358277139176aff0276849421fd6b8e4f076f8d14dc625e093545cc211c50f0e

Analysis

max time kernel
2009s
max time network
2015s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoDynMethods (2).exe
Size

54KB
MD5

af7271d99debc5bb06693e7b365a0ef5
SHA1

2a46750b1f478db1cf3af2fb5bb2046233a33a65
SHA256

358277139176aff0276849421fd6b8e4f076f8d14dc625e093545cc211c50f0e
SHA512

85df1e617570d1c03dcc479d99bcb7e438f4ba0d07686a41d25ed1926855879a6a00264c96b31fe468b634669c80fb3f05304cf56664ca3867d4cc9a34fd191a
SSDEEP

768:uEi/fJJ40sqd2U+Yu5LrlSGbY7cnLF/Xb/gygS4qGfdlWwzQQBH1mjH:y/fJJ47q5uRrlSGDpXb/gzmwzlZ0

Score

7^/10

agilenet

Malware Config

Signatures

Loads dropped DLL 6 IoCs

Processes:

ExtremeDumper.exeNoDynMethods (2).exeNoDynMethods (2).exeNoDynMethods (2).exeNoDynMethods (2).exeNoDynMethods (2).exe

pid	process
5664	ExtremeDumper.exe
5348	NoDynMethods (2).exe
1356	NoDynMethods (2).exe
1848	NoDynMethods (2).exe
5472	NoDynMethods (2).exe
5300	NoDynMethods (2).exe

Obfuscated with Agile.Net obfuscator 10 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/4296-133-0x00000237AB3D0000-0x00000237AB3E6000-memory.dmp	agile_net
C:\Users\Admin\Downloads\NoDynMethods (2).dump.exe	agile_net
behavioral1/memory/5348-677-0x0000024B35390000-0x0000024B353A6000-memory.dmp	agile_net
behavioral1/memory/1356-681-0x0000014B21110000-0x0000014B21126000-memory.dmp	agile_net
behavioral1/memory/1848-684-0x0000026D66750000-0x0000026D66766000-memory.dmp	agile_net
behavioral1/memory/5472-688-0x0000020B00DE0000-0x0000020B00DF6000-memory.dmp	agile_net
behavioral1/memory/5300-690-0x0000022F61330000-0x0000022F61346000-memory.dmp	agile_net
behavioral1/memory/5856-695-0x000001929CBD0000-0x000001929CBE0000-memory.dmp	agile_net
C:\Users\Admin\Downloads\NoDynMethods (2).dump.exe	agile_net
C:\Users\Admin\Downloads\TestHook.dump.dll	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3154ca4e-f024-4657-bf4c-5849ef666bbe.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230322025742.pma	setup.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1708	5348	WerFault.exe	NoDynMethods (2).exe
3784	1356	WerFault.exe	NoDynMethods (2).exe
1144	1848	WerFault.exe	NoDynMethods (2).exe
5212	5472	WerFault.exe	NoDynMethods (2).exe
4912	5300	WerFault.exe	NoDynMethods (2).exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

Processes:

ExtremeDumper.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\MRUListEx = 00000000ffffffff	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\NodeSlot = "3"	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	ExtremeDumper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "6"	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ExtremeDumper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\NodeSlot = "8"	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "7"	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 = 5000310000000000545679aa10004c6f63616c003c0009000400efbe5456d2a6765623172e000000abe10100000001000000000000000000000000000000234427014c006f00630061006c00000014000000	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	ExtremeDumper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ExtremeDumper.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ExtremeDumper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	ExtremeDumper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	ExtremeDumper.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeExtremeDumper.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4216	msedge.exe
4216	msedge.exe
4300	msedge.exe
4300	msedge.exe
3324	identity_helper.exe
3324	identity_helper.exe
3300	msedge.exe
3300	msedge.exe
5664	ExtremeDumper.exe
5664	ExtremeDumper.exe
5664	ExtremeDumper.exe
5664	ExtremeDumper.exe
5208	msedge.exe
5208	msedge.exe
5700	msedge.exe
5700	msedge.exe
3444	identity_helper.exe
3444	identity_helper.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ExtremeDumper.exe

pid process

5664 ExtremeDumper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

AUDIODG.EXEExtremeDumper.exe7zG.exe7zG.exe

description	pid	process
Token: 33	5172	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5172	AUDIODG.EXE
Token: SeDebugPrivilege	5664	ExtremeDumper.exe
Token: SeRestorePrivilege	2956	7zG.exe
Token: 35	2956	7zG.exe
Token: SeSecurityPrivilege	2956	7zG.exe
Token: SeSecurityPrivilege	2956	7zG.exe
Token: SeRestorePrivilege	2840	7zG.exe
Token: 35	2840	7zG.exe
Token: SeSecurityPrivilege	2840	7zG.exe
Token: SeSecurityPrivilege	2840	7zG.exe

Suspicious use of FindShellTrayWindow 19 IoCs

Processes:

msedge.exeExtremeDumper.exe7zG.exe7zG.exemsedge.exe

pid	process
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
4300	msedge.exe
5664	ExtremeDumper.exe
5664	ExtremeDumper.exe
5664	ExtremeDumper.exe
2956	7zG.exe
2840	7zG.exe
5700	msedge.exe
5700	msedge.exe
5700	msedge.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

msedge.exe

pid process

5700 msedge.exe
5700 msedge.exe

pid	process
5700	msedge.exe
5700	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

