a665d

SHA256
7438b6d40f44532a6fdb0bf2e4c936d672a10e5b3f8f3011d37736c51767f949

SHA512
548b9080c7ab9227c4a6f41507b5488b1bb2652537596fff9208a40131fd59f890e4b97773b511353679c934c3a869666c79ba3a26600cb30df5e1e5d84b9644

Download Submit
C:\Users\Admin\Desktop\ApproveShow.docx

Filesize
18KB

MD5
9757a5b8330e30e80e8afe2598bf8d66

SHA1
4c203e268ef90bde43433105554cbf59290b16ab

SHA256
694f2ebb55780db18d1ab07333d20ad1e553080c1bc9f1727ee0eae23f3a1bb1

SHA512
9f793c8e0c159d7528468520bc7281d1aafca23c0d1ed5bac4e78a56fd89a07a24d822e8e5e9730a7bb2a059ced03633575b48da768b2342661edb98ca39bc47

Download Submit
C:\Users\Admin\Desktop\BlockApprove.jpg

Filesize
532KB

MD5
cd659b34a4546d3b18dc24591b38f817

SHA1
a20b770ef1ab1017a93335ca5a3fb9f7f37de3a2

SHA256
cdcdaf7f7cee6e736779e112ba015b53a4493faf9c73b956e2f5ff8bb5596f73

SHA512
d08acbaf56d86a8ee8bce1592f61a2da5ca328d73672c35e5e44e9b620dbc730d3d060f498fcbe4b528be57e6074f6270db5da4a258162cae41ec0ae1772aa9f

Download Submit
C:\Users\Admin\Desktop\BlockEnter.vb

Filesize
237KB

MD5
8a6f86d5c5fd7b0b3c27c249e9054278

SHA1
63e1956459843f9c85da00e7b6b206b3b8ca0148

SHA256
6fadff38451e92de652710bc210bfe46cf4444468dd244dbe77dd292a6d409fa

SHA512
16d1a947b09a4296ce5f5e2c9cce112c70caee8cc4224a92741eb7ec7620b7fc29c24a39384d4044b6778a63edcafba9c0a15c585222573b6a3470151c908d23

Download Submit
C:\Users\Admin\Desktop\CompareShow.M2TS

Filesize
499KB

MD5
4539ce887164412d733551abd2360c6c

SHA1
2036ec2fe93d9ddb8ded41fbd912c3d18e9b06fc

SHA256
b50e8f6bc0a22a4d5ad3475828aef668cb6392173b45241ab2ded4c66654d8bb

SHA512
ea8ae7fe520c205e92b08bf8b8847294237f8bce660906b53cb5f601a664d94a6792785fec624714d761d3bbba6aae7cedef2cb2ecd0df5f15a24bdd76d778e8

Download Submit
C:\Users\Admin\Desktop\CompleteMove.nfo

Filesize
385KB

MD5
9697a8014448ecd75685905fe3a9643a

SHA1
78e85765b5f1af82ff04904032efbeb5ee79ce5e

SHA256
cb27bb3dbd254e74cd60a13200b0dc9537cbc910507246f3e6bb78728fe5cbbd

SHA512
c7d53a36be7eb8a32c1ef4b582f9e2e06880e3f899edf3944055c3542019699e458883492b09a6ab2dc6c33b2ecd89845c9b209c7785d6501c542e1805a8b149

Download Submit
C:\Users\Admin\Desktop\ConvertFromRepair.mov

Filesize
286KB

MD5
da7ee2aee5a10efa748717dd7386958d

SHA1
75e80ea9913c7bb4e1c0414be305cdd2b1a3ee0a

SHA256
bb766e592f65c74c118655507bb18569f9061afb2b019e7b247b229a52848e9c

SHA512
cd65ad93ba535b0e67e64ec9a6049561c2668537833ce4cc3402e7e4f72f77a54206bad1685ed189abd508cc306bd912ff1ab40c0120728f8dce214701402709

Download Submit
C:\Users\Admin\Desktop\DebugMount.xlsx

Filesize
10KB

MD5
29fdd049cfb1828291d0882211180800

SHA1
2569b2fae9fb30728154292e45b5e3443ce3fcbd

SHA256
980c8b751f3b2801365b63d7b7b6a88a1880688a19deb486f90451a3952b5afd

SHA512
7f78c2f6d344e6c658ab82fa2daf1d47f60258756065d0c5339c4ae63dcae2d15afb84869ff845ed36272e933711caafd9703bb21d01a99601fa8ae14292440d

