hxxps://bonzi[.]link/

Resubmissions

07/03/2025, 01:45

250307-b6lhvssmz6 7

07/03/2025, 01:35

250307-bzy6da1xht 8

07/03/2025, 01:14

250307-bl6y3asjy5 10

25/02/2025, 23:16

250225-287f8atjv5 8

Analysis

max time kernel
443s
max time network
457s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07/03/2025, 01:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://bonzi.link/

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
183	2700	msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
183	raw.githubusercontent.com
182	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4308	4732	WerFault.exe	127

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
4728	taskkill.exe
1076	taskkill.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2700	msedge.exe
2700	msedge.exe
228	msedge.exe
228	msedge.exe
2968	identity_helper.exe
2968	identity_helper.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4696	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 828	228	msedge.exe	84
PID 228 wrote to memory of 828	228	msedge.exe	84
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 1956	228	msedge.exe	85
PID 228 wrote to memory of 2700	228	msedge.exe	86
PID 228 wrote to memory of 2700	228	msedge.exe	86
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87
PID 228 wrote to memory of 1120	228	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bonzi.link/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff95d2a46f8,0x7ff95d2a4708,0x7ff95d2a4718
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=224 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1852 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7108 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2168,4939277997976896419,12037098165238393417,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7488 /prefetch:8
  2⤵
  PID:60
- C:\Users\Admin\Downloads\000.exe
  "C:\Users\Admin\Downloads\000.exe"
  2⤵
  PID:4732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 1072
    3⤵
    - Program crash
    PID:4308
- C:\Users\Admin\Downloads\000.exe
  "C:\Users\Admin\Downloads\000.exe"
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    PID:2492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:1076
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4728
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      PID:2496
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /f /r /t 0
      4⤵
      PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4732 -ip 4732
1⤵
PID:3824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ca855 /state1:0x41c64e6d
1⤵
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0dfbdad47d1a5d0e150f7ce1c87a2c8

SHA1
7163d90657a956bec90a73af78c3393168a2c114

SHA256
d29eb9e2fceb8cf4bb4ed7b032efaf38d893586e0bc2cb672d7d5550603328f8

SHA512
aa60297fa8652377bf3e36f6caf10cef8e8be1986565e99c369fe92625059d36d1f4b23b8ec8cd4b9fc4133702d9b7fda189b21821d2019d4eb7fed4f997010d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
66KB

MD5
55aa4927a773c596f9aab248a2f3ade0

SHA1
f52646d7c496371c2b9e9f0dcfc18ed62a3c6d2a

SHA256
32d0fb08641fbf8e624947045283a5a73073187b157e6cfa891486b2f657363c

SHA512
82c03dbbefb1967c4c596be6ef9a3ba260d728bc7ea998de99fdf81e5ee3e00e2c1e0863e38a48a9ca2a1266cb80b971a0681b97be456f93f3e62f91a5130050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
20KB

MD5
06cd73cf8f1061b4ce71bd041b86387d

SHA1
2a8748c367341a6567e95b7ff20b03376984fd76

SHA256
7bfa01b996d17fbc74c26fd2943bcae1d3db319e2568d8c56a58b2937cbbdc65

SHA512
35aa866127826dfd675ef20e18744fff08ba1090424944a0d9e19d6e945f38ea29274d1199cf6d15b10ca77a897f1449e135bf979e9badc3da2d98d15a6c3eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
22KB

MD5
4b58230070cf24ab8c2b010cffee3185

SHA1
496378a376a43cd0a5a8815db779eb25d55d3759

SHA256
74d78c2c7dd4d9866ee4f5965ea6506b92e24706a0bee00b59b5c11d17b59da5

SHA512
a2310525437753fc184f97c1a5bee60c89f2441268848b8f87b93ddbeb8abccc4a83a2828f7b734b53098062a7d0eefc393f9d878e0babdaa0c323e153a2aa9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
67KB

MD5
cc63ec5f8962041727f3a20d6a278329

SHA1
6cbeee84f8f648f6c2484e8934b189ba76eaeb81

SHA256
89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1

SHA512
107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
64KB

MD5
54c07aff64efbfa7cc409c2c39beee1f

SHA1
484508546a33fc90e6b97f6240601ecc135c362e

SHA256
49c44a97498af5cdc2abaa89ab61f43895326914e942068e4bcdd946627ea065

SHA512
39c0bbe4cddd7eb1b17c6690b580a650640a1aed61ab004092af6cc870286c13dbdd59df763b724b7b022d6d071a18f02cfa751710d38954eaa1eada5b9a1abb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
2adb973c13c04a4dae2be550b9a02ab2

