hxxps://www[.]mediafire[.]com/file/gigc7q6hytvpbaa/FORTNITE_EZH[.]rar

Analysis

max time kernel
1807s
max time network
1696s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2023, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/gigc7q6hytvpbaa/FORTNITE_EZH.rar

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1272	winrar-x64-700b1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3350690463-3549324357-1323838019-1000\{9BC5BA8F-814C-4271-95E1-FA04D625422E}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 839248.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
3752	msedge.exe
3752	msedge.exe
5956	identity_helper.exe
5956	identity_helper.exe
1824	msedge.exe
1824	msedge.exe
5716	msedge.exe
5716	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
5844	msedge.exe
1780	msedge.exe
1780	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5280	OpenWith.exe
4872	7zG.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	4872	7zG.exe
Token: 35	4872	7zG.exe
Token: SeSecurityPrivilege	4872	7zG.exe
Token: SeSecurityPrivilege	4872	7zG.exe
Token: SeRestorePrivilege	4380	7zG.exe
Token: 35	4380	7zG.exe
Token: SeSecurityPrivilege	4380	7zG.exe
Token: SeSecurityPrivilege	4380	7zG.exe
Token: SeManageVolumePrivilege	5284	svchost.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
4872	7zG.exe
4380	7zG.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
4728	OpenWith.exe
5692	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
5280	OpenWith.exe
1272	winrar-x64-700b1.exe
1272	winrar-x64-700b1.exe
1272	winrar-x64-700b1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 3992	5032	msedge.exe	83
PID 5032 wrote to memory of 3992	5032	msedge.exe	83
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3188	5032	msedge.exe	84
PID 5032 wrote to memory of 3752	5032	msedge.exe	85
PID 5032 wrote to memory of 3752	5032	msedge.exe	85
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86
PID 5032 wrote to memory of 636	5032	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/gigc7q6hytvpbaa/FORTNITE_EZH.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad58146f8,0x7ffad5814708,0x7ffad5814718
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7532 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9104 /prefetch:8
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7752 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8020 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8836 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8340 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7564 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8016 /prefetch:1
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7480 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8076 /prefetch:8
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8252 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8528 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7548 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,11938586064136961250,10339442729015209472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5692

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5280

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3076

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap8531:86:7zEvent27838
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4872

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap10553:86:7zEvent27221
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4380

C:\Users\Admin\Downloads\winrar-x64-700b1.exe
"C:\Users\Admin\Downloads\winrar-x64-700b1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1272

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
50d5082203c186511209f1927298c408

SHA1
9e9a73758c5ad74cfca59b79f12a96dfb5efd90d

SHA256
b08517ea89ad86953b06aab57604841cf2dc141d152b81357b31202dc8ae0c8d

SHA512
1bbbe109fdd19dfb7f65b950f2227eb8d9788c4d43815512a3357c71391774e57937fc1366c9975788702d3d1427bc05322ae71333d2cc419d091e1090f05c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
483924abaaa7ce1345acd8547cfe77f4

SHA1
4190d880b95d9506385087d6c2f5434f0e9f63e8

SHA256
9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684

SHA512
e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
64a0d180d8fa6f7deb7e5f4a7d2faeb0

SHA1
0bd6ca3e2c06a81b5044974c0d998a6225a3e9e0

SHA256
84cc2a567634449f4b56163a6ee3c26f71744216deeb4d2cba18d63bd82ce7fd

SHA512
2260fc4f2c46c5defc35161648690bd17d46ea9c6dd5be4b4fde622b51d7297f282ffe74dc5e4af8a7998b7ddf8ce3ca2e8b2f1e6146b84fe1a1f040738911a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
637f1ee1326a91235325a352c49b2c17

SHA1
234f9f6f52e08db45043c31a5dc3cad1a34ee340

SHA256
cf84be14624b732acaaab7b8f90a2d8328c252765de94d43669e1aea46a03637

SHA512
1a009c2e5d6469ad598df8d6228f94a4f6b910d97ed99a1657cdedb2f8747086e01a65162f1e07f1df8f136ea4a00ec5fad603b7f6061a0b4b1191fecb725055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
3ec378b0febd3500fc1c9131f4381f1e