Download Submit
C:\Users\Admin\Desktop\DebugStep.ppt

Filesize
450KB

MD5
ea56458db927e8ef1e47306435b7b0e6

SHA1
4d9cafe5646fd5a0eaa0da9c2be134359cdfd16d

SHA256
582c79f2110c8914dc3f51fce54939a86698931a03cc58b7641e1519fec1a7a3

SHA512
f11951780be6a9422da5255d88ff5811ef4d79171a9179146572cfcdff84c8ded5fbecbb1c317a8b864c9080b61ab987621f617e5b8846b31762b194a6522951

Download Submit
C:\Users\Admin\Desktop\DenyUnprotect.odt

Filesize
434KB

MD5
9c0245659257be91070078cfb858578c

SHA1
c4585b835922122e92efda15ae50a7122b00e307

SHA256
21fbd9dd256dc1976d2da4f9bf9291a99120cddad7797847917d6dfe5b589d85

SHA512
7d41a25753c783e9d25542e9da2ba7862b8d17c161fd46460fd13644ac08f8b45b73479373cc2bc35b795e2aa6a6e821b40c6ef547948b49dce8b521fab13ca1

Download Submit
C:\Users\Admin\Desktop\DisconnectLock.doc

Filesize
253KB

MD5
a0c673e193a06f68219d9024e2109936

SHA1
44f1b98ff3106f2b09fd832581596badb70da074

SHA256
2eb6c66396b7060476a509e02ed9e4f1dddcf1705098b7a3dacffc258d8e1e78

SHA512
7df03e211d4013dde16953c34d5049b668360b1dd306cb058d0b4b3fe3df83626bdcb579128bbbcdcc0bddbfe8b51ffee9802e8481105959985cbd209f991e70

Download Submit
C:\Users\Admin\Desktop\EditReset.xlsx

Filesize
13KB

MD5
f5ce4691b9121f6957cb812e03288c65

SHA1
16011f5813b8bffc10021107720b6f24c24e3a35

SHA256
141bcdb9c2456781224c0713abdf99629862eecdee7557d17e87d7b43aaf55d0

SHA512
375f0d9ff598fb2a4bf93b334020a93664f3da8f7c2d0a3d05e5bc8e2d35e98060ab215f52b5022e7fd906952ad21e431c3c4218df15190f3de8d8e258f106ae

Download Submit
C:\Users\Admin\Desktop\Files\DK.exe

Filesize
423KB

MD5
14988e9d35a0c92435297f7b2821dc60

SHA1
8c00da2ab4cf6da0c179f283eac0053231859f8c

SHA256
677b8ff45ebb9486a99aecf8dd2b4b362010573ecc4d0d082eda6a36a7cab671

SHA512
808401d94154a10a5e531b51af6f0a4876b9bbc0c288c33eb964101b30780766a4d7539cb146285d0bceddca4fbc77e072aab91224ab66c29c3feb04a13c2221

Download Submit
C:\Users\Admin\Desktop\Files\Doublepulsar-1.3.1.exe

Filesize
44KB

MD5
c24315b0585b852110977dacafe6c8c1

SHA1
be855cd1bfc1e1446a3390c693f29e2a3007c04e

SHA256
15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13

SHA512
81032d741767e868ec9d01e827b1c974b7c040ff832907d0a2c4bdc08301189b1de3338225587eddf81a829103392f454ba9d9685330b5f6706ea2977a6418e2

Download Submit
C:\Users\Admin\Desktop\Files\TPB-1.exe

Filesize
397KB

MD5
d7cc70050313b6ac928a516957342346

SHA1
87ebb959c7f27892466abd20cca68b705019e6bd

SHA256
8bc4c1e92cfffe6d52dd7f5c65263e24dbc7bc470dbf631e782afd5e90ef5ee3

SHA512
f930483f2a0bcd394addd8103affe8bc52f491d24e034d68c55a09012026b150eaa5be4cfdf2313ad31b3b7d00d11fabdbd53b146dc0b6a0b50f16e877003846

