61ca4d8dd992c763b47bebb9b5facb68a59ff0a594c2ff215aa4143b593ae9dc

Analysis

max time kernel
153s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Endermanch@MEMZ.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Endermanch@MEMZ.exeEndermanch@MEMZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Endermanch@MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Endermanch@MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Endermanch@MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Endermanch@MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Endermanch@MEMZ.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230401055043.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2b786f16-ab17-416c-899d-551dfa41a8fa.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Endermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exeEndermanch@MEMZ.exe

pid	process
116	Endermanch@MEMZ.exe
116	Endermanch@MEMZ.exe
116	Endermanch@MEMZ.exe
116	Endermanch@MEMZ.exe
3756	Endermanch@MEMZ.exe
3756	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
4768	Endermanch@MEMZ.exe
4768	Endermanch@MEMZ.exe
4912	Endermanch@MEMZ.exe
4912	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
3756	Endermanch@MEMZ.exe
3756	Endermanch@MEMZ.exe
116	Endermanch@MEMZ.exe
116	Endermanch@MEMZ.exe
116	Endermanch@MEMZ.exe
116	Endermanch@MEMZ.exe
3756	Endermanch@MEMZ.exe
3756	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
4912	Endermanch@MEMZ.exe
4912	Endermanch@MEMZ.exe
4768	Endermanch@MEMZ.exe
4768	Endermanch@MEMZ.exe
4768	Endermanch@MEMZ.exe
4768	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
3756	Endermanch@MEMZ.exe
3756	Endermanch@MEMZ.exe
116	Endermanch@MEMZ.exe
116	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
4768	Endermanch@MEMZ.exe
4768	Endermanch@MEMZ.exe
4912	Endermanch@MEMZ.exe
4912	Endermanch@MEMZ.exe
116	Endermanch@MEMZ.exe
116	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
3756	Endermanch@MEMZ.exe
3756	Endermanch@MEMZ.exe
116	Endermanch@MEMZ.exe
116	Endermanch@MEMZ.exe
4912	Endermanch@MEMZ.exe
4912	Endermanch@MEMZ.exe
4768	Endermanch@MEMZ.exe
4768	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
3756	Endermanch@MEMZ.exe
3756	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
1932	Endermanch@MEMZ.exe
4768	Endermanch@MEMZ.exe
4768	Endermanch@MEMZ.exe
4912	Endermanch@MEMZ.exe
4912	Endermanch@MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 1976 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 1976 AUDIODG.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

2188 msedge.exe
2188 msedge.exe
2188 msedge.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Endermanch@MEMZ.exewordpad.exe

pid process

3748 Endermanch@MEMZ.exe
1260 wordpad.exe
1260 wordpad.exe
1260 wordpad.exe
1260 wordpad.exe
1260 wordpad.exe
1260 wordpad.exe

description	pid	process
Token: 33	1976	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1976	AUDIODG.EXE

pid	process
3748	Endermanch@MEMZ.exe
1260	wordpad.exe
1260	wordpad.exe
1260	wordpad.exe
1260	wordpad.exe
1260	wordpad.exe
1260	wordpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Endermanch@MEMZ.exeEndermanch@MEMZ.exewordpad.exemsedge.exe

description	pid	process	target process
PID 4908 wrote to memory of 116	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 116	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 116	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 3756	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 3756	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 3756	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 1932	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 1932	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 1932	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 4912	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 4912	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 4912	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 4768	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 4768	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 4768	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 3748	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 3748	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 4908 wrote to memory of 3748	4908	Endermanch@MEMZ.exe	Endermanch@MEMZ.exe
PID 3748 wrote to memory of 1812	3748	Endermanch@MEMZ.exe	notepad.exe
PID 3748 wrote to memory of 1812	3748	Endermanch@MEMZ.exe	notepad.exe
PID 3748 wrote to memory of 1812	3748	Endermanch@MEMZ.exe	notepad.exe
PID 3748 wrote to memory of 1260	3748	Endermanch@MEMZ.exe	wordpad.exe
PID 3748 wrote to memory of 1260	3748	Endermanch@MEMZ.exe	wordpad.exe
PID 3748 wrote to memory of 1260	3748	Endermanch@MEMZ.exe	wordpad.exe
PID 1260 wrote to memory of 3616	1260	wordpad.exe	splwow64.exe
PID 1260 wrote to memory of 3616	1260	wordpad.exe	splwow64.exe
PID 3748 wrote to memory of 2188	3748	Endermanch@MEMZ.exe	msedge.exe
PID 3748 wrote to memory of 2188	3748	Endermanch@MEMZ.exe	msedge.exe
PID 2188 wrote to memory of 3096	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 3096	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe
PID 2188 wrote to memory of 4288	2188	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:116