ExtremeDumper.exe

pid	process
5664	ExtremeDumper.exe
5664	ExtremeDumper.exe
5664	ExtremeDumper.exe
5664	ExtremeDumper.exe
5664	ExtremeDumper.exe
5664	ExtremeDumper.exe
5664	ExtremeDumper.exe
5664	ExtremeDumper.exe
5664	ExtremeDumper.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4300 wrote to memory of 2124	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 2124	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4080	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4216	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 4216	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe
PID 4300 wrote to memory of 488	4300	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe
"C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe"
1⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbc01846f8,0x7ffbc0184708,0x7ffbc0184718
2⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
2⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
2⤵
PID:488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
2⤵
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
2⤵
PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
2⤵
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
2⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
2⤵
PID:3872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
2⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
2⤵
PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
2⤵
- Drops file in Program Files directory
PID:1084

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x7ff66d2b5460,0x7ff66d2b5470,0x7ff66d2b5480
3⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
2⤵
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
2⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3948 /prefetch:8
2⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
2⤵
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
2⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
2⤵
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
2⤵
PID:5652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5268 /prefetch:8
2⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,13461303353164738856,1910279456519085966,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
2⤵
PID:5208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2cc 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5624

C:\Users\Admin\Downloads\ExtremeDumper\ExtremeDumper.exe
"C:\Users\Admin\Downloads\ExtremeDumper\ExtremeDumper.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5664

C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe
"C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe"
2⤵
- Loads dropped DLL
PID:5348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5348 -s 1040
3⤵
- Program crash
PID:1708

C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe
"C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe"
2⤵
- Loads dropped DLL
PID:1356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1356 -s 1040
3⤵
- Program crash
PID:3784

C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe
"C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe"
2⤵
- Loads dropped DLL
PID:1848

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1848 -s 1040
3⤵
- Program crash
PID:1144

C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe
"C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe"
2⤵
- Loads dropped DLL
PID:5472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5472 -s 1040
3⤵
- Program crash
PID:5212

C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe
"C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe"
2⤵
- Loads dropped DLL
PID:5300

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5300 -s 1040
3⤵
- Program crash
PID:4912

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 5348 -ip 5348
1⤵
PID:1416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 1356 -ip 1356
1⤵
PID:5208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 1848 -ip 1848
1⤵
PID:4952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 5472 -ip 5472
1⤵
PID:5624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 5300 -ip 5300
1⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe
"C:\Users\Admin\AppData\Local\Temp\NoDynMethods (2).exe"
1⤵
PID:5856

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap26594:190:7zEvent21561 -ad -saa -- "C:\Users\Admin\Downloads\Downloads"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2956

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap16165:190:7zEvent30039 -ad -saa -- "C:\Users\Admin\Downloads\Downloads"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc01846f8,0x7ffbc0184708,0x7ffbc0184718
2⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
2⤵
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
2⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
2⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
2⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
2⤵
PID:3804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
2⤵
PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
2⤵
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
2⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
2⤵
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5652 /prefetch:8
2⤵
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
2⤵
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
2⤵
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
2⤵
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3336484574906444080,9009026233821359898,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NoDynMethods (2).exe.log
Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b8c9383861d9295966a7f745d7b76a13

SHA1
d77273648971ec19128c344f78a8ffeb8a246645

SHA256
b75207c223dfc38fbb3dbf03107043a7dce74129d88053c9316350c97ac26d2e

SHA512
094e6978e09a6e762022e8ff57935a26b3171a0627639ca91a373bddd06092241d695b9f3b609ba60bc28e78a5c78cf0f072d79cd5769f1b9f6d873169f0df14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
91fa8f2ee8bf3996b6df4639f7ca34f7

SHA1
221b470deb37961c3ebbcc42a1a63e76fb3fe830

SHA256
e8e0588b16d612fa9d9989d16b729c082b4dd9bfca62564050cdb8ed03dd7068

SHA512
5415cd41f2f3bb5d9c7dadc59e347994444321cf8abe346b08e8c5a3fc6a5adae910eda43b4251ba4e317fbb7696c45dba9fd5e7fa61144c9b947206c7b999c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
01732247b1e9d1ee670eb36b9f78b84e

SHA1
0005e2b10259657b79ee2e3f2d8f942499438428

SHA256
158077ba6b35eb611938f26f0ab6931de86abee972c335770d8c799f44195a91

SHA512
41ef3ad58196e21dbe09d581a6d2914b78538b61326716985f116bc65911d92000ada4c29100b5f3dc22025b583e2b7fd87b105d4c01da53c72ae2011afb03dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
70f29f2e50ce5e363771183136d43607

SHA1
6263a5fc645584fc8707d86e40a39150a9c77ec8

SHA256
c0fe11c72da294c339e8026e32a6cb51c7485e051cda3ec40227de8917fc02c3

SHA512
af9e240fc55494a9115721e802a86a5d8e75f4ad62be8eec2e1b4d87339fb9b1e163a39117b4f19c6e461c314dd6ca353f47108dd999185520d383fd45446fe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
addf8e18f745518af5a8df214c9ca186

SHA1
ca9218747347d5148d5066ab5d4555d89dac7e85

SHA256
d9b35e76eb4808d803c6521f12a5035aedb60555306fde1a3b9814cf3cc9fc03

SHA512
ea362af7f32c9f615416b66dee4ee707ba73a437d0452b504ada80f5e734caf7375c00a304271d5ca7a92da17df856638a347fe3b141f709eee659f615f020d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
2KB