Download Submit
C:\Users\Admin\Desktop\Files\svchost.exe

Filesize
75KB

MD5
1ece670aaa09ac9e02ae27b7678b167c

SHA1
d98cffd5d00fe3b8a7a6f50a4cd2fc30b9ec565d

SHA256
b88c6884675cdb358f46c1fbfeddf24af749372a6c14c1c4a2757d7bde3fbc39

SHA512
ad8b877261b2f69c89aa429691da67100a054006504a2735948415eebdc38eba20f923d327347560d066e65b205e80ea8f0a296e586107dc051d9edc410b40c5

Download Submit
C:\Users\Admin\Desktop\Files\whiteheroin.exe

Filesize
729KB

MD5
ca0a3f23c4743c84b5978306a4491f6f

SHA1
58cf2b0555271badc3802e658569031666cb7d7e

SHA256
944113e85a7cf29d41fbbb30f87ea2554d036448a0bdb1e4e2b2ade3f99a9359

SHA512
9767f2afbe92eddc46a5654f7f8d6eb10da305df5b009d7407ba9822e5d0f9cc374728900e5ebed15e9849f155a77f44d96f16b4bcca650a42257bdca7f29cbd

Download Submit
C:\Users\Admin\Desktop\Files\xmrig.exe

Filesize
7.8MB

MD5
6f4532e49d65c2be0355b222f96e06e8

SHA1
268e90ce25e01bbb205f6ae3f493f8da36a61480

SHA256
acaf8e844ef7f4f65033ebe9546c394cc21bce175dac8b59199106309f04e5ab

SHA512
85f495b0bbd0673df376f44e912f9a0a8d201c2843f1a9efa64d93703a2d8ba2b6fa2638a747e79604715d26ddfc07de26ba43d03adf86290d928b442bf09207

Download Submit
C:\Users\Admin\Desktop\GetRedo.docx

Filesize
16KB

MD5
a393b4a9e732fa8813006ae924fc2668

SHA1
f25f91495a83c87551f1bebd4063b5ee00b60d19

SHA256
8c1135b40efea3d0cc3058199632f4b4510c7698db754a0c620ecc8db0c7b229

SHA512
63a54cf74a4e0a7e184feb987cdc57211612fadc794bb8b76e3b4bf4484541211346de9877905fbfb14bec6ca6e2b511681f0755753d2d1fa4d9461d8dd5f8d9

Download Submit
C:\Users\Admin\Desktop\GetSave.wav

Filesize
270KB

MD5
37db4670f6164cfe321973d91e7bcb3e

SHA1
0e15c6effdbb9d2ce8a88ea80257985078401b17

SHA256
6993ffb97d20bbd3eddae2b4a9d3d3200433138244e19de3c5cbece376c5d98c

SHA512
97e243d8cf0bfe304dce7bb6b55774f65d3227987e704525410c3338d8248ea92afc158c18f304a8c745122b2076481cd2781456a447577dc13d10f1ee59e0cd

Download Submit
C:\Users\Admin\Desktop\InvokeWait.vsx

Filesize
802KB

MD5
f34dc3452979f0fef919aa97d9e6a63d

SHA1
c3c77e4389cb9db2de03351914f5e92647e83d27

SHA256
8b5a0fbc40fa5a696205837948b67b64a381be9d0ca5777db7121969eddab735

SHA512
646d28e155cb482c4313392e7d27f297415cdfb5ed85e78aef26a5d83b2e98a973ea121d52eee55094089fffe8275d9acacc420475fc4d738d621e9d052f9f72

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
0b4cfcad705f51e0d5575792c4f92dd1

SHA1
bc035d85c558971f29cf6d82cf126a83d576052d

SHA256
d8d079acd57b2d87fe3be2ad466d24cd5c7e3f9907c83c27441258f0d127ccf5

SHA512
094da5c914716797884fb4b139f57443bb4a689433e5ad57240a998bfdf24087776bad566ee398528a4068ee0e2aee68e8b28b4e26a732cbfe2f4158deb21fe8

Download Submit
C:\Users\Admin\Desktop\OpenBackup.docx

Filesize
483KB

MD5
0c3beb521a2d68ffc421aa010d045aa0

SHA1
c6f71d4decf312803c0b90c795105104db61ae20

SHA256
2079669de0cd6ae4dc7f6bff77631b850b171ec68cd611671a893e4a71b0317c

SHA512
4275195b776e3521f5955fc191497dd26e347d4d72e16b4e567a03681b690fff021ef7719ffa2cc0fdea857db80cfaecec920b967ba8b426a57d14b4438c1fe3