C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3756

C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4912

C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe" /watchdog
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\Endermanch@MEMZ.exe" /main
2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
3⤵
PID:1812

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
4⤵
PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=stanky+danky+maymays
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd34f446f8,0x7ffd34f44708,0x7ffd34f44718
4⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
4⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
4⤵
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
4⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
4⤵
PID:2912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
4⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
4⤵
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
4⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
4⤵
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
4⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3612 /prefetch:8
4⤵
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff742245460,0x7ff742245470,0x7ff742245480
5⤵
PID:3876

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3612 /prefetch:8
4⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
4⤵
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
4⤵
PID:2876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
4⤵
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
4⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1292 /prefetch:1
4⤵
PID:344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
4⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
4⤵
PID:936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
4⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
4⤵
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,12160337016328406089,11525544563583022026,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
4⤵
PID:3816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=vinesauce+meme+collection
3⤵
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd34f446f8,0x7ffd34f44708,0x7ffd34f44718
4⤵
PID:996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://play.clubpenguin.com/
3⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd34f446f8,0x7ffd34f44708,0x7ffd34f44718
4⤵
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=facebook+hacking+tool+free+download+no+virus+working+2016
3⤵
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd34f446f8,0x7ffd34f44708,0x7ffd34f44718
4⤵
PID:3120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
163202a097983b20ce2bc01b538ac220

SHA1
d6687b7a0da5b733e677f7f9bc909527e97ff748

SHA256
031eb7b5db01a3ac72cce6caa1b26a3abd390d0bb06ae09af624088979c9330e

SHA512
dd1323e23848cfc3bc9d025e856bb2e48c94dac3093110356ca9c1fdac2ebd5ea304d0c79424197e6153126d29189c07a2993ce03873392023aaa967e5345a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
163202a097983b20ce2bc01b538ac220

SHA1
d6687b7a0da5b733e677f7f9bc909527e97ff748

SHA256
031eb7b5db01a3ac72cce6caa1b26a3abd390d0bb06ae09af624088979c9330e

SHA512
dd1323e23848cfc3bc9d025e856bb2e48c94dac3093110356ca9c1fdac2ebd5ea304d0c79424197e6153126d29189c07a2993ce03873392023aaa967e5345a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
163202a097983b20ce2bc01b538ac220

SHA1
d6687b7a0da5b733e677f7f9bc909527e97ff748

SHA256
031eb7b5db01a3ac72cce6caa1b26a3abd390d0bb06ae09af624088979c9330e

SHA512
dd1323e23848cfc3bc9d025e856bb2e48c94dac3093110356ca9c1fdac2ebd5ea304d0c79424197e6153126d29189c07a2993ce03873392023aaa967e5345a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
163202a097983b20ce2bc01b538ac220

SHA1
d6687b7a0da5b733e677f7f9bc909527e97ff748

SHA256
031eb7b5db01a3ac72cce6caa1b26a3abd390d0bb06ae09af624088979c9330e

SHA512
dd1323e23848cfc3bc9d025e856bb2e48c94dac3093110356ca9c1fdac2ebd5ea304d0c79424197e6153126d29189c07a2993ce03873392023aaa967e5345a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
331KB

MD5
95efe88b5b36c29de90d7e6e99300857

SHA1
9a0ebfba154f93b7ba83b733daef1225beefee76

SHA256
c596953e04cb63487d2543005ed52be5b4dc0ee3c38f394f530ce1ee9d79f8a3

SHA512
38d21358e5a36e63ae79a6e0346fe11fafd3404830bb9702355404cb6b0dbd5415d58a1b1db1570374b0212e894c2a03f4b37fb18a98cd9d00e4a6fcc438891a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
64KB

MD5
c4f7300442a8f13dddf5c9bd09128727

SHA1
d7c8a30cdfe9027cca42c45f44d569627112ae6c

SHA256
5decc8ac1f3d26152842e44d1aa103c913711168c968c936bb782fb3cac10155

SHA512
3b6ebaff36af22dcc9ae7a7593657b56f99afb242ebeed50d26a33e1e6b0ff31c98ef576b96cf98c277cafc1050fee40b5d4c3fcd730595be756089a980030cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
37KB

