elysiumstealer | a3bf251467b84ebd22359e7b2c8b0d9c50fcbc035445116d596e063281872e1e

Analysis

max time kernel
1757s
max time network
1710s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2023 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VenomClient.exe
Size

3.7MB
MD5

98192e2673ebbe334213a30bde1beca7
SHA1

f1b9635b1b9f1c9b4b3e5410c20c434fc0547d16
SHA256

a3bf251467b84ebd22359e7b2c8b0d9c50fcbc035445116d596e063281872e1e
SHA512

46275356fead66f57e3c79a460546e05d515a353e7c61ea0a505990d916620320fd7a320e28f140b6a8faa94b40e2db195556f899bdaba1a891112057bb6fa98
SSDEEP

98304:abXkOKCq3dUAcvDPyK1N+HH1mAPMHE+mcgzzKIXlX+JSQuYHuOjwaWfDjxExnDYO:a7kOKCq3dUAy1NuPMk+mcgzpVX+JSQuJ

Score

10^/10

elysiumstealer stealer

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer Support DLL 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll	elysiumstealer_dll
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll	elysiumstealer_dll
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll	elysiumstealer_dll
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll	elysiumstealer_dll

Loads dropped DLL 6 IoCs

Processes:

VenomClient.exeVenomClient.exeExtremeDumper.exeExtremeDumper-x86.exeVenomClient.exe

pid process

1288 VenomClient.exe
3644 VenomClient.exe
2908 ExtremeDumper.exe
4216 ExtremeDumper-x86.exe
1744 VenomClient.exe
1744 VenomClient.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1288	VenomClient.exe
3644	VenomClient.exe
2908	ExtremeDumper.exe
4216	ExtremeDumper-x86.exe
1744	VenomClient.exe
1744	VenomClient.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\8f48b74a-73b9-4cbc-a2bd-dfff15032b65.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230316232643.pma	setup.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2324 1288 WerFault.exe VenomClient.exe
3704 3644 WerFault.exe VenomClient.exe
3304 1744 WerFault.exe VenomClient.exe

pid	pid_target	process	target process
2324	1288	WerFault.exe	VenomClient.exe
3704	3644	WerFault.exe	VenomClient.exe
3304	1744	WerFault.exe	VenomClient.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

Processes:

ExtremeDumper-x86.exemsedge.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "8"	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0 = 78003100000000005456e2951100557365727300640009000400efbe874f7748705651bb2e000000c70500000000010000000000000000003a0000000000e04c4e0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ExtremeDumper-x86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ExtremeDumper-x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\NodeSlot = "11"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\MRUListEx = ffffffff	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	ExtremeDumper-x86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ExtremeDumper-x86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "10"	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\NodeSlot = "12"	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0 = 50003100000000005456d59e100041646d696e003c0009000400efbe5456e295705651bb2e00000084e1010000000100000000000000000000000000000000127e00410064006d0069006e00000014000000	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\MRUListEx = ffffffff	ExtremeDumper-x86.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic"	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	ExtremeDumper-x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg	ExtremeDumper-x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	ExtremeDumper-x86.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	ExtremeDumper-x86.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeExtremeDumper.exeExtremeDumper-x86.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1748	msedge.exe
1748	msedge.exe
4400	msedge.exe
4400	msedge.exe
796	identity_helper.exe
796	identity_helper.exe
5440	msedge.exe
5440	msedge.exe
2908	ExtremeDumper.exe
2908	ExtremeDumper.exe
4216	ExtremeDumper-x86.exe
4216	ExtremeDumper-x86.exe
6056	msedge.exe
6056	msedge.exe
5788	msedge.exe
5788	msedge.exe
2336	identity_helper.exe
2336	identity_helper.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe
5892	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

ExtremeDumper.exeExtremeDumper-x86.exe

pid process

2908 ExtremeDumper.exe
4216 ExtremeDumper-x86.exe

pid	process
2908	ExtremeDumper.exe
4216	ExtremeDumper-x86.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 5400 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 5400 AUDIODG.EXE

description	pid	process
Token: 33	5400	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5400	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

msedge.exe

pid process

5788 msedge.exe
5788 msedge.exe

pid	process
5788	msedge.exe
5788	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