MD5
441e473a8ff804b7b4c048081bbee7ac

SHA1
06e6d6962b6b44328b21bcbd6b24a45c9bc5f0bf

SHA256
6be4c1996e2b67c81149015678b79bd6a559aedf7100779a8e21515186ef624d

SHA512
24e3deecdc76e84e2348aa57712299a6ca080e1dab3935495586733b7666b4d6bcf582ad77766040905b09b025674f62c2d01afb2e22ac5b8bfdcc07d6632ecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
210a2445e0858953070025ee908633fc

SHA1
a6a599898e7e726415ff5e50eeb21bf968497ba2

SHA256
af1f1650125e82f30695b93820efbadba6f983b79f5f8d6f808e3be78c9cadf3

SHA512
64ddaf82553ddf123428580c0eb8b345953292fe6309a79214474829b773ad34e4df69d94428434f2a766656d77f46ffe49b835eb5b543da47188ca774521b36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
bb5e1d5abc5aeb2fc8584671f7e5372e

SHA1
9810e7c556bf1bce024dc0f0b3259d0f4e05edd5

SHA256
7aa26363ceafe462af5eb4723e5e896b02c875e0d4ee8b263965e92cf02789d8

SHA512
a80114a4c6ea51f844d6ad122536df1876e48d8965932ae7a8e29528c704a79b4115da3d587e046e5e5e7a2c580778aabb88f780a57d67e468a42b730ca8d662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
bb5e1d5abc5aeb2fc8584671f7e5372e

SHA1
9810e7c556bf1bce024dc0f0b3259d0f4e05edd5

SHA256
7aa26363ceafe462af5eb4723e5e896b02c875e0d4ee8b263965e92cf02789d8

SHA512
a80114a4c6ea51f844d6ad122536df1876e48d8965932ae7a8e29528c704a79b4115da3d587e046e5e5e7a2c580778aabb88f780a57d67e468a42b730ca8d662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
Filesize
28KB

MD5
df4122260846d953d877f69db8c9aa72

SHA1
6c1f3f965b7d3fb7c79a1672167e535166befc78

SHA256
17e4c0756efff9945ddbae6d10fd01d9415a420d3813e7d4be9bb6d1ed823fd6

SHA512
f9d1401f6eb9faeb10ea279e9b8578aa0228f9925a15b54950170cf33a3a45b57be42cf85a50838d2afdb90eb9c6a5187e311bbc6b23d3c4b95388407f69b228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
d3b1347d5f76c897472395260452b528

SHA1
1c9ff35f8b01957b2d07fbb6afb07d55b1a992f5

SHA256
d22f1cd689e46d7871912cbd51dfbfb46a3603b4c9411395237c84a171ee7aab

SHA512
e1832350df48fc03a0c0951d617e757b79a58d4e55575a75141ab491ab622f4b18334ff213b345449ed51ab238a3d5e8cfe05c812d430ab8e974f7b9f077fc9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
d3b1347d5f76c897472395260452b528

SHA1
1c9ff35f8b01957b2d07fbb6afb07d55b1a992f5

SHA256
d22f1cd689e46d7871912cbd51dfbfb46a3603b4c9411395237c84a171ee7aab

SHA512
e1832350df48fc03a0c0951d617e757b79a58d4e55575a75141ab491ab622f4b18334ff213b345449ed51ab238a3d5e8cfe05c812d430ab8e974f7b9f077fc9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index
Filesize
256KB

MD5
6f8864bfa24c4256122f4e9d70b7accf

SHA1
4864a71fd9b064e3153b889e9ba2f012139ceda1

SHA256
300610b22df7de8f38767a805e4bd1a3f53f2967058285188b7bb362e8078b20

SHA512
413c422968fe0b9762bc67ec6a97922021e96e5bb82dbd5fd596cf967ea423674e7fc00f9d5071f90384042a2b4724c2fd062c76f79d33c4fbbb7fd555527f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
124KB

MD5
3a4ddc93fa49129d3345e798bb855562

SHA1
abd03b474637ba089e8d1842f99ba318fb8c2a40

SHA256
92a1051e829a1308a170a5abcbc4caa7c377fc36d749cedf942b9fb7fa128452

SHA512
4f0fe5c215d7bb160dcadeef32562f469aaf13911f5bdded32b5e5ca234d263e8814632563b2c5e3ba65ddde1f72d109356681fe69dfb2303970e714e3269f82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
Filesize
3KB

MD5
b85a64cf8c77e9de9d8e52bb6826f735

SHA1
d8d0815b4bed22556afb8f11c9d3257af49d24d2

SHA256
912783a5322709822ff0f9d049996ff2dd5bd1d2382ffa85ff096c929a1d9524

SHA512
a346cf85ab353efc2bf1410de1f5f15c95e5c5608a66aca8250c7f3a9c794749108fcedf4699702ace1a73ed305b6b7c0dae1cadcb8a69008dcac51a3c58b7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
Filesize
8KB

MD5
d5d8a19ef7110ef8603333a17dac9576

SHA1
214b7b8a35d9789dddcdb7d81436b4328a0bbde8

SHA256
c8b3932013626e89f3c39af7b37ceedae61d7b9b97227d040a844bd0a3910dcf

SHA512
fe9fac10beb81a7ced28fdf08cbd170f69e404498514666a3ad9f02e89e92a255cabffe6ed07a9dfa04f70f58939f11cab1932829deee3beeda607a69bf7f4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
331B