SHA1
659120b464511cafed4d1e273372cdcc18a4ef9d

SHA256
f286a02e780439bc711f9a3d56de6dd5c03c626b3f8dfc241d6ccdce1ee5f156

SHA512
585067cfdd51f88f8dccce44ce7a8e78dbeed65dd158c95004cb6ce45a8d82ae7810e7a9791a20f1bedae3b4376b9343498395fddf26c9a7e9c91f9e7ca8baae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
f03c1c7b6d2fb75c9d891278fe378a72

SHA1
3254826396fd9424a37930bfd7b744f5ef9d6f91

SHA256
b31996a6126b8cc24d262f5b6a9fa54bac5850888ab9e16eafcd156e02fc8cd5

SHA512
e5ee1cbf3ff5b53d49f9b03cdfca73f582d019c53454637f8f1732f06cff0e10447b8dbbfeb3a5d3495eb10292ae9d5bef5f2fe97bf63858b63c8605ef9ceffb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
08ba4ca7cda80389be70060ed0411ce5

SHA1
79e845be4912fe7ee407e44c297c1d402eab4fa7

SHA256
4f659146e1e17a3c483422a512eccbbaf8940cfb2e18501661d993e751346b91

SHA512
ad39d2104539bfa96f47cbdf33af27e909f67086d7f498be0acb3cec86c102cd22c2bb5df94a4f3e9ba2649199af492c74fbd1922fcb1ebfb5c410c705cf0882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
13f6b2f3193994318bc80ecaeb45a8d5

SHA1
b0459e9d9b24d221df2743f0f4e168de6b2dd70b

SHA256
ee0e0b85af6b38e30df177f412cea03ef7f0ad3dc63af4ef2ecb457496b818b7

SHA512
cc538741f9d3e02162d5f8c0673428a7ab393bd8c22c58102718822fcf0ecea4261ba61a14d3969afcbf75fd6bf8618b501b1b22128b7ae06a298f4cfeca637a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c2dc0763a74d72c6d4f4ed9dfac952e8

SHA1
5f7c22000db14952d9c989096db26b8a6b211080

SHA256
4d1a04d5053a1b2c79b70b6154a765ff1b43522a2b47debf416272a2aae2d942

SHA512
f9f99b9ef0d64bacdcab968554bcf41810c115a3a077fae41ae828a05b8f31ee31856c06d3a606aa109082b766c658541b7d9ae84226aa98d1887e190c0b921a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1c706d53e85fb5321a8396d197051531

SHA1
0d92aa8524fb1d47e7ee5d614e58a398c06141a4

SHA256
80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932

SHA512
d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
cc916f5055cc0ed3c301b9b9468feab0

SHA1
f71ee74776fa7357320afaf6a7875d8ae2766cb7

SHA256
af1ff4a99c1dc79430b34db1485804ae94d7fc6625fa25dbeb78eaed0be35d78

SHA512
a90382ab84b96db41ebaf87f4af20b61d66899c66f9f6631bc9f803a85a6ec0365fa4ca53ded35fe2483d2f251bea617f8dca28b7044e1038a0a68dc84ea3961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9859ce109451609886ae6100fd11f95a

SHA1
d2123ccc633c07b3a5c4bba0971e51d655d5f2e5

SHA256
6c8d93b46c2b6d4bbcab84ed36a9b9ce5dc7509b336d0829ec9f0fa507e509fb

SHA512
d7d0d374da99bbb0ff993dd5f6256aeedb85b5e8f56a2ac8959f0cf2194c344b5fc6382821d1eff2b31d1194dea957df3e658cd694a2572606153b276a65f87d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582ad4.TMP

Filesize
2KB

MD5
446c56003c38db642a9bae8191f0c9d1

SHA1
86839bb0173b974a063b04b6a68b28230a695618

SHA256
4ad9a1f4221007fd86049e19998a71398559ac6eaf94a040bd4bb4cbacbcb6ae

SHA512
b27edc6ea04bff4411cf5494e3664c45fbaf8a21e798166bac2480b197a923e21f7e1beb43b1b51c2be75be1cb2f842f4adf5068b6b3e8e57e7bcd5bb7068a71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
286e2ad9dda50ae4937eb9145968fcf5