ExtremeDumper-x86.exe

pid	process
4216	ExtremeDumper-x86.exe
4216	ExtremeDumper-x86.exe
4216	ExtremeDumper-x86.exe
4216	ExtremeDumper-x86.exe
4216	ExtremeDumper-x86.exe
4216	ExtremeDumper-x86.exe
4216	ExtremeDumper-x86.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4400 wrote to memory of 1140	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1140	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 4540	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1748	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1748	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe
PID 4400 wrote to memory of 1624	4400	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\VenomClient.exe
"C:\Users\Admin\AppData\Local\Temp\VenomClient.exe"
1⤵
- Loads dropped DLL
PID:1288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 1084
  2⤵
  - Program crash
  PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff986dc46f8,0x7ff986dc4708,0x7ff986dc4718
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:340
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7ee505460,0x7ff7ee505470,0x7ff7ee505480
    3⤵
    PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,16550715327641917450,11449872179288183740,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3832 /prefetch:8
  2⤵
  PID:5392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1288 -ip 1288
1⤵
PID:396

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x484 0x3fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\VenomClient.exe
"C:\Users\Admin\AppData\Local\Temp\VenomClient.exe"
1⤵
- Loads dropped DLL
PID:3644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1056
  2⤵
  - Program crash
  PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3644 -ip 3644
1⤵
PID:5216

C:\Users\Admin\Downloads\ExtremeDumper\ExtremeDumper.exe
"C:\Users\Admin\Downloads\ExtremeDumper\ExtremeDumper.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2908
- C:\Users\Admin\AppData\Local\Temp\VenomClient.exe
  "C:\Users\Admin\AppData\Local\Temp\VenomClient.exe"
  2⤵
  PID:1772

C:\Users\Admin\Downloads\ExtremeDumper\ExtremeDumper-x86.exe
"C:\Users\Admin\Downloads\ExtremeDumper\ExtremeDumper-x86.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4216
- C:\Users\Admin\AppData\Local\Temp\VenomClient.exe
  "C:\Users\Admin\AppData\Local\Temp\VenomClient.exe"
  2⤵
  - Loads dropped DLL
  PID:1744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1132
    3⤵
    - Program crash
    PID:3304

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1744 -ip 1744
1⤵
PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff986dc46f8,0x7ff986dc4708,0x7ff986dc4718
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2988 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,8365540637008005045,4209033203535586897,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aaeb1f5e097ab38083674077b84b8ed6

SHA1
7d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2

SHA256
1654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef

SHA512
130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1db53baf44edd6b1bc2b7576e2f01e12

SHA1
e35739fa87978775dcb3d8df5c8d2063631fa8df

SHA256
0d73ba3eea4c552ce3ffa767e4cd5fff4e459e543756987ab5d55f1e6d963f48

SHA512
84f544858803ac14bac962d2df1dbc7ed6e1134ecf16d242d7ee7316648b56b5bc095241363837bf0bf0afd16ca7deebe7afb7d40057604acbf09821fd5a9912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28d9715d8005616a585fc23e5704949

SHA1
94d5f2220be1d0bcfd784d1f68ede7f92dfd0885

SHA256
6f97b6e419bd4b021c8cc3e4bf297f5453730243341b5457b5b11bbd96825057

SHA512
d956989edebdda2bce25a8bf58b5e5286c7a2505fa55a0ad66bf0451529fad4d4e843108497a81df7d0eab218572eebc9f139546375a1ecc60f8473713a8be46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28d9715d8005616a585fc23e5704949

SHA1
94d5f2220be1d0bcfd784d1f68ede7f92dfd0885

SHA256
6f97b6e419bd4b021c8cc3e4bf297f5453730243341b5457b5b11bbd96825057

SHA512
d956989edebdda2bce25a8bf58b5e5286c7a2505fa55a0ad66bf0451529fad4d4e843108497a81df7d0eab218572eebc9f139546375a1ecc60f8473713a8be46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
825165d7d840b1d956491fe9adc04284

SHA1
e0dadc69a911e8ed4f8650fbe414729b77129637

SHA256
528c97a15072486f4aacafbff3545cf6b9cb117030d3d459e85746b188df78ea

SHA512
6ad1af3ab82ef4b77d6d85ade13b204eb0b9f605a0f013cace53457ccaf3ffa11c871e65c8ef31ce9d51d94ebfc5a81d25ff74c8731f7e4901e6221a83434c78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\58124877-1c1e-4942-b73d-ca826c50174a.tmp