MD5
30b9e6e8c26d647df25ef4cc05df7aad

SHA1
db029d19331afc71585c2672670df039c94b26a2

SHA256
0cd4a8ce40b1e48dcc30c7bc9562ce739bb4abc643d7956654cad4f297553489

SHA512
78de0d91c47dc48987de5d123fe62dc8c6272b1fb4dfd01b041495294f294466381ee76a3ea1872335c2e1eb795b20e30681763e8ff3399375d376e749685c4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
91f3411daa9b2a87665bce7124518b21

SHA1
69499287200abb7033914f7032147d4c37c99637

SHA256
9429e40287d40c78c1fedeae0f936e38e5e9ae46cd5b97c1dfaaf2c3cf840d44

SHA512
c9f65d6033d70cb1b42dc20d832a3580915d62e19f958c9951c05babc87e59d497f15ff9db1afd18f8c08ba08694a02ac1da363a863d44146cd682c5bcb8ed61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
703B

MD5
c5452a442fccf68d8206c2e49aff5a6e

SHA1
53631d6a243520625faf5d23f820ea8ac541bcda

SHA256
5085ed95d9aa9d87e77123bc739f79ebf09ed67126fa0d2149dd730fbdd832ab

SHA512
e0ae8cd9c944d263f467c0ad2150f0a9d0e85d1fd3ec7ada7ab6967a4ec08d9c12f0bde460e2ab8c72638a8974cce24c70ae94dbe05ad13c606a57288d697ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
ab515e7f91fe525eae994e23d9a7d9fa

SHA1
050134a86e0be524c6db21b79e5d358794d09e30

SHA256
76ad95ce47d008d37a87e70f79e17da04e52ee5fc81f00eeecaab5284ed79e2b

SHA512
a1e7372c12377dcce71b4bdfd04774f8e562f0cfa78fb7865b9146a0ce0833335321921300d79a64fe0b979926fc973073671bbf8da5d03cdce749e06b836596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
48bedeebfbb42ced581475217e212d4f

SHA1
470b3be254c287d964e64685b598626c450e467b

SHA256
03500a3624ceaa9955f2dd6636963031e623ced8d841af3b386968459989a7c2

SHA512
76f7b3755121c4f9d753be5cd54f42d35baac8fbcb46f1c8d7b48bb3b00b3aed56bf3c3b75a30d3b2e568d84feb2c789fbf57039c35f38419b306d78983a8ef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
85569273739436bbdc7811b1e2e9d1e2

SHA1
2cb725eb379b90d3391c479c9092f89ea03431d5

SHA256
fba137f23dbf38222404a6999ba65c82351e616f762ff6b74aa1a13afc0c6165

SHA512
84edcc0aa5e30dd6125334459aca5534b398c4f14d286d0dc7d59058f62496d278b1189af47c7c066afc9d281cac694b2f956d551732a25dcede4db37f78825d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
368cda0f754b92c6184809fcc0d35334

SHA1
fd56742ddf19e236ab83af50b673db097263cfdc

SHA256
0425b73196d5e7e491e8357039579b6481c0cfd3f520f6eb5588bfa116034e6e

SHA512
261c3cf2b9818fa64c99951687ed6aa9e08553c6a6f33eccbb20a0a1aeb23d805ced7aa67963f8f89922279bcf71cf9c135b846faf41a28e94348fc2ae407803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f556e1bd6570a83ef0103f297037d166

SHA1
b02430139f4bc58cd0ca0214f5ef5bd5aeb9f6df

SHA256
2760a1044220909941a95d38d9128013066e9d786c24bba248ee3fb135a00e50

SHA512
e5077e6980cff177f4a1dc8bb849a8e60c16ccb0359a2bc583246fc1359a210f898403761ddb31a98f68d256bccc9e0d257d5ace19a696545094fdff5610cf34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
66a30b54d578333950681fb0d15d1ffe

SHA1
a3091aae956a84beb98eda0300232c7364297674

SHA256
734836fdc380df76064dc7fb5003a5b1de36c6c80413379d695ab490060a3947

SHA512
b5a91b43c9475af5ee58b1d7fb4a04c1d91c40683f058b79aa5218c61f52ad83782010ea04080b104446607fb23e70aabc9503701c272603748ddfc3b5915c8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6a00d2185fc81941f7f776538df0d435

SHA1
2d6051bd137565dbc90bd5f325bedc03d9379252

SHA256
6ce1ef9b1e5a2c18b31238581819a72567d6a80a6bbb1a51dbe580854d33349e

SHA512
c8034eb35ebc6e6e9a8e768b7440f2c62d06409ef6306a43a6f2dfc626e5ff6028ce2d0e3bf45a6d4279707c792ca5eed87d072c0f2a3ec1bc8ccd053992c22a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6a00d2185fc81941f7f776538df0d435

SHA1
2d6051bd137565dbc90bd5f325bedc03d9379252

SHA256
6ce1ef9b1e5a2c18b31238581819a72567d6a80a6bbb1a51dbe580854d33349e

SHA512
c8034eb35ebc6e6e9a8e768b7440f2c62d06409ef6306a43a6f2dfc626e5ff6028ce2d0e3bf45a6d4279707c792ca5eed87d072c0f2a3ec1bc8ccd053992c22a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
22e9151c71f2529c88c954b33e7772eb

SHA1
fc0251d08cfd8cbbaab25a958a605b91709e64ca

SHA256
0e32d1aa727d212c028f7c0c219c347a7cc6bb91bfc29a376f99ffe1bbe2fdb5

SHA512
e822e9feef5d1395d2b4b602280618edd3c99cbe397c8ab8065d83b863e505d6ae6033114c24b5921f6e41d233c75b19952c512449bad0a2d43488f49c332f50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
60b345592703258c513cb5fc34a2f835