MD5
47ae9b25af86702d77c7895ac6f6b57c

SHA1
f56f78729b99247a975620a1103cac3ee9f313a5

SHA256
9bde79a1b0866f68d6baa43f920e971b5feb35a8e0af7ffadc114366f8538224

SHA512
72b5296e3dd1c5b4c42d8c3e4a56693819779167b9f02bc2d5f5a626b519a9cf10bee59846d614c929c42094b65d13039f6024f6cb1c023e740969aaefd060c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
69KB

MD5
bccc51004c03a0c94c1672047afa992c

SHA1
80654bd616d7b2ba2c477679ffa7c5cf69638e78

SHA256
9d688650a392928dc61497e4783e117dd40908415e4d3e1d4cc3bbf20190116d

SHA512
a5f410f3e0c27fc12156f7c132303c7a4171de267a07aa6edd0eb69e37a7ac73e5ff54dd8f4060740088df96cb119a09a499a4b3421ebd64be93bca7bd96a79a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
27f15793944ec5d09c9959235db29ea1

SHA1
0371493d984e4da952a4b8a4876e606a8282fa07

SHA256
4612f6acab30c7301bd86948767bf9cbf1d1c376af570bffb7999770910f3e2f

SHA512
76628743c9567cefc9c0985ff4e59fa9bdbaeaf43565c88696afb21fa5d76a52354f166c94bb36d40d86ff497acddb4fcbbebc094ad9c3f8c7737b8ee56c1cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
7b456de21bdb97057f564106c6ee2db4

SHA1
3213ccf01c0d832aa8e17bbeb3e19654d14c1223

SHA256
7105d476057e5beb0aa0dca0363cb45501450a8adf9813135dff508d03df8aa2

SHA512
26525f6c3159e5ecb6ea39dbabb3cd7ea5d882014f32f3243e2d98884c3f1e1c325c3bc392adc8241d17289701e45b0dfcc356d1dd953b9821373f5c1e16bcd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
b08bf316f11edf5cb39b535aef4ad403

SHA1
d971b255a0b58abec3f25d8c1dd4bf19ec0ba014

SHA256
0376ed2f40a4421b5b398a86ba2938f30c43c117c371a81f449671466183f8c3

SHA512
45a900f72d46ff28974f83d0e95856a1b12fce5e0d10a7c00c5bf7e718a81b1464462a61983f5e91d325e3dac36c709b860af14ec04e48ee6eb3edb483ebd324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
df3edeacb061aef584727a0a5b7d374a

SHA1
ff1b8a7f431c475f1012622af4819acff95a0401

SHA256
59ecd9e985fe880322d5bd85d357485e09615bd215c939dcf2e6b51c3bcf277e

SHA512
bce99cf5e9f5d553f9642a1987e50692016f3c8ead2ca4963543f6eb520c5aae8a81bc38b6155a54967a92edfc9178e009ecbb6cb5090d24a190119fd346d568

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
ff8ac44d8fd039f5d0cd6475348487de

SHA1
bd56ad83fa35210aca88583ab40becbcd176dccc

SHA256
c6d8c6318301a8a307692c647cb347cece949504dbcf559f252301b687bea20b

SHA512
48f6ff0748e648b534e8be08f3eb23a6a83e7c52b4e167158eaf0fba20f37e30962edc3740673cf01b23119bbe922a5e343ae0ae5e8272509e702d9b8eec031a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f208b45e616931a7f86dd1a880740e45

SHA1
fc60305e963575f3ebd4136b9f8efaec5febb670

SHA256
ce2d0e11dd8561da02108c1ae947a178bacfa6a7fa0da3930e2b6f39abf7ad8a

SHA512
4305b8b8229c2d551a08c4df1e1a564f3db3478dd9dafc7d2de803b5b2b48cd671edb3f03e35faed94878c1fc9ede7f966221498188d111c232e4a6e70340058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
10bac9a6a991b82ab187ca271909f2a3

SHA1
483c5ed3fff86f8189e4105231bdbd76ab6fd563

SHA256
3f11bada6ea586e485cfdf5b5c8a92c1aeb102fee71880f9e14fafa05d7d3ae3

SHA512
7422c9f3bf38d94cdadcc2410e4f392e29bc8d28472de74370ae67cf5eff91842f0d17c36adda9b64212eb9dcb4c5d194268f2eec52a423b50c5472a011b0467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
91ab44e70293cf25a5a98c878ae2206a