Filesize
5KB

MD5
7ccd16eda6ec50a3582275862bacb402

SHA1
a1d9f564a1b7292f877c29facf27b652a6c68d14

SHA256
f961fc878aea6df134259f192f163ff8eeca2028cb53af017d910804cdf2641c

SHA512
92c94be6aeb34deb08dcd18e9aa47dc0cbef59b4b5160e8dbbc2a922d4cf6359d201b428e9f2bf1236b057f4977885887a440a3bf19411b823de62df7b3ba063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bf3f0040a7e0fc46d057466ca875d0fd

SHA1
155cc7683c24ecc9b37ca243e3299328ecad568a

SHA256
0537d77d55907927d498f126ebcba9a6c10b94984efcf6a50b16378a406dc19c

SHA512
2c16a0a8e06ce3e9429877b4faae748869ba39cac9ae0078a034a5e1e314191940a41a3c17cdaa5b039c791f2af8a6e4f6422ad71fe97db6f1dcb31a56cc24f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bf3f0040a7e0fc46d057466ca875d0fd

SHA1
155cc7683c24ecc9b37ca243e3299328ecad568a

SHA256
0537d77d55907927d498f126ebcba9a6c10b94984efcf6a50b16378a406dc19c

SHA512
2c16a0a8e06ce3e9429877b4faae748869ba39cac9ae0078a034a5e1e314191940a41a3c17cdaa5b039c791f2af8a6e4f6422ad71fe97db6f1dcb31a56cc24f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
57e95f145be13aa771236e17f6977511

SHA1
5250a1e15032603f09a168254b051082462429fe

SHA256
7d12d800c9c5c0c2837c87f976a84fc1cece3147a7a77bb09f9e8af7e32f8703

SHA512
afbc334a5556326284a786f287576ce0195a48caffa7a8111482f21a32613e18bcb88cdab65bb6a6ddccd3def20dc03969752730c64a20fbd55616502bb783ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe56e12d.TMP

Filesize
48B

MD5
16f45db5e980d787250551381a9efe21

SHA1
b567fe4e708061cb4a10c986625cef26193382c2

SHA256
72e0625724f84e6d2e86bd16f32fedd219867e21a0818e9673a9769bc040c0ac

SHA512
251adb572d4d0fd66104bd1268ab31e1de99bd834d050d4237b389fb480da1995d4cfe223f1d05215ebe0a96467f71dcb05c92f01ce2978519eaa2126da72a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
55b557554d73713921f7f7b4f4cab963

SHA1
1f7ab6194035dca65b9454fcae8783ab46d2a9b0

SHA256
19fb29a051096b81925e7e9e861fb0d37977d1979cd4105b3e06ae2d323ef486

SHA512
e21933e1197bf3d31ba4d9734db3382b5d1dbf7aba223efe92fb88c582fa026d9bc28f5aca3fb4da80b13070ea056fb6e2f7905bb243c235029a1e8647b0c138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
9b30d4b2718ded913eb45c567ea53490

SHA1
77ffea919c7869de38001ebec275f7d6e576225f

SHA256
88b797ad810ceaa4177352d77fbdbf54309664e9acb1fa67a8b026763d4acfe4

SHA512
9e9d4d1601fbd3ba8c511f4bfb09e65c0ef664f7c61173f0d7c462ad9dba18daa25b59b72a91e2cbacb96931d70d7e702605cdfa5d51b79230b3427fefaed52d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
17779f0b68536f2a5cb2c00b0da5e212

SHA1
9a0c6f83ac4737dcaf6fb2f61e94e7b99960ae5a

SHA256
6ef0504f0bba4ae05a915bc03934ffde155c8df7542f3c0116e29732760e6c65

SHA512
7175af10a1a0c777f0f1d5d86de7bd7bf7f774f54870560feffb7737b4a9a058fb637057685783bdb40edff2c792c77c6419d61ee8472c70854414ab5f0bbc2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
8ae76c428ac9eed4f94308413c6870a3

SHA1
119ef7c7972c14f9f2fe1e653cb415e969b55c73

SHA256
84d7fb6b3b3b84e19d21093afd60751ed4cf4524a6b3431c422921b17ec1d665

SHA512
7d95e47508a01f48ccd69bc5cd0f3c5ec35cf7271cd09e7e9d691ab71878ad3945184bda83f73106eb045d0fb04f70e7deaed6ff7731816e240b524eda6d1328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
3KB