SHA1
28c3c023add32f9d86b73b8503d102ddf02fe3a6

SHA256
00756c241d080a96d38fd39b9a7c76980d2512934d9833f03bfd4c470b84a76a

SHA512
9a9d2c8d418f272b245264d0ff33a29698eed307f25a29db3d29cad192f63d40f08b4fd13fd9654188ae59dcb697090594596b150aa5e037a7f1d19decce3c25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6ee067acb220794cf1909b6373852430

SHA1
b0760b973f706de1fd755babaea882e21f1c5d26

SHA256
d56b06b9a0d600c51b09740cb670e7d5ee0e4cdce2cd8b0bea4d65a1068ef89f

SHA512
fa0904dd2158da2cb9f7394c3d71d3ca0ab7ac2d3745a88421cc88752d178b8a808692e35657090b325530f492890cd53888990b3fb3d093f89eb3a00e4c8747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2621cffb015a44e1e45b7b59eb479613

SHA1
a3f3fc6aa13555f3b467aeb5d9e19a3145836559

SHA256
622bb032fa2c6427fb859482db4e63e59a874284add05a30834167eb011e6d8b

SHA512
1b9e58911177534aec2bb1c4b9a1aba9168da80707ef4d7f485850b2a470ffc29ed40b153f2d926f59f1f5b1c2376055e0cc367a887fd095d3a6a66b5bace74f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
552046a7785c91e89dce2d7c6e8093e4

SHA1
c242c49e677dc74d80fbc8951834e63943075849

SHA256
314e11b30095048faa33343bd92767016e9e534e32898d107392ed3bcd3e507b

SHA512
63210c9c9e0de759873bcddea452da2eaad2369533986cbad783993bdf73c313cb05e0077fd140661a7b7cc08433bf6ba90fc292c701e2de56874456bca6ee3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
e3263fc3893874468e41d9dcfc8dee49

SHA1
8cccb9c051e15ffdfd57fbe0ba82f122f709d114

SHA256
07111c3c9fb6f3a8295458f4210f7394557cb150c430e077c0cc2017f9cb3dc7

SHA512
46676b4418bdc65274d5f8f928c2a3956d428287a45e4648454d76e3146eb54ecbf5a0fa9cec03a595339f03f765f9234fbc704c0fec97ddf6b6d1e858b75e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2c85644e59fd88a5b9d6a3c8e7df76c4

SHA1
5a399f47dc863de4f35b7f82b0c2adb5baf3f858

SHA256
639454a8a2c3652198ddd73f47609c43ec5b9fdb1dab827824a05bfe0a8bc644

SHA512
12d2c537177b3921ef6624a3d6d0799300d8c01723fb9a318acd238721977f7035056671d4df898d99ef269a03d112c98220f0c1c51cfd26bfc84a9c011dc393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bced271a2ad65b94814e5a93f09a9c62

SHA1
33acadb7b72810409553def03a74563735fba18e

SHA256
74a03cbbbbc982fb2cd2ac66e814ef1bd7e6064ad37643b056f9c3a5498a82d9

SHA512
6f2a08fcaec50fa2d2c32e1b919b4f8ac0cb109a0f7ad55883eb2396fa3b0c632171b01e48d96f3f61acf4c9eeeff866564ddd5aab17224802572cace06eadad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
943c9031f28e7c27d21c833a1292a5f8

SHA1
777de659306432711a86084657de1e18df10a2bd

SHA256
93c8490b2083dfdf694ba2e35a4aba348f49a3bf7c8bdb8e46d5d7ce597b15f1

SHA512
005c9c7260e9f8f788f761ea764fb9789aba0a6014465fe7fd3f7c3487e4ed58da468010131b5f10b7db008b4a73d35f8780936f59d105c8b085949fd04ad011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6c1e8f89ccf234355a470f3cf6f2eaf7

SHA1
6ad5b11f206645722ac99a6a2beb31da81d8f718

SHA256
8b084b0d78477f8701bfa9d7c6f1b8acc3d866757c05326d57ea48cc47ebf2cb

SHA512
b5a8b2873b32ea8451843cc0d6d1af178da8f420ffed2ef508978c89fa421b91610f3fa4ee2a54f05d95dcb72280f6e2fba8bc89660d450589c52b875be65aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c425c1c68dcd342281df1674fbdfb2b8

SHA1
b6cb6ec37bb3a425ff3c33bfdeb348af2f32bb83

SHA256
8ab8745a83d152f698642ebb16c2a78c80104e6939dba853e3e08500cd468ebd

SHA512
66f674d0de93c6c0f54dc50b9ea0c080740f86f50f320e71f992cb7804af30e88d0627c0dea831926f60129bf8ca8137b2012140bed22edefb33a1c84e904f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2c43c077cacae2bcb9a9497f95b9f46b

SHA1
f8e52255e3ed0c064f9614e260d5de6c61b785cf

SHA256
6dd9379236e432876872e4bcec3bad0ff81fc8cca5a8801addcf64fea3380a97

SHA512
b02cf50d2a1ed8876511e9420ca17f525a9e31bfeb8038f665c5cbcb9d7c6a4d7801cd5a04321bc93ba1ee5d61d564b0ab903f126eadff90bf5f895b89639db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
782cc30e5175642847ff8b566b5b6530

SHA1
d18f67ce53df5b9a9bb8adbb383c940104f5d033

SHA256
26358a66a23d35db165dd0ae8f8c1f86c423b2e7785610f03d2a58cc80509498

SHA512
e7735f1730fa3b73e23d900841b8dec34f639130d41a9ca4823968a9842f4f0fa55636e179df2cf6027383e2d380ad90dec19d58b08a8b004ef9b66916d7082c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
934be6c951ee11de3053d730cc01fbc9

SHA1
6169b11218f56df7776e4ee67dac85d90946e589

SHA256
6b92b3ece89578145d164ebb737fabfdf016bda7896907256760a91869f9312c

SHA512
27892b36535b6662ff1a8c55954bd9bbc547995c9a57ba3c3a5d139a4bde0478b3e99a4a94979917372c411d85f82302ef079e10edd4711e376453da1ffd3bad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c347e10813ff316e3be1288bc5fa558e

SHA1
9425b70ef38f75502d573abee9870a82e1d5841f

SHA256
7fa6d2219a60bd4bd2fb07077870f95044820bd792e887500722ebd67bb60ab9

SHA512
3086622b3bdaf7aa73189ca19f78a04b04ccf1889ea90f3c2ddae871435bb97e31cf985c64a3c7c2b8a2b8fa83c236d5545b31c6a9d3c6b84ae453fe9b762205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
df19bde7c83b492d7d8591a603ad6864

SHA1
46522eca58ba4b2433158cce30c96514d5817130

SHA256
03ad8e78651b7ccfea42b7610abcaf78acf0a936da4dc73d4b44785a09376e8d

SHA512
956e7112862b09f0f1ceacfa9b633816d75809b314c7409be45ff1eda6bc563544474787146869c249b78d7a305fafac3b84eaadcafcea8ef31e720857ef6bcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
71457796a6b1300d9897363b9a3d217a

SHA1
83230270ed1dc84d59370b8058f81f535aefe8f2

SHA256
76e8ef14a3986f91e7e76d1772ae71823a53a21bc8ff8f092eb573722bb7953e

SHA512
6c53688a7119ac72dc52ef7127366df9a52041c24d51113293c3030e1482e2275b6c00e82a9a26d368734f201eefcf0177c5938f704aace4f858519c5eb0056b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e127c3871b9cbe41103d209f2bf3bf49

SHA1
3b011c8ab84cfbca4f9041865e9569eeeb9eb03f

SHA256
6dd95b98173f4e62f634f777deaad6ee23729664d9ae7845fc20353674dbb2a9

SHA512
e278b615edfc29a5e37e338aac32936ba4bf3c0743b5aab2a42c7c399ff7695197961be6cbf7537427fbba4f4651051841b17e616b5372847bcbb793cae83880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592fd0.TMP

Filesize
204B

MD5
eb1348afef191c5ea7b962294e05f835

SHA1
6f7d5e8fe903896b991ce43646518493bf2d259c

SHA256
09e65861b4aa96f37c8bff435730063af419cecbe3ea1e65dde497d530158cd1

SHA512
5e35594e40de5ee1a9c4cf94ef2a4f2e287bf3213ffe3ff02a4cff90a076fc8e8aa2fd379988f4011620dc1a4bf6ec0a65ff1b506c6339540ed6ac35611e4286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
46a739b0db19a7783d27cb9167110a7c

SHA1
0c5468abf2eeb4b037d9e014eafb7364a15e1634

SHA256
0f5c3c1a836242fc7f2c5567c5681628f3a89a3fe464c7cbda48a03d8a361862

SHA512
59f422614e9f21ca201ccb07a8d9ba33007ab94c138173914f8a87a012f436c948a9269623227f13a02ae01b01174e8a8de173f56f03328060586e992f8edd6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4ea13c4d4f6102e642aeda6853649380

SHA1
aa159c145a9cf0c5174711ef9cb7f1ae51a231e4

SHA256
1573e44350d7c258094d4d9931512907eb1fbcb4c9982da266c1bfb5199bdde2

SHA512
d1ba9dffbe8bdf8fc1aec0fb16c62f9399eba56712d0e10a31bfa584c7549995d705c2de5244176fe114559f5029d1ecb20f74349cd725d71e644598ba29c28c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
83ac72e3bebc31f050d63b13cc763fe3

SHA1
df438d57cf7e1896aaf7c86c4a32f844a9c10d56

SHA256
25bab51a4934f1bda648b33410f6d7ed23613136840d712c6eec969da16eab0b

SHA512
0ed052b8f9fc754461a45cf78e69bf183ee790146b624f864c6def04431b8b63b37e41343e067316458e8a797ca3edccb9294dbcc08c084507a2ac1c73eff688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
50c09f2694e2b571c60486cfdfd372e9

SHA1
0953b665ee3eba86cec45fdb81124148bcfbbaa1

SHA256
31f766c92ddc5473412316d09d7bea0297392e33f2acdeec7f53d1a4b7f690b2

SHA512
ddd3a0e8032547cb835e831b9f4d7259d5211d72b2ecb724b4fb7c91db35995e2488d8e60500a76a6fc47e789145cfa60452891835e9289c1e0fa35a0956be27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\icon.ico

Filesize
361KB

MD5
a4b9662cf3b6ea6626f6081c0d8c13f3

SHA1
946501d358e5e3b10223431e474607e0eb248796

SHA256
84a1c2713642090523f05d9fb015c537fd210d3200cadaf442bb67cf1834b356

SHA512
4e94dcf9200bfd6d685f93acaa0bd93d49bb0fe2229f3105e22b8893e0d530ad15e8dce5be6db1c1db393fcc169defc43f12e35308be30b054631487d16cbf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 48645.crdownload

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
memory/4576-890-0x000000000D060000-0x000000000D070000-memory.dmp

Filesize
64KB

Download
memory/4576-885-0x000000000CCA0000-0x000000000CCB0000-memory.dmp

Filesize
64KB

Download
memory/4576-851-0x00000000068F0000-0x0000000006E96000-memory.dmp

Filesize
5.6MB

Download
memory/4576-889-0x000000000CCA0000-0x000000000CCB0000-memory.dmp

Filesize
64KB

Download
memory/4576-883-0x000000000CCA0000-0x000000000CCB0000-memory.dmp

Filesize
64KB

Download
memory/4576-879-0x0000000009890000-0x000000000989E000-memory.dmp

Filesize
56KB

Download
memory/4576-888-0x000000000CCA0000-0x000000000CCB0000-memory.dmp

Filesize
64KB

Download
memory/4576-886-0x000000000D060000-0x000000000D070000-memory.dmp

Filesize
64KB

Download
memory/4576-887-0x000000000D060000-0x000000000D070000-memory.dmp

Filesize
64KB

Download
memory/4576-884-0x000000000CCA0000-0x000000000CCB0000-memory.dmp

Filesize
64KB

Download
memory/4576-882-0x000000000CCA0000-0x000000000CCB0000-memory.dmp

Filesize
64KB

Download
memory/4576-878-0x00000000098C0000-0x00000000098F8000-memory.dmp

Filesize
224KB

Download
memory/4576-850-0x0000000000670000-0x0000000000D1E000-memory.dmp

Filesize
6.7MB

Download