SHA1
39991bd7ea37e2fc394be3b253ef96ce04088a6d

SHA256
7e358b4f7553c9385e8eb2c5692d426bc257bbd4c0213e6c69294459734f6300

SHA512
0346fb4096eb285ab0fdf7e7ec38c4daf7bbb0c506f09975eb2290121d169a34c886fca342c3e06371cb697f2753a697ca4f72af7817ed340eee6063897110a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
acfcbb16fadae6fbaa1ab8bf894730a3

SHA1
510627ecc38d01212d10f8fd77798a1804b2edb1

SHA256
0409ba629e259ef5eff0e3cc33a267b3234e4a4eb46992f090764416a93ed89b

SHA512
dbc17293c4149a45787bfbc8d6ba156232ed7bb7c6a63d29ffdb34a68919f96be86338c9b858b7e0ae4e3b23cbd01c9316f500b6af5573da7e8318c642015502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13323927476087764
Filesize
10KB

MD5
433b8d85aa22285a37f756f464875730

SHA1
5e8966fc22e6d7d675bbde25fcb7f630c4060774

SHA256
385b0c895e184ce08927d5685f4526af1d4a5fde3dcbcf6f2484a6a0be87fa6b

SHA512
3dc50536f6a585d51e7be5f1a88ff7498f940e712cc506c83eacf2c3d4d2ace327d2ab312e5e5f6cb1de29d3bd4547d5cbd37a863728cfbb874d3c6021a34244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize
112B

MD5
4518805e1fe57976985e1fb9217384de

SHA1
773f0bf732e5d8be6d8cc1c9c55b8549a705bffe

SHA256
64d57525688d797ca729baaa99ab0518002607e2f64e2904057700a21ede16f8

SHA512
850f9e4f210ed90d7297999c62d12f0d417b3e51ffd485bd4a896a5f8f17c2da3495f68c49be3e5ef966c0d13d5f3bd2614fd9fadffbe3da105a2bf2a3b6b8d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
347B

MD5
5a35db3d7d0480ab5d8bc28ee4770977

SHA1
4e7add18a387c1cfe8f2c744d90f66fdb3058b47

SHA256
cc360e8e176b2a899e5fc3b7fa070bb15b59c841dd0cb3ccf6cffef44bb492a9

SHA512
9995e48436c9f2d4bc3ec6f015ccc7dc2d471236fe5ddc7b3a974dc840763b01ccebdc300eb6c47f0c275ee8a4c3aaf0eefe9cb5a112c41a8792ce4b422cf9e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
326B

MD5
80856dee6415afc7a20fcf171a2b7996

SHA1
b37f1d6404a892b7a496e1f9c9bd95b5759206b3

SHA256
21357b103c6b4c872eae20c1728062e6cb52fa3cb3fc38c8ed39b76141d664e5

SHA512
e476775c3b7768918c5166560f114d78f0d2c73bd5de42c854e957b72ff56253d0629ed4a7f59a7c5329695beb65422484d81511cf1f6aefb8810507c9ad7340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites
Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
ab7c90a596206a7bd38ed011aafa960b

SHA1
c85a60fc79e539f341f55e82d55d9815456a52b6

SHA256
5d56a4669215d8641a1d8bf044ad4afbc2e2c8dfc081f822d4e22a1fd9c22f8d

SHA512
db175f6d31086be164ffaa62e9582ebaebe5d52ce8ef3ec6a72139572f66b57d436781ae500e5fb85b9d2f4eb96783da617400e82cf08c83a43afd75b33579df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
c5e581b758b6208d340b4c76378c82ac

SHA1
f41ddfb12d51f33176a0df2fb4579803cfcb5200

SHA256
f6d9595421c3dbea2b20a688f89c75939d64d61c8368948ea1284c37f5617cb2

SHA512
c12890e61e687460560e0b2a9d47370a6dd355cba8c0b7d6d50de8405664f6d3c8bf907e010f517bc2022675b74ffe253d0b51df8937aa62e8175013b6345d67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
0a8c55c445c11bdd11fd1eea54470948

SHA1
4e977f31f32f0acc37324aa25076263f2b59356a

SHA256
023d2513616bbbf9f8179e2b7c62c1f7145527fcc127c9357d7ed8c121c7850e

SHA512
361d92f9b3f3bdc9c2ccbb6ca237736d5bcae5244631522b75300565b1086dce3f1962255bc9b58bb345a03e8e576799c6c89eddea6b03aaab0bcebb56716833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
116KB

MD5
f51c9a3fb2f168d5fca5c196f3399a1f

SHA1
68732bbb25aa9f069c4366970ea042e0cdf4d514

SHA256
6d96a3600c447afa9c52f549b06107c998ae43c5b2da3b29f68b071e0face185

SHA512
7ca8a50d477abde7583344401b341bff416e31c9b8207b6088cc134fb4854fcd2ed8ff3111ded32d255dbe81fb71c305e81226921027a46c1e4d4c7f2046cab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
52KB

MD5
ce0e7ff163f55a0a1015cb7194036eb0

SHA1
3e221353687c204bb4d906d6c974017a4c4f1c60

SHA256
08f2c5bed7e8d233b0fc7ed9bc073a8bc82121a1dc50385d9f067b61e29afb02

SHA512
2de3537b077a20a396f09696dd39f4ea0c02b195ca24d48b10d34c7153b842bb0a47aa0f24863eef1d810f4d8e1724643f8f742c69cb79bf46a6e2453d0e4f65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
b7749975625cac9aa7607dd3735d7ebe