Download Submit
C:\Users\Admin\Desktop\PublishRequest.bat

Filesize
352KB

MD5
d77bd2506d9953d1f64e87cec34980c3

SHA1
5fecb4193341e9173893aa03ca17541fb7c38b1b

SHA256
cedd78a9b52d6ab988391b35aad76f084811b1df4bfd19320d1d6c0badbe3f3f

SHA512
bda6b757420118ed80fa1693d9b623f54c488057cd4bbb2e4bb2c0684e665cdfa732b83979c28350b781b6a196d929a9cc5ac2e6bc3b6cb666aef2a9b5359786

Download Submit
C:\Users\Admin\Desktop\ReadMerge.kix

Filesize
466KB

MD5
7c649c641ed8d66c80d30bf8cb53e49a

SHA1
27e117fe7fc9d0e14347835106f92a753419f22d

SHA256
36c66c062d39d021ef0d170494368ccdf7ee1191ee4ff9996a7d311f340f2570

SHA512
f6fbd4a9acd4515f4edc113416be657b27e3f6fbad3e4d6c63ee5f369abc4699116608cc2807a7851e3205bf197be49bf08c17b3b98da46d33f0ca684d079926

Download Submit
C:\Users\Admin\Desktop\SetReset.css

Filesize
401KB

MD5
493370a44629ebc170d8e629fc998ed0

SHA1
d31e9e9560b13c216b18a842b7d9b327ced27cc9

SHA256
9fe0bba4c22f6da22425aa7be6b796b533ccc6b8f029ec642db4da46d862d319

SHA512
7f2f2522212f111fb2cc1981e4488cfd951ed214c4ea356889796b528ae201a54375d3bb7980700dcf77d4f6ba7f1b136827631aa1221dbee92e66a442f7af04

Download Submit
C:\Users\Admin\Desktop\SplitGet.kix

Filesize
565KB

MD5
12e5a50a553cc58a9d698210f67250e9

SHA1
f7600a6caa16dc21e8df2149fb3d38ff1e4d7cc3

SHA256
d3722313b5dbed63ea368ac9629cf12241a4c26fff9077134f28aaf3928094c1

SHA512
e6f573a39917ee68260171dad2b5e3c33f10619f549eb502c48c37d49a518544c244d22438d6e2f7c5e0678d6d6a0f59357a2469c8954dccd0c58d5b07716265

Download Submit
C:\Users\Admin\Desktop\StartUse.pptm

Filesize
581KB

MD5
3068b88f772027c08fc03e80bf9f5b79

SHA1
d37610ff87d7fa2a79a3a26923ec9685bc59fc7d

SHA256
c474d20c7dc3d8979cde3a210d3e2ccc3ee71916e7e23f5e54d255996528116e

SHA512
5dc8de8029700be8b1cc93ee0ccc26bbc2efa95f9988e3bf3cd356cbe84d12feb2cc75d5af36dc8bdcda93edb60b7e9d273891685c085dc64c291b54c431b5d0

Download Submit
C:\Users\Admin\Desktop\StopOptimize.avi

Filesize
335KB

MD5
8840ede72babe4822b8f856e8bf4408c

SHA1
80de6673e10f4c9a4bc2a174a98d971272957fe7

SHA256
435b9abf30027c3fb7a6b0fb72e9228a38ec083f69aee882559af74d53fe1487

SHA512
926258dcd3fb6c5df2bec29a95c9c19801c32fc9e98b49e773dcc3508b0a50afc30d0164c949f5c641f8ab6ecbe0dc5ca0093a402cc8c10d73ea8c1b1259feaa

Download Submit
C:\Users\Admin\Desktop\SuspendAssert.zip

Filesize
548KB

MD5
7cc630c040b82c762c06d482d0eaddb8

SHA1
1b442a8cfccc4187778eee291eef87f1fb3581da

SHA256
e5fab559249903da67ee8cdb1ad0de77d1b242df7e66d30793766c4bbe1ce1ff

SHA512
674895c2b7189c834446ea9d618767744bd66f782ce34134a1e71f4bf42664bc1833943dfad81bf5f282c970ca11b614fccdf36588ec26d2ffed2d5699ebcc2d