MD5
3b8e822d0b343d5b1342adbee0da6ce5

SHA1
6164bc56510ea7f234c5c811b0ef8c0ac7b19c27

SHA256
2c5edee8e14ed86c3e529fd5d111150eb2290b92076972db96b825eb4f910d47

SHA512
244f815ecb82dfddcef8027f6e76d263279bb4f794a07f42215581d152611264d19dac8cd850727554bf7029a23f404f86b684d010cc0c76d137855757b864e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
8KB

MD5
82abe0aefbb80e06ae11e563c769643f

SHA1
38348bcf5330c219ac50d92bcb0ce0c3ab2c78ae

SHA256
5345d0e54547ac532dbb15d7e0acaf2e15927cc05831f8346e7dbf5dd8a4954b

SHA512
effe20c995c1e3a8394cf40ecf73b0f18220d889f79902129e2a2e0fe94ac5f7d0987cecee14711abf8ffa1c84a51129b9d48544ddffe416d5f007f098447566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
5b12591da612cabe0044c35dc5721c05

SHA1
dc1bfa8ee24f03235bcdff3bcad357ffb10f0d2e

SHA256
89302fca22e5c7502ccd596acf0c2700495742980bbe0de4916edcc9a2ad1f92

SHA512
b9ee7c0dd43723fc1cff4412dfa238fa4f6ac8ff9953c95445bc5638c24477d5971e18714badb5a4f3aa4b058d79d472c07b8a8434e5c919dc9e46e5a9409c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
f82d676121371e0f2955f07879aa6800

SHA1
0edbbe9a70c49be69516be4eec27249f67489762

SHA256
6e73794c85ec23f31e512edd585f0d95b477ab9712143e9ad5171cc283e91e38

SHA512
a3d935d63dabe909fe8d714e27eb5298be05b377816ec986a7d2ead07ee78b8b77d2840d3ad5ba6d8952a70a519acb22b2aea695b3349f145b9778de4d5055d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
703B

MD5
45aafa455fcbef5aac69d5c32f1ada6d

SHA1
5c1b3cc569f1b4ff5621f168e8bd1eab9efc08c7

SHA256
04384d6b9f9b721781e6a8ac036f0d928b89b61d563e07e00710ab05d09ce02a

SHA512
15cfee38128b6e016ee101717ce27f8005413dbeed8cf9af161fc8d3bdfb5e1f95611ff64febec38f7a5a9dc145fddd19cefc36b632f4f23d7bc7d486c34dff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
df3c426de9f44c469a9c4bc3788016a4

SHA1
d9e73576ea06ec1980ecc922fe1a7b04ff76d258

SHA256
848daf5498d29c7cb0ea342a95276d0e72f093e0169395ba89de7d524012b01f

SHA512
d86a1a90420e3d197bd67fa6054f53bde4b7804e127181645d9cb347429a1dc7f764068a0cf94ddfc14e7cd77a0f71c4b4cc29146e68e882b5c84e1bc32e14ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d0cd8168881a24042703109b263ef5a

SHA1
cc3059783cde33d0601615c0160bdfa747db7b67

SHA256
2e2471ff1c556e460bc39742331e1fd3bc4cd873cdd6d6f6ca7c9115551aaf0a

SHA512
882b5813df2fbe9ef4390f8f03bdd263b4f2728b874eb8eb2858afc0db38e20568d1e888e8596917e755cb8adad9725e984d07d361057b831782ff7707635ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
021a4529a5dd4cc0f05d8eb3455d93b4

SHA1
12e8eb26409141bd89e8bba162838dc6becce030

SHA256
f64730ab0eb97e395227e3242d94f84940df1eb8bb6d75e3842227bfa3a95b49

SHA512
cd1ca904b595298d22fe8ee0b5bfbd1ede33dd2601dc812f5b5d1c13e32794ae6a9c58129222634f92197d14b2976b3999bc977059144d6cfea42b1c833b1579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
88a89d53e7b0879412cc5fc2d9a7357c

SHA1
6529ae89ecdccdae7d62ee7acf94eced4e770ee3

SHA256
46769f36e2451b76ce93bef9863877be7a81483fb82ec405a5272d7c79b6fb4b

SHA512
ef1b45c8dbf8cf2cfc9c045d8e64eb931694c82d9be28d33ca9dd63ed335bfcfcdf01a14a82d892facc68e9c2cfbee0d0a360e08eaf7ff58c5aa5012eb17724c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a108a765e0b4f4ca7f4084afd8c9f09b

SHA1
57f5dd312b01dc2b712d9358f000c112ae12b825

SHA256
b20db1fafe6057758717625a92a60453764b70d5fdf841daaf02a52ed94e1586

SHA512
ad374cc24278ff5905a7361b557056de7d8986716e512b6474febf28fb37ffcf0005c2f0e658d0fe22e19746c2281c57b41c68e5e340935737ed93989fa6981d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
236e76ecf093aed98776816acdd00eca

SHA1
07e2759c4a07ffb4d638ad2773421f28d7603733

SHA256
d09cd62f8cd755e82a251fe3c637f49cea29fcf0642b043b996c42bd36fc1264

SHA512
84cae786668b108cf56e2295db8fbc35e31c0b24ce206ffbe3fc9c8a7453a25a11827f52cdacbd1837014cc9c3df6264316ab1222f631c6ceae2df5c1f51fb40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7535129299d5f2d85ab0c757cbf54364

SHA1
cf8f0d641f078c8019a953b83b0253c555f4946e

SHA256
b4c962dab49631bc1accf1e35ccef6c943f499193342a9569ba21e0e11f1572a

SHA512
e8987a5698b63a3fd2795ceb50e996f6478f3e591cb7995c3e93ff838e458175c0d05443b0797c22a3f5aadcae5890f883949cda358be9e5fd4affae339c76c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7535129299d5f2d85ab0c757cbf54364

SHA1
cf8f0d641f078c8019a953b83b0253c555f4946e

SHA256
b4c962dab49631bc1accf1e35ccef6c943f499193342a9569ba21e0e11f1572a

SHA512
e8987a5698b63a3fd2795ceb50e996f6478f3e591cb7995c3e93ff838e458175c0d05443b0797c22a3f5aadcae5890f883949cda358be9e5fd4affae339c76c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b3a2524f73b869b2a06334d76e2ac7a2

SHA1
71136ffd8347c13eb1a6bbe0438134bee380d063

SHA256
ffd481bda0f1b58618a624d2c11e0b3e5ccb88d55202f5a81ba794debb1c71cc

SHA512
f3dcf2365b3629944137f69e08e4618a1db59dece1e237c56a198825d784580742438987dc8e12da52d2ac1f0d3548fefe27d8e9bee91c16099fd0e5d2a9eeb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
47e94a96372e6f095b8a3fd7edc48ec0

SHA1
377b68f34e5964ca8be1b1b0c1507dd7f0e5f005

SHA256
15c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e

SHA512
5bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13323482812751255

Filesize
11KB

MD5
e7e7f8e4f725eaadf094ee0356cea61c

SHA1
454ea537314e9426cc0c37ee58bd81efa2bbe03d

SHA256
52f986cc307a99161b103b86632ff0f393ed79e9a59bdb94f5bc779424369cd2

SHA512
06fa969f3d5738cc6595769b175586502d818922c11c83f5697936b74cf388a11f4e67f78d25674d7e16be66e4bca8c8f913923e0830d93e79577654e81f37ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
b9b16fdb188f9d546199bfd6be6a6462

SHA1
141062468bbe1db47cc35b0738003d666eac7731

SHA256
cb52c48e442fea11b1debecf8611a664cf6a9c9ab5764d165ae8be93940087dd

SHA512
d80493798ed4dc592891d80eab0c8e0ce33ac7402793078ac3848edc81e1cf603a971265310d6e2609ef5baa105812c73039df82b72dd3b9afcaa3d5746a10ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
9ae0829b765d2b56756e11c16d3eb1ad

SHA1
7f5474d92e0beaae7d6fcb61a1f3b35e9e6dd3f6

SHA256
a7e2e762ae2abc6f8d34a317df5f05d868a77046e58277b80999885424ce7213

SHA512
3c69749bfd8620e9de62e62508c4ca1d67264f6d80420cd22e26726459fe3889f3cc536da2a89ccb8ba7763e694390c95ee69c28b05e4f446b668f5ec811d5c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
197c1a52a2e7e41cc124fa4831df798a