SHA1
e05aa76cfcefba864439e7610bbe1bc97fbac548

SHA256
b8a836dd259123c1ba099851782b30eae28ba1dc95372a2452fed628983c0006

SHA512
4cb99352f6dc33a4c3e355df4d5953c5a2be8f88db75e7d958d9cf2f0d27bc40dbdb3fa79a29af9e468973e011bfb52f91a201c6dda1a61193fa59c3ed435438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
fa6019e5027c63078058b57e1b814e83

SHA1
4b97a80c493a1a2173b2742db98244552d8ca8b4

SHA256
43413972df8a375a6a542420933e88266b65bf66150f88ab688be58e0a129240

SHA512
6d553235e040a7e9c4c6fb7141d4ea42ba7046ad722ba46d8ac164b2d552800ed75d8f922f106816ba566312a6d8154f8ddb6af3d35b95951e836dda4c50ea60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
6eac4d7cd6c8ea3641318ed03ad3908b

SHA1
d36eccd120378abf58949d1249eefe4ebc1a97b4

SHA256
bea5ad1bcfdfec07cb17845357fb821fac5f2494377ac78a53f27d2398e11883

SHA512
d60264312764101befa071c4eb36f445a1d42c8c4b21389953961f7019f73e45211c7f5d771425a8c31f168406a874481c4ce3da68996b7754d413c92ca413a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
73e8e6ea9be88833411b95458c9c9146

SHA1
d420a2b6585881ac021283f444862674a376b387

SHA256
8d77d263012d173542321364f4b556cb3fc6711a911bae251dd4c3c9e22acdcd

SHA512
87edf04d0e2c785bd32d6515d5de85f8544e34d67c594078f910df2f75f5278434498ea6780c2683838246ab95a3b3e9727c9ba2303eea8493bbe604d2bea309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
b331f270611c7d49d64aa16dec53209c

SHA1
af5a441a0208f89567adb78eaeba9581ac2bf585

SHA256
ff954d59cbf90d195ef161854ce42360715f571d1a076c96e753dd7611f68e10

SHA512
6faa2dac7042ede8a1cae85ad3d843126db65f792cf433972cfe6cf7e5c978b499e09c1a61333163946cefcf442136d68c285507f2f43e752c02717b9eae5874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
1423eae6aba3b86d92e6fd8010a309a1

SHA1
87d57fd498c0a2f9ff09523add9418fa8381a693

SHA256
7a3231a06ff4b50a66b1595c003bde3530fba7d4db55da132374736078f26c79

SHA512
f069b0d7b9c665b7d1f29c274a78e41b1531d14b07e6abf8db7dfaa0e231b223b668fb719577da39d27d327fb4268da07e3aed426b866279ef6da9602b9fe582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
fa6019e5027c63078058b57e1b814e83

SHA1
4b97a80c493a1a2173b2742db98244552d8ca8b4

SHA256
43413972df8a375a6a542420933e88266b65bf66150f88ab688be58e0a129240

SHA512
6d553235e040a7e9c4c6fb7141d4ea42ba7046ad722ba46d8ac164b2d552800ed75d8f922f106816ba566312a6d8154f8ddb6af3d35b95951e836dda4c50ea60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
4a638dbf77c8866499562a93662938c8

SHA1
379b7b22415f3b550fe8a91fe1986280345acd39

SHA256
e3ed6b0cdaf105b00644bb81d1994b1140f5a6d3b4ba7abea88c36c97da56921

SHA512
2beb8091b41c6b61e51d50c059446d4af2b72417ba05e5a88373ceab1fcf553951dec31712836a965dd2929ed227a083db24f6f01ab31f65a7b093b4d37b9d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\904ab536-41a3-470b-9020-4b56306e1aef.dll
Filesize
60KB

MD5
43641721167b2dcf240174ba270c3157

SHA1
c2f9a5c66213a6179b82fe97e1c143cc0c58226d

SHA256
8cd7aa620a92599fc970c6be3b8f30dbd73dc50cbed9a992acf00dbe836ec263

SHA512
55663c5ba903fb0f920f905f08cfcefb29a90c7e3a5454c8d0333200c967a0cf22625f5a930ede7abd2ec74b2045b3ad01f36968cd289fbcaae3c8fa7b191a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\64\extremedumper.loaderhook.dll
Filesize
211KB

MD5
2e40ed16499ba8ff681b9bfe8263cef8

SHA1
f89f7d11dc028bb3fa1437b0d0de1affec35f8a1

SHA256
3577492fff8cd1dfdfae86f74e3d77a1aa672b49d18838355ce2a5bf86363f47

SHA512
2f47d4a9f7ec6a7f7eaf605e571c85ba16b4421df9a15c801502af6488287f9ed6c5e7f3c2b29ae2b4f6169252d9ac9a7b91bc666557fa1501347b7de36493a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\64\extremedumper.loaderhook.dll
Filesize
211KB

MD5
2e40ed16499ba8ff681b9bfe8263cef8

SHA1
f89f7d11dc028bb3fa1437b0d0de1affec35f8a1

SHA256
3577492fff8cd1dfdfae86f74e3d77a1aa672b49d18838355ce2a5bf86363f47

SHA512
2f47d4a9f7ec6a7f7eaf605e571c85ba16b4421df9a15c801502af6488287f9ed6c5e7f3c2b29ae2b4f6169252d9ac9a7b91bc666557fa1501347b7de36493a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\64\extremedumper.loaderhook.dll
Filesize
211KB

MD5
2e40ed16499ba8ff681b9bfe8263cef8

SHA1
f89f7d11dc028bb3fa1437b0d0de1affec35f8a1

SHA256
3577492fff8cd1dfdfae86f74e3d77a1aa672b49d18838355ce2a5bf86363f47

SHA512
2f47d4a9f7ec6a7f7eaf605e571c85ba16b4421df9a15c801502af6488287f9ed6c5e7f3c2b29ae2b4f6169252d9ac9a7b91bc666557fa1501347b7de36493a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\64\extremedumper.loaderhook.dll
Filesize
211KB

MD5
2e40ed16499ba8ff681b9bfe8263cef8

SHA1
f89f7d11dc028bb3fa1437b0d0de1affec35f8a1

SHA256
3577492fff8cd1dfdfae86f74e3d77a1aa672b49d18838355ce2a5bf86363f47

SHA512
2f47d4a9f7ec6a7f7eaf605e571c85ba16b4421df9a15c801502af6488287f9ed6c5e7f3c2b29ae2b4f6169252d9ac9a7b91bc666557fa1501347b7de36493a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\64\extremedumper.loaderhook.dll
Filesize
211KB

MD5
2e40ed16499ba8ff681b9bfe8263cef8

SHA1
f89f7d11dc028bb3fa1437b0d0de1affec35f8a1

SHA256
3577492fff8cd1dfdfae86f74e3d77a1aa672b49d18838355ce2a5bf86363f47

SHA512
2f47d4a9f7ec6a7f7eaf605e571c85ba16b4421df9a15c801502af6488287f9ed6c5e7f3c2b29ae2b4f6169252d9ac9a7b91bc666557fa1501347b7de36493a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\64\extremedumper.loaderhook.dll
Filesize
211KB

MD5
2e40ed16499ba8ff681b9bfe8263cef8

SHA1
f89f7d11dc028bb3fa1437b0d0de1affec35f8a1

SHA256
3577492fff8cd1dfdfae86f74e3d77a1aa672b49d18838355ce2a5bf86363f47

SHA512
2f47d4a9f7ec6a7f7eaf605e571c85ba16b4421df9a15c801502af6488287f9ed6c5e7f3c2b29ae2b4f6169252d9ac9a7b91bc666557fa1501347b7de36493a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\64\extremedumper.loaderhook.dll
Filesize
211KB

MD5
2e40ed16499ba8ff681b9bfe8263cef8

SHA1
f89f7d11dc028bb3fa1437b0d0de1affec35f8a1

SHA256
3577492fff8cd1dfdfae86f74e3d77a1aa672b49d18838355ce2a5bf86363f47

SHA512
2f47d4a9f7ec6a7f7eaf605e571c85ba16b4421df9a15c801502af6488287f9ed6c5e7f3c2b29ae2b4f6169252d9ac9a7b91bc666557fa1501347b7de36493a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
fac0721181b2735f432110c726dd76bd

SHA1
e09ee8e0fca91245cfafbe622fdfced997edf112

SHA256
8ee71ffc0bd3d7254656b6968882feb545dd29d26951d772b7846a732e62cc90

SHA512
86e15e7efdc9593501b377c8a212889d7e7baf24d774897ee3506e952eb231aebb4d25d46584350c55376ea9eda2559079527d40883d37679be85326e8d3a251

Download Submit
C:\Users\Admin\Downloads\Downloads.7z
Filesize
18KB

MD5
aa8e1b9f11c49c6de94d7d04edc9911e

SHA1
1fb40edc25d1dc95519ba27dc184f1a20b190fc7

SHA256
8c7a7b34745c6297e07675d4309ab70837235a64c32aa66e9dfc9da1cbd2df6e

SHA512
fbcd8087204a146bac85b6886f7b5cea8e002d88160fb03e70c705d8cf3ceb634b2cb30836bd3896cb1dfe6bc48dadf442de5c445ad4fb719f985646f31fb41a

Download Submit
C:\Users\Admin\Downloads\ExtremeDumper.zip
Filesize
2.3MB

MD5
5a175dbbdd3ef221fc1cc8cda9988c33

SHA1
5cc3f21a81438d8d24a82e3218541a00e51c6978

SHA256
fbffedf2a9420be03538f04bd80a69e35503f8d8395da76a9ac2518a65e1facc

SHA512
b6cf84830ff72a84d333850b88e981d4e7f7a68334546978169aec992ea7fa13f4a1839039aea2d18a7c8ff9164bf174719184a92ad5567cff048c2fbf2f8367

Download Submit
C:\Users\Admin\Downloads\NoDynMethods (2).dump.exe
Filesize
54KB

MD5
3350f7f5e9c67bf6dd9dfa4a3e3dda6c

SHA1
bc400030613575e479df0d119a524c4b0ab7e4c5

SHA256
79a2f779f0cb7825fc903be1656902b3cf20a1eca450969724c0d8c5e1a48c18

SHA512
91435ce9a6ac3251237f66da59bd25744d315607bb1a29b02bb3312d099414baebc0c9ca6fe876a5d45125a54e35864c9faf78d72f32e0e14ddbc03198c5ce4c

Download Submit
C:\Users\Admin\Downloads\NoDynMethods (2).dump.exe
Filesize
54KB

MD5
3350f7f5e9c67bf6dd9dfa4a3e3dda6c

SHA1
bc400030613575e479df0d119a524c4b0ab7e4c5

SHA256
79a2f779f0cb7825fc903be1656902b3cf20a1eca450969724c0d8c5e1a48c18

SHA512
91435ce9a6ac3251237f66da59bd25744d315607bb1a29b02bb3312d099414baebc0c9ca6fe876a5d45125a54e35864c9faf78d72f32e0e14ddbc03198c5ce4c

Download Submit
C:\Users\Admin\Downloads\TestHook.dump.dll
Filesize
88KB

MD5
3178db3830d973d6106e82fb00956fc8

SHA1
ebcefa3304d1b8aa6de45a90422720b6febd29c3

SHA256
508c708c165b81fa7a0fbfe93070a70c7fd7900298054bc27a7e24bf20ed6738

SHA512
44b9ed5701a4ec7be26f92fc75c081f3c188cfa411e23ea91858192e42cf0f1e1786f1f801720b8429c70cda54b9c6a9dc9fea1c812fd2dc04dd695b9ec28dde

Download Submit
\??\pipe\LOCAL\crashpad_4300_TZSLGOQRLNXZAAXZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_5700_YBTDLYUNJNUSYDPE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1356-681-0x0000014B21110000-0x0000014B21126000-memory.dmp

Filesize
88KB

Download
memory/1848-684-0x0000026D66750000-0x0000026D66766000-memory.dmp

Filesize
88KB

Download
memory/4296-134-0x00000237C5970000-0x00000237C5980000-memory.dmp

Filesize
64KB

Download
memory/4296-135-0x00000237C5970000-0x00000237C5980000-memory.dmp

Filesize
64KB

Download
memory/4296-133-0x00000237AB3D0000-0x00000237AB3E6000-memory.dmp

Filesize
88KB

Download
memory/5300-690-0x0000022F61330000-0x0000022F61346000-memory.dmp

Filesize
88KB

Download
memory/5348-678-0x00007FFB7F830000-0x00007FFB7F840000-memory.dmp

Filesize
64KB

Download
memory/5348-677-0x0000024B35390000-0x0000024B353A6000-memory.dmp

Filesize
88KB

Download
memory/5348-679-0x0000024B36ED0000-0x0000024B36EE0000-memory.dmp

Filesize
64KB

Download
memory/5472-688-0x0000020B00DE0000-0x0000020B00DF6000-memory.dmp

Filesize
88KB

Download
memory/5664-654-0x000001DAA7860000-0x000001DAA7A0E000-memory.dmp

Filesize
1.7MB

Download
memory/5664-667-0x000001DAA9780000-0x000001DAA9790000-memory.dmp

Filesize
64KB

Download
memory/5664-773-0x000001DAA9780000-0x000001DAA9790000-memory.dmp

Filesize
64KB

Download
memory/5664-660-0x000001DAA9780000-0x000001DAA9790000-memory.dmp

Filesize
64KB

Download
memory/5664-661-0x000001DAA9780000-0x000001DAA9790000-memory.dmp

Filesize
64KB

Download
memory/5664-662-0x000001DAA9780000-0x000001DAA9790000-memory.dmp

Filesize
64KB

Download
memory/5664-663-0x000001DAA9780000-0x000001DAA9790000-memory.dmp

Filesize
64KB

Download
memory/5664-779-0x000001DAA9780000-0x000001DAA9790000-memory.dmp

Filesize
64KB

Download
memory/5664-664-0x000001DAA9780000-0x000001DAA9790000-memory.dmp

Filesize
64KB

Download
memory/5664-665-0x000001DAA9780000-0x000001DAA9790000-memory.dmp

Filesize
64KB

Download
memory/5664-666-0x000001DAA9780000-0x000001DAA9790000-memory.dmp

Filesize
64KB

Download
memory/5856-738-0x0000019283620000-0x0000019283626000-memory.dmp

Filesize
24KB

Download
memory/5856-710-0x00000192834A0000-0x00000192834A6000-memory.dmp

Filesize
24KB

Download
memory/5856-701-0x0000019283430000-0x0000019283446000-memory.dmp

Filesize
88KB

Download
memory/5856-699-0x0000019283400000-0x0000019283402000-memory.dmp

Filesize
8KB

Download
memory/5856-698-0x0000019281CC0000-0x0000019281CC1000-memory.dmp

Filesize
4KB

Download
memory/5856-695-0x000001929CBD0000-0x000001929CBE0000-memory.dmp

Filesize
64KB

Download
memory/5856-694-0x000001929CBD0000-0x000001929CBE0000-memory.dmp

Filesize
64KB

Download
memory/5856-705-0x0000019283480000-0x0000019283486000-memory.dmp

Filesize
24KB

Download
memory/5856-719-0x00000192835D0000-0x00000192835D6000-memory.dmp

Filesize
24KB

Download
memory/5856-724-0x00000192835E0000-0x00000192835E6000-memory.dmp

Filesize
24KB

Download
memory/5856-733-0x0000019283610000-0x0000019283616000-memory.dmp

Filesize
24KB

Download
memory/5856-747-0x0000019283660000-0x0000019283666000-memory.dmp

Filesize
24KB

Download
memory/5856-752-0x0000019283670000-0x0000019283676000-memory.dmp

Filesize
24KB

Download
memory/5856-761-0x000001929CAE0000-0x000001929CAE6000-memory.dmp

Filesize
24KB

Download
memory/5856-766-0x000001929CAF0000-0x000001929CAF6000-memory.dmp

Filesize
24KB

Download