SHA1
10f50f667f630b94a5c9746c1883438601bbbb90

SHA256
86ba4bf6c21edd2dbc7aaf8598ea08635931ee660271d7da5e7be5299144df6d

SHA512
f553e42973805f66784786d4b988aef63717b8d8e0210e7dc532613dc6043fa6492dbc2a42c06d60307731c4e89a133689104a03cac61b6765d05818a552c5c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
20ccf44c31995e926bde84f358140ffb

SHA1
a2b2f1fa040e72fe6b6ee806a6af13ebe5d2e7df

SHA256
795b7e555699990ec36610c677afb8011ecc1da284fe308693919dbe00fea077

SHA512
90bd5c1bce0b88a6c52ac31be5114aebbd7dc272093abc48a52027e9ae0e26658467209569c5d48312a6aaf268e1e2a47becb466523a762af1dd53399801bfde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
27cc68b1942d746f53a6008d46bbf722

SHA1
b899f835c5e57c7eb3a7a50d459398c578e58328

SHA256
444b5ebeda5fd943b01a01f03538c974420903eb6238ac84cef55de02255c545

SHA512
e99c3da20296e118c40f519c3479ab9f35adac21c54a11f162dc5892a82a740eea1ba4df19bf031d2bab4deea38a1f3a14fe9512f3087c6c78b7c19200147b73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eb43adb16c9516bf4792954578616f61

SHA1
611078dca5237def300c2d1ee73a8d499f293804

SHA256
039e6c8c161af768a7563a73f6d0f16ec7708daef55f3c4650ba35ce99aad714

SHA512
588d41c91a5c35acedab50d3f6f464797ba1543ceb631aa365593611501be21cd30d9227b44d75a886a78b4e35090bb4691c555f4e3f9f92ac42575485faa542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
697679243ac19487aff72b5ec9121c66

SHA1
3c7b7536974de0497a21f1b5f195128ba6551e36

SHA256
ecdf120b08f6c8f434aeaf07e95f3873e7ab4e4df8fea299e5a4b118ab59786b

SHA512
1f3da9b2c4c29e9ffaaea1f936a932d8bb3d696fcfcea2b2891e7fb62d0d4e072a8f44f247c3d4a79880314bc922e5bfc73c75f85840a46bc9060a9124260838

Download Submit
C:\Users\Admin\Downloads\FORTNITE_EZH.rar

Filesize
7.3MB

MD5
d0f7a613d9cea62f52b63130003a6293

SHA1
57a2989034e945480ac4ce149f91d3d5e73a87b5

SHA256
f4fb8eff29f4f9df0bdbc593b2a5fc59ae4ebf80b83153caaf082bf23ca9e5eb

SHA512
92c078a9540fecf9c5e8b054f18a77305e4254e941842e6fcc73d17b991b3a13a1ffa98219b6ffb81dcd496cbadf2ae4bfd5af53d53cd2b1f6d2913ebb387d21

Download Submit
C:\Users\Admin\Downloads\FORTNITE_EZH.zip

Filesize
7.3MB

MD5
d0f7a613d9cea62f52b63130003a6293

SHA1
57a2989034e945480ac4ce149f91d3d5e73a87b5

SHA256
f4fb8eff29f4f9df0bdbc593b2a5fc59ae4ebf80b83153caaf082bf23ca9e5eb

SHA512
92c078a9540fecf9c5e8b054f18a77305e4254e941842e6fcc73d17b991b3a13a1ffa98219b6ffb81dcd496cbadf2ae4bfd5af53d53cd2b1f6d2913ebb387d21

Download Submit
C:\Users\Admin\Downloads\winrar-x64-700b1.exe

Filesize
3.7MB

MD5
7e39d7f3ff9248fa10a68cc4852b497c

SHA1
872959d8c20c35aa736636e3a0012fd1e0b8b769

SHA256
323da212626973c6edb9ec614cef7cfb047181d4ea7a0611474ee24453358d35

SHA512
d95a340028f5e83812508e31b92391b3f2ad1899188b3f88a65db5fdc724df211b7e1e7a7656bd1765dad833e8584dba484eb382f57dc2fd7539e8fd1eba11c6