SHA1
04ac8f0354c7ed3f8219849616121b3f73f79af5

SHA256
416942d0e12abb3b2dc688bd7a02d5242c366fbeadfd03d88ba5bfeb023630ef

SHA512
08f79aa63eeeafc6d21b21dcecee44885ee23c7776f6fc03971aa983d628bd35529e11dc3525743fe7bedfcdab80cad37d16ac7e4975a3d53c21badb24c7fc77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9966ace27c55b68733bbc5356f265c2a

SHA1
1a5be7072876f1c80536c3a922e0ef7b03f3f91a

SHA256
8f446ded6c59e5dbf63d6d7500dda1c52ef628449a703d9741acb6e20af4a09e

SHA512
8bdc350b7bc9fa5471cefb1d38b04f35852909bf298af57e4080631233a12c1b46dc9c5d8b8bd6aa00edf041acc30f2a0d37dcc12efc04bb7857b3fd76a6550d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
38a8a48f277d49b97a49313a17d20d41

SHA1
f0e10f2f24ddb77c07d9ce2ba695dbda6ce2cbf1

SHA256
697869e841498e915eb4801713db6d60812fb514ad86154ded14995a7630bd44

SHA512
4e3f5170a7e4621d6076ba0f54f629d2bf1872788a98ef3cc842a350f28df8a97998c0b52618d623d10715f924c807d8091e42232664da33cced2afe3354034c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
02bb816582ef5f33a44ce6c203a9ff85

SHA1
0df747230c85496e86bc6452d9388bfffb3358f0

SHA256
8455ea3ef5dac12cf9a78da52048f103a73a2d7b980632320c5be40b4bc5b85b

SHA512
7d38deb67df7ad3a8731048ad2c52f6b1acabe09b48b5e16f22a0787ff1d630c0c617832416650a3e4c2657c025af7f97658742a8eaa2581f3024c8882434dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e489b82b-bcc2-4311-a79f-de1e33e4fcb6.tmp

Filesize
2KB

MD5
2b3376af44b2c01b08495b79509714ec

SHA1
fb966acb73a7367cae31a189de01d2db5ec808e7

SHA256
41e637e88f6adf71bb8f3d2c82b7fd7173d53f4005ecaeb545a13e3b0226730b

SHA512
acd76b6ee3c7e4b707c6055f9c7eaab4d44ede6dd1d0009fc9322a0ffc6afce28259863b3324ed579a6d7a3617e9dae490a8ab6450830e20dd5f5b252f155d30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
52KB

MD5
44ffd6a26421bc9345af47b2c48906ff

SHA1
5a972bac730006182b99296566a4e4a768964e02

SHA256
6b90ae7a9c1fd0927502fdf6954b7840399d607e29ab6456ab63bb421baf97c7

SHA512
6395af0e6d618b5dcbe11c24b81ebf51c68dd4901f2bb02435b014f24c0a2f3afc6d75fbff37b6d77fa1226cf8a1fa897355334d637471cbf047bfc07aac3a2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
531B

MD5
ab863439c9f8478dc396057d885ed26a

SHA1
233de80912615fe2b317c6c52dc3191ec3fdac81

SHA256
e2b716ab6087cf49da5c527eedb651d5091cdb5bee86c346e66f49af8a171531

SHA512
10b7154fdb9d75103e73e72be18d00b8a9127a2e7d9d67460711ecb5e812632dca95bab205080e8b2e17860d8480b1f269b96192d9410060c1264234cf2e1c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
297B

MD5
15d3b51293cbe20e099ffe9f3a77f2ae

SHA1
5b9c2cf3ee2ae84d5726e7c032224ac14a1ba057

SHA256
fe4c9ab4cf5594746978bb0901463d0aa85a8d35e8f7905f1b783ca38816e48b

SHA512
91a3bf747ace75f854126b79a5839c34580103b8711c13490814615405c64ada74757447edcb9e5b335d09a99b8a5afbf8c9ef72d9ae38a54567b109cb1512c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ce930560548084e0107f62b4a10ac006

SHA1
147ece15c6456ef66996005e6683fe3a22ca919b

SHA256
7296c53e886df1c0e108fd75cb8581740929a774656463f243de0ddbaa752166

SHA512
4961174ba20ddcc40e137afbc29a2e128f26f856cad8acd94edad84d62df1bb495f1e6e25c1f871d2e2ea7e3618c25e4242d9206a2228e716e0429e8137827d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
10c44a94af3993bb9e490d573180f471

SHA1
a8d063ee011a1b1374cca6f09c10c970bc91f655

SHA256
2b6e4e8ea90c9be224c5950becab46447689246ae669e2f46c28d098f6c32f98

SHA512
9f16697167570adac0fc96896ed0f223be65c5ea7883af6676a89ca55db328b20c8b4aefe066e09559952dd830e5aa71fc3d994568a53cce9fe9821e003f34ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
514ca6f1a0077a017d4f9b542e825b02

SHA1
3cfde44e8cceaea88d646c7b075df34125b0efc5

SHA256
d0bfeab2014cc9ea62328a1033ef59dc9ab9eba0d11ee248d612c9582615c28d

SHA512
ab5c0962b735aaa8439a5dbb273cc7b8484071eb1d75ea34bad00df8dd3ad96bee97291ee6e30ba27d0343d516ecd974b28302e1e075df8f2d680c63067d24a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0f864e63f43175d3fa44d596f9e8d9e1

SHA1
af92bde7028bf71ad4de9ec78a8284cc8c7844e0

SHA256
6b224bdf9b8fc802b804043b9535c059840be1c22dcffeb540ab7d094ba880ab

SHA512
77e723ce1517c5ad78f5307e36b4fffd3b5110a8b4eea93da5f69ae57ec1830f4d59f37a1be47596c014ef53c0b0ba7f232122c4553ea0a0f08c48860fea6d34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0f864e63f43175d3fa44d596f9e8d9e1

SHA1
af92bde7028bf71ad4de9ec78a8284cc8c7844e0

SHA256
6b224bdf9b8fc802b804043b9535c059840be1c22dcffeb540ab7d094ba880ab

SHA512
77e723ce1517c5ad78f5307e36b4fffd3b5110a8b4eea93da5f69ae57ec1830f4d59f37a1be47596c014ef53c0b0ba7f232122c4553ea0a0f08c48860fea6d34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
205f5156fe99188582567591b5f5e00c

SHA1
3109415fb7fd2905b60627ce0c7b7922dad3cc5e

SHA256
66cb6af387cc13b5a30c27fdb6a89d4d3ce13e1c32ca2fe08f63360516a6c62e

SHA512
48604f576cb2f5a9d93dec266951721971881d2d14801bd7a5dec24902e4e1f149fda60aee0c4a70239f866df8a5ce2b273aa0311213e085b94cff08e6bf4637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\32\extremedumper.loaderhook.dll

Filesize
165KB

MD5
666bb02763fe5ceb4fff36db4d5cefad

SHA1
674045a63f4e7bec9312043a77e0f47b7009acb7

SHA256
8b8c972255f75488d0b562df4df6a281d52911e39ceeb43e05801b4658ff358d

SHA512
484acddf07c4e5cca74cb728da4b34cfaa8df2b68f04880dfdef70ec708bc687976702a18703a814aa812f6e1312a45e7ee7ee7ec51dc365268208afb20f9127

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\32\extremedumper.loaderhook.dll

Filesize
165KB

MD5
666bb02763fe5ceb4fff36db4d5cefad

SHA1
674045a63f4e7bec9312043a77e0f47b7009acb7

SHA256
8b8c972255f75488d0b562df4df6a281d52911e39ceeb43e05801b4658ff358d

SHA512
484acddf07c4e5cca74cb728da4b34cfaa8df2b68f04880dfdef70ec708bc687976702a18703a814aa812f6e1312a45e7ee7ee7ec51dc365268208afb20f9127

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\32\extremedumper.loaderhook.dll

Filesize
165KB

MD5
666bb02763fe5ceb4fff36db4d5cefad

SHA1
674045a63f4e7bec9312043a77e0f47b7009acb7

SHA256
8b8c972255f75488d0b562df4df6a281d52911e39ceeb43e05801b4658ff358d

SHA512
484acddf07c4e5cca74cb728da4b34cfaa8df2b68f04880dfdef70ec708bc687976702a18703a814aa812f6e1312a45e7ee7ee7ec51dc365268208afb20f9127

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\64\extremedumper.loaderhook.dll

Filesize
211KB

MD5
2e40ed16499ba8ff681b9bfe8263cef8

SHA1
f89f7d11dc028bb3fa1437b0d0de1affec35f8a1

SHA256
3577492fff8cd1dfdfae86f74e3d77a1aa672b49d18838355ce2a5bf86363f47

SHA512
2f47d4a9f7ec6a7f7eaf605e571c85ba16b4421df9a15c801502af6488287f9ed6c5e7f3c2b29ae2b4f6169252d9ac9a7b91bc666557fa1501347b7de36493a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll

Filesize
40KB

MD5
94173de2e35aa8d621fc1c4f54b2a082

SHA1
fbb2266ee47f88462560f0370edb329554cd5869

SHA256
7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

SHA512
cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll

Filesize
40KB

MD5
94173de2e35aa8d621fc1c4f54b2a082

SHA1
fbb2266ee47f88462560f0370edb329554cd5869

SHA256
7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

SHA512
cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll

Filesize
40KB

MD5
94173de2e35aa8d621fc1c4f54b2a082

SHA1
fbb2266ee47f88462560f0370edb329554cd5869

SHA256
7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

SHA512
cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll

Filesize
40KB

MD5
94173de2e35aa8d621fc1c4f54b2a082

SHA1
fbb2266ee47f88462560f0370edb329554cd5869

SHA256
7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

SHA512
cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7fd9224e33854a1d8e5758d7b6fe22d9

SHA1
2b4e8239b2a3fb143ea81a51c6433d6c208cada1

SHA256
a1453bb0d0b930db21911f95adac884d4935b754df6c2f94a0eac59f763a3f3f

SHA512
1fb09a663c73a1ee012798080d0030de855872645125cdb8567ca1498367ed31a120daadb93d94b4fb73e7c3bda063d8fef43b3cbd2dfa3f9ce1b048fb51fadd

Download Submit
C:\Users\Admin\Downloads\ExtremeDumper.zip

Filesize
2.3MB

MD5
5a175dbbdd3ef221fc1cc8cda9988c33

SHA1
5cc3f21a81438d8d24a82e3218541a00e51c6978

SHA256
fbffedf2a9420be03538f04bd80a69e35503f8d8395da76a9ac2518a65e1facc

SHA512
b6cf84830ff72a84d333850b88e981d4e7f7a68334546978169aec992ea7fa13f4a1839039aea2d18a7c8ff9164bf174719184a92ad5567cff048c2fbf2f8367

Download Submit
\??\pipe\LOCAL\crashpad_4400_IODAOAUXEGCCDOXT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_5788_DKANJTIBVHOJEJPI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1288-163-0x0000000005D20000-0x00000000062C4000-memory.dmp

Filesize
5.6MB

Download
memory/1288-164-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/1288-133-0x0000000000790000-0x0000000000B50000-memory.dmp

Filesize
3.8MB

Download
memory/1288-231-0x00000000056E0000-0x00000000056EA000-memory.dmp

Filesize
40KB

Download
memory/1288-135-0x0000000005410000-0x0000000005420000-memory.dmp

Filesize
64KB

Download
memory/1744-681-0x000000006D430000-0x000000006D440000-memory.dmp

Filesize
64KB

Download
memory/1744-682-0x00000000007B0000-0x0000000000B70000-memory.dmp

Filesize
3.8MB

Download
memory/2908-666-0x0000020D830A0000-0x0000020D830B0000-memory.dmp

Filesize
64KB

Download
memory/2908-661-0x0000020D830A0000-0x0000020D830B0000-memory.dmp

Filesize
64KB

Download
memory/2908-662-0x0000020D830A0000-0x0000020D830B0000-memory.dmp

Filesize
64KB

Download
memory/2908-663-0x0000020D830A0000-0x0000020D830B0000-memory.dmp

Filesize
64KB

Download
memory/2908-656-0x0000020D82B40000-0x0000020D82CEE000-memory.dmp

Filesize
1.7MB

Download
memory/2908-664-0x0000020D830A0000-0x0000020D830B0000-memory.dmp

Filesize
64KB

Download
memory/2908-665-0x0000020D830A0000-0x0000020D830B0000-memory.dmp

Filesize
64KB

Download
memory/3644-653-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/4216-668-0x00000000001F0000-0x0000000000336000-memory.dmp

Filesize
1.3MB

Download
memory/4216-669-0x0000000004D60000-0x0000000004F0E000-memory.dmp

Filesize
1.7MB

Download
memory/4216-675-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4216-676-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4216-677-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4216-678-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download