Download Submit
C:\Users\Admin\Desktop\SyncOptimize.html

Filesize
221KB

MD5
3ef290a16a2d040d009f94705d95c2fa

SHA1
3f1ec487c8b70aa948b5eda62ab10c319a66b804

SHA256
0eaffe3c1cb7c66acf5766e768435a3462b2a1812eef0b0ff8b9cd19649bf44c

SHA512
b47160ef46ee043823632c8a98c5b119f611e0f31eada8a007abbe466c01b4e808426334ef2a459098f35c45784821ceb3904f1aaa884f879de73ad9fe9f9bef

Download Submit
C:\Users\Admin\Desktop\TestUnlock.odp

Filesize
303KB

MD5
748ed0ded7f6f8441e25fe1a2c18f445

SHA1
a0445f0e09a60769adb8bbfa93c4e2e175cf9fcb

SHA256
b63a327042c21e2e8f8473f2b39a2c46a888af6a3c6ec6f656670627416c3574

SHA512
7d14ec8435d3b88980c6b20a5a7aa3328639db2f98803cd194dfb6025da57b31f010339fc28d89ca70c33f6f645595ebf489d1c11de2d56fd8a5dad0026722da

Download Submit
C:\Users\Admin\Desktop\UnblockUpdate.xla

Filesize
204KB

MD5
129747cf159f2cb93724e95dc5a45b63

SHA1
64b2482c6cd0305cc78d3014f4a3eeb4a3c6631e

SHA256
b112a27bea155a9148353ddcc943239efed9bf02bcaab86b757aa7594953eb8b

SHA512
3113fcb6fb6bb6cdf839a0ebe49fd40b1b199a73197df36b6260f2319d6fc1b738a4a4f8979e45112a28f95e664e249019ccb4515fe3438c41478c5d0c90f53b

Download Submit
C:\Users\Admin\Desktop\UninstallMerge.temp

Filesize
368KB

MD5
e27457337c3cc8a95e287324026e97f0

SHA1
309c3aafbbcee270bf5524b9c61eb01160a968e1

SHA256
78e3fbea33e7a3c10aa7f5995fc0d0ebd8fb370c21f675df0792f47e616981cb

SHA512
4a2e8b3eafa7501e0982a41b1dae6984400919758468fc786c295e2adf12fab08b685816d70673b6b97ad918d93ee3e626fb75b9de25b34dbe5d27b2fe12abf5

Download Submit
C:\Users\Admin\Desktop\UnpublishPush.wpl

Filesize
319KB

MD5
d9d07351ad687a1b3859b15bd5853652

SHA1
b8566d1a8a993c65fe94379c0c08269032a1685b

SHA256
316c706d287aab7ec1ae87da41903f46989a1c394062bcc61542a90fb96e0112

SHA512
bc6d2221702fc8f87693b7db7a31db1db6648ff9f23831c881d3399f7372cff84a6d28b027a68e6736b5833695388ef48ce9c482827d79a30e30e41293ccab57

Download Submit
C:\Users\Admin\Desktop\WaitConnect.lock

Filesize
516KB

MD5
054ed59507ce8c536d37ea481e06a434

SHA1
c5394b7d8d5e5fc4824536cedaf0cebd502a2ca0

SHA256
f0ccf1621fed47218b17b4b9c3bc721eca7c12821a62208197955b16ca91f65c

SHA512
78ce44f2ad2e26f6777d0f3244c3ade8b72fbe376a8ffdf3d04abf560768de8a543497fe9b93bb53ce58f5b3d1ba418121f6264452dd587c98d2e2b124be9c72

Download Submit
C:\Users\Admin\Desktop\WaitRegister.mp4v

Filesize
417KB

MD5
2c25bfcc8440f2147be5945befc370c6

SHA1
4c6461f5ce0a2428c722543723c89940ce66a809

SHA256
b79c54d803f29c8aae43a4dbff1a815e2546c53fc5cde32f4a80b09b28c1cd1d

SHA512
642e895348de071b1fddaa364d6d0b06a331844cb4bc51e580b0a084b3c93cef08edd5ec70d1c4ce6c6822837a03af08c5f04570050e08aee4bf20df83e1deaa

Download Submit
C:\Users\Admin\Desktop\a\extension_dropper.exe

Filesize
1.1MB

MD5
b4c1cb38678259fbbce4f5a1fbb3043a

SHA1
25af8f1e94b1e7a1a2c63af74c4040dddf80db55

SHA256
021c69f25f7cfeef0cd36094039940b1bdef3c98b9ee1937cdde8f1d4628ed4c

SHA512
5c440f7c5abe5163e730af786536ec0c00fb78ac69ebca560d8dadb5d78517bf02ae04e2b7949b0073dbd138683ea665d917aed9bfa9761c7e235061861d90e4

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
9fc3d8aa28af4ad6cfd975f7ff2dc408

SHA1
a0307888aa794ce4fb65658a78cee2e470cf5446

SHA256
8c4c202bdd5336382cd12653dd38c0c88ea9287662df357bbfcd6240a09d0b12

SHA512
fdf24bd11c5f3d102955d0c2589ac62ad1d1c04ac393590dfa1a9a3cd5ec46f9ef068f1c0f8117a4c26aafc1b475de28311d2f5d2ab5f2157264df7f5b5eb184

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
c5218804508a69ab3338f915231cf925

SHA1
ca60fd67a93c0cd93a3b9d286eb28fca188e3683

SHA256
0c96207fe6ffedd82a3ad3626ac06c8993786482091432c7c086d306163ca777

SHA512
9e761c5e4a1d797b6cc8006ca368c7624c63a7144aab2fda7644af55f1468890a96a9fac68f7418e340d2dc27180ba062f269cb5b79ef9163ead156fd7e09570

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
4c3b016f0bb8052168e0544c3c7d2794

SHA1
9cb7c5525ec867c92ed3002dc4e2e7879f0bb04b

SHA256
c1778714571d8dda81458a87b165581d7a327d0975f730380dde485bfd69dbac

SHA512
b16d26e8d544588da98b1f956115d96145a385d6fd41ec8e10d63b0c33135cfdcc5ce7ffd13483f1ded2c357e586b83c31454232c8f76514605646cbe8c2fe9a

Download Submit
C:\Users\Public\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
89460dfaa3702f5e30d7f117e1f503da

SHA1
46463864a788afac3b39db172cda2b7cd8694c77

SHA256
d3875b3f7771ed03e2bfe8006d6087c47f6677539e873145aaa7f5ea1e9c6557

SHA512
35775d23d03c3296105b99ccaacfa6c06e30a268e38d6138b5273a8dc37159177b14635372374034dd865ef55ae603ae519cfb5488c3bdbdf2ffafddbd70d46b

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
6f63c1d89d4e491f08c4d3a669703ab3

SHA1
35506791df0dcc8ccc704fc4b578540ddd6fea8b

SHA256
4f9bbe4a92c6812263dab95fc4552db27bda79fbfa5460c0615da9ddf14b3344

SHA512
c994b7ea864765c9f414e3f3974ca8b526f8ee43e998a5118282373f6761dfb1b856e9ae70baebeddcee3fa2bb1507809e85fe9d2c55ad21054fccfd6437b824

Download Submit
C:\Windows\SystemTemp\msedge_installer.log

Filesize
76KB

MD5
815e04e12e2dd93686a80f6b1c523ce5

SHA1
bac7cb72b49fd152954562b48b98b5e271147935

SHA256
080aa927c8b5cfa08c9229d90d5928fd3d67e54a1ec7c17a224324242aecc0d8

SHA512
3d54e21be0a428f2682e164fea0a0b1ae6336e63ec94934e542a008c94b8c1eca1191847ab848af0894daae8778e8fdb2996d1aaadd997313d09709ba7199f73

Download Submit
C:\Windows\SystemTemp\msedge_installer.log

Filesize
101KB

MD5
e4bd178bbda439a4b71dbc28027535c3

SHA1
43984967d6e021a5155bfa57db8f3fb202cae2da

SHA256
554860a4258a1f4099193286d50746e054e70fc671d38c94981e07801380430c

SHA512
88572f8fa962b7be002f7fc46cf0f6b44ffa5f176ec759c66db0912790db4d0f35ada5e9a0ce105cc2996d26b72b8323f539215d23a8807eae044b4e9ac97fc5

Download Submit
C:\Windows\SystemTemp\msedge_installer.log

Filesize
104KB

MD5
f96f4a2d879812526b704a4611f73a47

SHA1
e283bd14918e9ca939e493254008c4bd8ee2b01f

SHA256
da3d0c34d327ecb685b48aebde89e923f807826721e56f695896cfbb8b386c2a

SHA512
e7529a20f04fa06a416f73b3284810c967096b464a3edc14cbf131d2f06bf5e1a7aa020d0994f155253bd45f103dd7698b09de06b1cfa55acd2669973d1aac1b

Download Submit
C:\Windows\SystemTemp\msedge_installer.log

Filesize
106KB

MD5
3d417e9f8d0ddaa8b2b1e4e53fc94974

SHA1
b96700207ea2a6501d85e2d6d3a38251d691c251

SHA256
4f094551d512e62c65f82654b1922068fe58908a5cd21b72c45ea94b7e9ec0fe

SHA512
429eab20087626f3a395ce052e56bcbad3f62f4dadd19359ca3a0d916d0aeebc14bb353461980aae5a4933c5cd99a6253eb1cf78ee836cda3aa7e2005e6ed493

Download Submit
memory/236-50-0x0000000005560000-0x00000000055FC000-memory.dmp

Filesize
624KB

Download
memory/236-49-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/248-61-0x0000000005C30000-0x00000000061D6000-memory.dmp

Filesize
5.6MB

Download
memory/248-60-0x0000000000BE0000-0x0000000000C46000-memory.dmp

Filesize
408KB

Download
memory/696-43-0x000001BCB7820000-0x000001BCB7821000-memory.dmp

Filesize
4KB

Download
memory/696-48-0x000001BCB7820000-0x000001BCB7821000-memory.dmp

Filesize
4KB

Download
memory/696-47-0x000001BCB7820000-0x000001BCB7821000-memory.dmp

Filesize
4KB

Download
memory/696-46-0x000001BCB7820000-0x000001BCB7821000-memory.dmp

Filesize
4KB

Download
memory/696-45-0x000001BCB7820000-0x000001BCB7821000-memory.dmp

Filesize
4KB

Download
memory/696-44-0x000001BCB7820000-0x000001BCB7821000-memory.dmp

Filesize
4KB

Download
memory/696-42-0x000001BCB7820000-0x000001BCB7821000-memory.dmp

Filesize
4KB

Download
memory/696-37-0x000001BCB7820000-0x000001BCB7821000-memory.dmp

Filesize
4KB

Download
memory/696-38-0x000001BCB7820000-0x000001BCB7821000-memory.dmp

Filesize
4KB

Download
memory/696-36-0x000001BCB7820000-0x000001BCB7821000-memory.dmp

Filesize
4KB

Download
memory/1104-74-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/2956-403-0x00000000005C0000-0x000000000067C000-memory.dmp

Filesize
752KB

Download
memory/3668-66-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3668-68-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3668-64-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4188-391-0x00000270C9990000-0x00000270C99B0000-memory.dmp

Filesize
128KB

Download
memory/4188-392-0x00007FF681D20000-0x00007FF68281E000-memory.dmp

Filesize
11.0MB

Download
memory/4276-522-0x00000000761D0000-0x0000000076422000-memory.dmp

Filesize
2.3MB

Download
memory/4276-518-0x0000000002BD0000-0x0000000002FD0000-memory.dmp

Filesize
4.0MB

Download
memory/4276-520-0x00007FF88DEE0000-0x00007FF88E0E9000-memory.dmp

Filesize
2.0MB

Download
memory/4276-516-0x0000000000F00000-0x0000000000F09000-memory.dmp

Filesize
36KB

Download
memory/4536-511-0x0000000003750000-0x0000000003B50000-memory.dmp

Filesize
4.0MB

Download
memory/4536-510-0x0000000000AF0000-0x0000000000B6E000-memory.dmp

Filesize
504KB

Download
memory/4536-512-0x0000000003750000-0x0000000003B50000-memory.dmp

Filesize
4.0MB

Download
memory/4536-513-0x00007FF88DEE0000-0x00007FF88E0E9000-memory.dmp

Filesize
2.0MB

Download
memory/4536-515-0x00000000761D0000-0x0000000076422000-memory.dmp

Filesize
2.3MB

Download
memory/4536-519-0x0000000000AF0000-0x0000000000B6E000-memory.dmp

Filesize
504KB

Download
memory/4940-416-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/4940-412-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/4940-410-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/5036-500-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download