Download Submit
C:\Users\Admin\Downloads\winrar-x64-700b1.exe

Filesize
3.7MB

MD5
7e39d7f3ff9248fa10a68cc4852b497c

SHA1
872959d8c20c35aa736636e3a0012fd1e0b8b769

SHA256
323da212626973c6edb9ec614cef7cfb047181d4ea7a0611474ee24453358d35

SHA512
d95a340028f5e83812508e31b92391b3f2ad1899188b3f88a65db5fdc724df211b7e1e7a7656bd1765dad833e8584dba484eb382f57dc2fd7539e8fd1eba11c6

Download Submit
C:\Users\Admin\Downloads\winrar-x64-700b1.exe

Filesize
3.7MB

MD5
7e39d7f3ff9248fa10a68cc4852b497c

SHA1
872959d8c20c35aa736636e3a0012fd1e0b8b769

SHA256
323da212626973c6edb9ec614cef7cfb047181d4ea7a0611474ee24453358d35

SHA512
d95a340028f5e83812508e31b92391b3f2ad1899188b3f88a65db5fdc724df211b7e1e7a7656bd1765dad833e8584dba484eb382f57dc2fd7539e8fd1eba11c6

Download Submit
memory/5284-684-0x000001ABFE760000-0x000001ABFE761000-memory.dmp

Filesize
4KB

Download
memory/5284-685-0x000001ABFE760000-0x000001ABFE761000-memory.dmp

Filesize
4KB

Download
memory/5284-676-0x000001ABFE760000-0x000001ABFE761000-memory.dmp

Filesize
4KB

Download
memory/5284-677-0x000001ABFE760000-0x000001ABFE761000-memory.dmp

Filesize
4KB

Download
memory/5284-678-0x000001ABFE760000-0x000001ABFE761000-memory.dmp

Filesize
4KB

Download
memory/5284-679-0x000001ABFE760000-0x000001ABFE761000-memory.dmp

Filesize
4KB

Download
memory/5284-680-0x000001ABFE760000-0x000001ABFE761000-memory.dmp

Filesize
4KB

Download
memory/5284-681-0x000001ABFE760000-0x000001ABFE761000-memory.dmp

Filesize
4KB

Download
memory/5284-682-0x000001ABFE760000-0x000001ABFE761000-memory.dmp

Filesize
4KB

Download
memory/5284-686-0x000001ABFE390000-0x000001ABFE391000-memory.dmp

Filesize
4KB

Download
memory/5284-675-0x000001ABFE740000-0x000001ABFE741000-memory.dmp

Filesize
4KB

Download
memory/5284-659-0x000001ABFE150000-0x000001ABFE160000-memory.dmp

Filesize
64KB

Download
memory/5284-683-0x000001ABFE760000-0x000001ABFE761000-memory.dmp

Filesize
4KB

Download
memory/5284-687-0x000001ABFE380000-0x000001ABFE381000-memory.dmp

Filesize
4KB

Download
memory/5284-689-0x000001ABFE390000-0x000001ABFE391000-memory.dmp

Filesize
4KB

Download
memory/5284-692-0x000001ABFE380000-0x000001ABFE381000-memory.dmp

Filesize
4KB

Download
memory/5284-695-0x000001ABFE2C0000-0x000001ABFE2C1000-memory.dmp

Filesize
4KB

Download
memory/5284-643-0x000001ABFE050000-0x000001ABFE060000-memory.dmp

Filesize
64KB

Download
memory/5284-707-0x000001ABFE4C0000-0x000001ABFE4C1000-memory.dmp

Filesize
4KB

Download
memory/5284-709-0x000001ABFE4D0000-0x000001ABFE4D1000-memory.dmp

Filesize
4KB

Download
memory/5284-710-0x000001ABFE4D0000-0x000001ABFE4D1000-memory.dmp

Filesize
4KB

Download
memory/5284-711-0x000001ABFE5E0000-0x000001ABFE5E1000-memory.dmp

Filesize
4KB

Download