SHA1
a137a2b5d277e56996d291de0bfcf22b9c8aab2b

SHA256
042ee58c56f1fd6176183991a614f3f343c3de0e9a4c453e1eba4c7cfb55d05f

SHA512
8cc1aaf5895bb44a6d302df5c3e8f0e34ee754c85be92614011779bdf394c732232256701426e834700f1f555ceccfc128cb74d38173e860f752e7ea3874e932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
7880cc221958a35caed9589e3cde40ed

SHA1
416c921b6131ebfda43b74d5c0528b42826bfdcb

SHA256
0275be4971c0435efa17f7ef0efa3edf10c021ee12442fd0c50999b7ff709592

SHA512
403892e4d8098d319bcad8f2016d56ee503af713881177db5b975afec6e22e0e643a1ca547cf3c4025a9ae3d458702cbd8e19689afc2870ccbad60baec493f72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
90B

MD5
7dff0eb3892b7a5bca063ded4511beaa

SHA1
7e3f41be2921125c0852981fa317e40b6581ddad

SHA256
13013eb51dbe89c7aadba0094895b9f7799bc54bc7d3befc722b235888404fe4

SHA512
3c1f4f12bcb95bef8dadd1e43a93dd2d92f713d90f05a28c1c79c098f3f4160e6482602f6b19810ae351ebd345cd42209a4ca4d0048a25c042efa7fb6fa20d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
90B

MD5
c17f01b1473c6e5cd033167be45c724b

SHA1
535e12a6f5603684f07c8afa4102b4f1a78b46d9

SHA256
2c2d846d7ab05d13691cedcf96f4c8238f2b465fb0f66283896bc8ab20084fe0

SHA512
dec30e6a67c49d7b23bb6475a1f2a0ed87fe262ce95892b123e7a5d448b57e858c837a0af97438810ff6af6947ce1ab4fc51ad413ed3eb309be452583e820728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
372B

MD5
c9c49bd66ae9092346ced9315b97594b

SHA1
76bbec653ab046e2b65835a6cc4252f773938803

SHA256
7d79bf89849c8b9c185cf787686e14f8eaff3d6a3397ee1876cb8273e2fda2f5

SHA512
1d30cc81e74dd15a97e0a0699b5d0179eafb2be472548f8b73e0634cf0834d07e8dc6d3e36549e46228305e96d9e17d57833f52eb2c42771cb4631cda91c531e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580e43.TMP
Filesize
370B

MD5
5fabf88c910e81c71fba070a32bed53b

SHA1
561f37f2ba6a43bb384896decf5df50896e1034b

SHA256
e92f116cbd482c0e7013c01f9b752c0451bdc3faeb8470afaddd64fe949ddd2a

SHA512
acae5278d7413a1bbab8737fd9e2449896d4e24b6d93fc4ad533adca666d6a8bb4b6469d9fdc6650b2f2f6c16abf97e495c22c79c994b5c3bd5dc6daa83109e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
58af20babece6106aae079001d0b8163

SHA1
b63114f047845b735ffbce9948601273b281fa12

SHA256
a2351691b6017542c44410f04df4281a22c1467e2fe27a2dc6c4d71e7fb568d7

SHA512
534e7f21389d68d23a520def631b3e3112205344076e8a6d435560d082aadcbc3fae532b6111bb46923570a872896a46c1a8103006f0b10d5d64e337314f8ab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
ab4bf6f13066ec383d5c983c10259d12

SHA1
329409173699a41bac45e17af7f68eb2ea9ed012

SHA256
b9748b014f6c5e3fcd1672bea82694ab8483584d430d1aae0c281fd5ad0d8265

SHA512
f39dbbd9e0ff78caf3c59f01780a2deb26499d45654ff7c4e0e4baee55c1667fd25d46b057a83708a8a1d5f2b084a1bb8f962e2ebfb5c4a54b07d39168307534

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
3923d968ab436f5859d9b218f1dc2749

SHA1
a7f4223337c67ef3bd3b243252ccb35cd491c9bc

SHA256
6d4893bc6e985ed69ec205b94440a9b2924af2e42aa1bfb52f0636e54a14458e

SHA512
aa5e654f8a34a089bae916554d4e03e0fdcfc2300d19fa7edd343eea1e95df1d609d21533324180c9d6d52d66e356ad17774afb114fac637d950baf450978e09

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_2188_QZQRJRNBFVOWIDIM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit