kinsing | hxxps://cdn[.]discordapp[.]com/attachments/1192953634183458836/1200111947216076811/Nezur[.]exe?ex=65c4fe59&is=65b28959&hm=1bc936ecddd88b1e9310f9f5128d1608f295aef31d04d0e3cc457857d06ad6f8&

Analysis

max time kernel
787s
max time network
792s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1192953634183458836/1200111947216076811/Nezur.exe?ex=65c4fe59&is=65b28959&hm=1bc936ecddd88b1e9310f9f5128d1608f295aef31d04d0e3cc457857d06ad6f8&

Score

10^/10

kinsing discovery loader persistence

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	windowsdesktop-runtime-7.0.15-win-x86.exe

Executes dropped EXE 8 IoCs

pid	Process
456	Nezur.exe
1208	Nezur.exe
4376	windowsdesktop-runtime-7.0.15-win-x86.exe
2560	windowsdesktop-runtime-7.0.15-win-x86.exe
4420	windowsdesktop-runtime-7.0.15-win-x86.exe
1400	windowsdesktop-runtime-7.0.15-win-x86.exe
2172	windowsdesktop-runtime-7.0.15-win-x86.exe
1656	Nezur.exe

Loads dropped DLL 64 IoCs

pid	Process
4420	windowsdesktop-runtime-7.0.15-win-x86.exe
1400	windowsdesktop-runtime-7.0.15-win-x86.exe
3416	MsiExec.exe
1656	MsiExec.exe
4120	MsiExec.exe
1840	MsiExec.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe
1656	Nezur.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{0305aed7-88ea-4e4d-995e-c09c56c41bd1} = "\"C:\\ProgramData\\Package Cache\\{0305aed7-88ea-4e4d-995e-c09c56c41bd1}\\windowsdesktop-runtime-7.0.15-win-x86.exe\" /burn.runonce"	windowsdesktop-runtime-7.0.15-win-x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\zh-Hans\PresentationUI.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\de\PresentationFramework.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\wpfgfx_cor3.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\clrjit.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Security.Principal.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\createdump.exe	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\tr\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Xml.XmlDocument.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Resources.ResourceManager.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\pl\System.Windows.Input.Manipulations.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\es\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\de\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.IO.Compression.ZipFile.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\pt-BR\Microsoft.VisualBasic.Forms.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\System.Windows.Input.Manipulations.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\System.Configuration.ConfigurationManager.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\zh-Hans\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\de\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\it\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\zh-Hans\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\System.Design.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.IO.Pipes.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Data.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Formats.Tar.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\PresentationFramework.Luna.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\ru\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\System.Drawing.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Net.Security.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Xml.XDocument.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\PresentationFramework.Aero.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\System.Diagnostics.PerformanceCounter.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\pt-BR\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Reflection.Primitives.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\zh-Hans\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\ja\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\ja\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Reflection.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Diagnostics.TextWriterTraceListener.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\zh-Hant\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\PresentationUI.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\pl\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Diagnostics.Process.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Runtime.InteropServices.RuntimeInformation.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\cs\System.Xaml.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\pl\System.Windows.Forms.Primitives.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\mscordbi.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\mscorrc.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\cs\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Reflection.Emit.ILGeneration.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Collections.Immutable.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\System.Drawing.Design.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Net.Mail.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Runtime.Loader.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\ko\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\fr\System.Xaml.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Runtime.Serialization.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Security.Claims.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.Net.WebSockets.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\UIAutomationTypes.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\cs\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.15\vcruntime140_cor3.dll	msiexec.exe
File created	C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\7.0.15\System.ComponentModel.Primitives.dll	msiexec.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICB52.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{565B8608-2758-4BB1-90B8-13C8D5D9A7A3}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA06.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e615e6a.msi	msiexec.exe
File created	C:\Windows\Installer\e615e64.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e615e5f.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A8653AB8-2037-4D69-903D-F1D5FA5CACD2}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFA8.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D96F6B53-FC66-4BEE-91BD-1A4E944FC061}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDBA0.tmp	msiexec.exe
File created	C:\Windows\Installer\e615e5b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACCB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e615e65.msi	msiexec.exe
File created	C:\Windows\Installer\e615e6e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D99.tmp	msiexec.exe
File created	C:\Windows\Installer\e615e60.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e615e60.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF2B.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{961F4E18-EF6F-44DA-A61E-8AFCAA87CB87}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC44C.tmp	msiexec.exe
File created	C:\Windows\Installer\e615e65.msi	msiexec.exe
File created	C:\Windows\Installer\e615e69.msi	msiexec.exe
File created	C:\Windows\Installer\e615e6a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e615e5b.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0305aed7-88ea-4e4d-995e-c09c56c41bd1}\ = "{0305aed7-88ea-4e4d-995e-c09c56c41bd1}"	windowsdesktop-runtime-7.0.15-win-x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E4F169F6FEAD446AE1A8CFAA78BC78\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E4F169F6FEAD446AE1A8CFAA78BC78\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{961F4E18-EF6F-44DA-A61E-8AFCAA87CB87}v56.60.5674\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x86	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BA3568A730296D409D31F5DAFC5CA2D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BA3568A730296D409D31F5DAFC5CA2D\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8068B56585721BB4098B318C5D9D7A3A\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_56.60.5674_x86	windowsdesktop-runtime-7.0.15-win-x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_56.60.5674_x86\Dependents	windowsdesktop-runtime-7.0.15-win-x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_56.60.5674_x86\ = "{961F4E18-EF6F-44DA-A61E-8AFCAA87CB87}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x86\Dependents\{0305aed7-88ea-4e4d-995e-c09c56c41bd1}	windowsdesktop-runtime-7.0.15-win-x86.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_56.60.5778_x86	windowsdesktop-runtime-7.0.15-win-x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0305aed7-88ea-4e4d-995e-c09c56c41bd1}\Version = "7.0.15.33129"	windowsdesktop-runtime-7.0.15-win-x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8068B56585721BB4098B318C5D9D7A3A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E4F169F6FEAD446AE1A8CFAA78BC78\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E4F169F6FEAD446AE1A8CFAA78BC78\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E4F169F6FEAD446AE1A8CFAA78BC78\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BA3568A730296D409D31F5DAFC5CA2D\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\35B6F69D66CFEEB419DBA1E449F40C16\SourceList\PackageName = "windowsdesktop-runtime-7.0.15-win-x86.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8068B56585721BB4098B318C5D9D7A3A\ProductName = "Microsoft .NET Runtime - 7.0.15 (x86)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E4F169F6FEAD446AE1A8CFAA78BC78\PackageCode = "4607BD783359EE74C90B337EA71931CB"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\35B6F69D66CFEEB419DBA1E449F40C16\ProductName = "Microsoft Windows Desktop Runtime - 7.0.15 (x86)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3774C265BB25E195676300FC0E846513\35B6F69D66CFEEB419DBA1E449F40C16	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8068B56585721BB4098B318C5D9D7A3A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8068B56585721BB4098B318C5D9D7A3A\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x86\ = "{A8653AB8-2037-4D69-903D-F1D5FA5CACD2}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_56.60.5778_x86	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\35B6F69D66CFEEB419DBA1E449F40C16	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BA3568A730296D409D31F5DAFC5CA2D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\35B6F69D66CFEEB419DBA1E449F40C16\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BA3568A730296D409D31F5DAFC5CA2D\Version = "943461930"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BA3568A730296D409D31F5DAFC5CA2D\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{A8653AB8-2037-4D69-903D-F1D5FA5CACD2}v56.60.5674\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\35B6F69D66CFEEB419DBA1E449F40C16	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_56.60.5674_x86\Version = "56.60.5674"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E4F169F6FEAD446AE1A8CFAA78BC78	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E4F169F6FEAD446AE1A8CFAA78BC78\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_56.60.5674_x86	windowsdesktop-runtime-7.0.15-win-x86.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x86	windowsdesktop-runtime-7.0.15-win-x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\35B6F69D66CFEEB419DBA1E449F40C16\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\35B6F69D66CFEEB419DBA1E449F40C16\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E4F169F6FEAD446AE1A8CFAA78BC78\Version = "943461930"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x86\Version = "56.60.5674"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x86\DisplayName = "Microsoft .NET Host - 7.0.15 (x86)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\35B6F69D66CFEEB419DBA1E449F40C16\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E4F169F6FEAD446AE1A8CFAA78BC78\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BA3568A730296D409D31F5DAFC5CA2D\ProductName = "Microsoft .NET Host - 7.0.15 (x86)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BA3568A730296D409D31F5DAFC5CA2D\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8068B56585721BB4098B318C5D9D7A3A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BA3568A730296D409D31F5DAFC5CA2D\PackageCode = "5B69673A9BC0DF34892D51F6D389F4CB"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BA3568A730296D409D31F5DAFC5CA2D\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x86\Dependents	windowsdesktop-runtime-7.0.15-win-x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8068B56585721BB4098B318C5D9D7A3A\SourceList\PackageName = "dotnet-runtime-7.0.15-win-x86.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E4F169F6FEAD446AE1A8CFAA78BC78\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BA3568A730296D409D31F5DAFC5CA2D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\35B6F69D66CFEEB419DBA1E449F40C16\Version = "943462034"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\35B6F69D66CFEEB419DBA1E449F40C16\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CECF0AFFB02504A6772360FBC67BC746\81E4F169F6FEAD446AE1A8CFAA78BC78	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E4F169F6FEAD446AE1A8CFAA78BC78\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BA3568A730296D409D31F5DAFC5CA2D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0305aed7-88ea-4e4d-995e-c09c56c41bd1}\Dependents\{0305aed7-88ea-4e4d-995e-c09c56c41bd1}	windowsdesktop-runtime-7.0.15-win-x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8068B56585721BB4098B318C5D9D7A3A\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E4F169F6FEAD446AE1A8CFAA78BC78\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8BA3568A730296D409D31F5DAFC5CA2D\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\35B6F69D66CFEEB419DBA1E449F40C16\Provider	msiexec.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 808329.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 500446.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4652	msedge.exe
4652	msedge.exe
4916	msedge.exe
4916	msedge.exe
2836	identity_helper.exe
2836	identity_helper.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
3484	msedge.exe
3484	msedge.exe
1444	msedge.exe
1444	msedge.exe
3672	msedge.exe
3672	msedge.exe
1236	identity_helper.exe
1236	identity_helper.exe
3008	msedge.exe
3008	msedge.exe
1660	msiexec.exe
1660	msiexec.exe
1660	msiexec.exe
1660	msiexec.exe
1660	msiexec.exe
1660	msiexec.exe
1660	msiexec.exe
1660	msiexec.exe
3796	msedge.exe
3796	msedge.exe
4196	msedge.exe
4196	msedge.exe
2212	identity_helper.exe
2212	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeIncreaseQuotaPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeSecurityPrivilege	1660	msiexec.exe
Token: SeCreateTokenPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeAssignPrimaryTokenPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeLockMemoryPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeIncreaseQuotaPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeMachineAccountPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeTcbPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeSecurityPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeTakeOwnershipPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeLoadDriverPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeSystemProfilePrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeSystemtimePrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeProfSingleProcessPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeIncBasePriorityPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeCreatePagefilePrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeCreatePermanentPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeBackupPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeRestorePrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeShutdownPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeDebugPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeAuditPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeSystemEnvironmentPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeChangeNotifyPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeRemoteShutdownPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeUndockPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeSyncAgentPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeEnableDelegationPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeManageVolumePrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeImpersonatePrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeCreateGlobalPrivilege	2172	windowsdesktop-runtime-7.0.15-win-x86.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe
4196	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
456	Nezur.exe
1208	Nezur.exe
4376	windowsdesktop-runtime-7.0.15-win-x86.exe
2560	windowsdesktop-runtime-7.0.15-win-x86.exe
1400	windowsdesktop-runtime-7.0.15-win-x86.exe
4420	windowsdesktop-runtime-7.0.15-win-x86.exe
2172	windowsdesktop-runtime-7.0.15-win-x86.exe
1656	Nezur.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 4412	4916	msedge.exe	85
PID 4916 wrote to memory of 4412	4916	msedge.exe	85
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4428	4916	msedge.exe	87
PID 4916 wrote to memory of 4652	4916	msedge.exe	86
PID 4916 wrote to memory of 4652	4916	msedge.exe	86
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88
PID 4916 wrote to memory of 4804	4916	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1192953634183458836/1200111947216076811/Nezur.exe?ex=65c4fe59&is=65b28959&hm=1bc936ecddd88b1e9310f9f5128d1608f295aef31d04d0e3cc457857d06ad6f8&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d9a946f8,0x7ff9d9a94708,0x7ff9d9a94718
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2176 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4064 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6180 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4896 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3484
- C:\Users\Admin\Downloads\Nezur.exe
  "C:\Users\Admin\Downloads\Nezur.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win10-x86&apphost_version=7.0.14&gui=true
    3⤵
    PID:4360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff9d9a946f8,0x7ff9d9a94708,0x7ff9d9a94718
      4⤵
      PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,10472310736855189679,9693425729979151732,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:2240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4784

C:\Users\Admin\Downloads\Nezur.exe
"C:\Users\Admin\Downloads\Nezur.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win10-x86&apphost_version=7.0.14&gui=true
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9d9a946f8,0x7ff9d9a94708,0x7ff9d9a94718
    3⤵
    PID:224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    3⤵
    PID:1724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
    3⤵
    PID:4628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:1920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:2172
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
    3⤵
    PID:4752
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
    3⤵
    PID:2392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
    3⤵
    PID:2908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
    3⤵
    PID:2528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
    3⤵
    PID:4264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
    3⤵
    PID:468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5712 /prefetch:8
    3⤵
    PID:1756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
    3⤵
    PID:1820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6276 /prefetch:8
    3⤵
    PID:4192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:5108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
    3⤵
    PID:1752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,16862034797355128940,6023946007158726202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3008
- - C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.15-win-x86.exe
    "C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.15-win-x86.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4376
  - - C:\Windows\Temp\{5C0F1F0C-AD4F-432D-813F-87422A6FFECC}\.cr\windowsdesktop-runtime-7.0.15-win-x86.exe
      "C:\Windows\Temp\{5C0F1F0C-AD4F-432D-813F-87422A6FFECC}\.cr\windowsdesktop-runtime-7.0.15-win-x86.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.15-win-x86.exe" -burn.filehandle.attached=572 -burn.filehandle.self=580
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4420
    - - C:\Windows\Temp\{9675E175-E3CA-4297-BC38-925F0F02F84C}\.be\windowsdesktop-runtime-7.0.15-win-x86.exe
        
        "C:\Windows\Temp\{9675E175-E3CA-4297-BC38-925F0F02F84C}\.be\windowsdesktop-runtime-7.0.15-win-x86.exe" -q -burn.elevated BurnPipe.{FBA8575A-5E98-4631-B620-6B4E31D6D5E3} {A36BBDA5-B196-4AB4-892A-0F7B752DFCE1} 4420
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2172
- - C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.15-win-x86.exe
    "C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.15-win-x86.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2560
  - - C:\Windows\Temp\{979ECABB-5D45-4C5E-9933-6929A2EF01C2}\.cr\windowsdesktop-runtime-7.0.15-win-x86.exe
      "C:\Windows\Temp\{979ECABB-5D45-4C5E-9933-6929A2EF01C2}\.cr\windowsdesktop-runtime-7.0.15-win-x86.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.15-win-x86.exe" -burn.filehandle.attached=560 -burn.filehandle.self=556
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2320

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ED160757190E08DD13D252C76B9D124D
  2⤵
  - Loads dropped DLL
  PID:3416
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5FCFE8A9D8FC16C6EC0D8474D6B921CA
  2⤵
  - Loads dropped DLL
  PID:1656
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 949A77403DD48D19C57F97CB4D2A7E29
  2⤵
  - Loads dropped DLL
  PID:4120
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B6B39EBC07C1BE3270A9604C24ACA129
  2⤵
  - Loads dropped DLL
  PID:1840

C:\Users\Admin\Downloads\Nezur.exe
"C:\Users\Admin\Downloads\Nezur.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://1cheats.com/store/product/41-nezur-key-bypass-lifetime-license/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:4196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9d9a946f8,0x7ff9d9a94708,0x7ff9d9a94718
    3⤵
    PID:3284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,6615448954450357682,7014984174457494429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6615448954450357682,7014984174457494429,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
    3⤵
    PID:1244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,6615448954450357682,7014984174457494429,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
    3⤵
    PID:4204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6615448954450357682,7014984174457494429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:5040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6615448954450357682,7014984174457494429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    3⤵
    PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6615448954450357682,7014984174457494429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
    3⤵
    PID:2752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6615448954450357682,7014984174457494429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
    3⤵
    PID:912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6615448954450357682,7014984174457494429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
    3⤵
    PID:3352
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,6615448954450357682,7014984174457494429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 /prefetch:8
    3⤵
    PID:2852
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,6615448954450357682,7014984174457494429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6615448954450357682,7014984174457494429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
    3⤵
    PID:744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6615448954450357682,7014984174457494429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
    3⤵
    PID:2992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6615448954450357682,7014984174457494429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
    3⤵
    PID:4680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e615e5e.rbs

Filesize
49KB

MD5
e6c241443e43d55d1a2856bab1f5ab0e

SHA1
e987aff3e255a71189b76948436356fc322283eb

SHA256
8982657e298ed1c5860097927bfaa87c9d7f344be8a291e71721d5893ed8fcec

SHA512
a4edb8891a7f8c29126e768c4c46efd1870955fa0652617803f24dde2a98662cfa8d90f8f4976695c442f93a0c39d719c36a2987a9e357fd8632bacc72a578ee

Download Submit
C:\Config.Msi\e615e63.rbs

Filesize
8KB

MD5
9cac1bfa1a90bb52bf702bfb416365d8

SHA1
d053de4fb31f6b4781897ab29cbcd2fd559d1261

SHA256
4d0869ce9d4ba1d2ed54855efd74d12b4f92a624677269f50a98905253f19fb0

SHA512
dfd3b8161b1222471e219ccc42bdd8385370aaa9116649256700e527d8f142b27b7a56f352a3a38679d2edc1eaee7ea62de2ae2a1dfbb089b72630d2908a16eb

Download Submit
C:\Config.Msi\e615e68.rbs

Filesize
9KB

MD5
78977891b89b67e0feb616ad704d1a77

SHA1
4086bd604ca2dd10a53f97d5d3353ccc7be4e28f

SHA256
1e0065ae1752e42ef71e51af9823da941d01466674165b75b5c4e82aa379f32d

SHA512
05e0291196cf69145ee06bb33cf8887c15d74971ef36f8ab5ef9529dfd54f45c33948b77e281bef183fce924a5b6d030d9c39f7fdec73e292b84f2de8e98112a

Download Submit
C:\Config.Msi\e615e6d.rbs

Filesize
90KB

MD5
2a9e714bae69b8199e855040bfad02b3

SHA1
69fb0420e53f8fb7b72253fd230d1609b60b798a

SHA256
70be910bf2c1dd672e7b5ef261eaf65c5d59e48b256f6f7b0fbb5ef51681024d

SHA512
ba644c5cf1600714e33adfebebd8d6547973e7debaa37b01dbbee8096ec0e2b946cf1d4ed2b83551de9025e138676396ab39c69c5a1c89cddcae4861378c2b11

Download Submit
C:\Program Files (x86)\dotnet\LICENSE.txt

Filesize
9KB

MD5
31c5a77b3c57c8c2e82b9541b00bcd5a

SHA1
153d4bc14e3a2c1485006f1752e797ca8684d06d

SHA256
7f6839a61ce892b79c6549e2dc5a81fdbd240a0b260f8881216b45b7fda8b45d

SHA512
ad33e3c0c3b060ad44c5b1b712c991b2d7042f6a60dc691c014d977c922a7e3a783ba9bade1a34de853c271fde1fb75bc2c47869acd863a40be3a6c6d754c0a6

Download Submit
C:\Program Files (x86)\dotnet\ThirdPartyNotices.txt

Filesize
85KB

MD5
5c13a5ea8c8cc3474240981d0ffa88ff

SHA1
1d8d3ce27d9dc3d9fb4fa4b06c20137d25879d80

SHA256
4f9bb3901879bafae3a17c6c4009ee5c15384a06fc234bed78937969079c77da

SHA512
32ea79ff5194d8a18e75f277aed5610b4955db15b0abbcc2664cf07f372bebfc57eb665ad078dc3da3ce5ee0d8856140c2a1bc7032b578dd103d43998d682d88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0f06fa5a7ad9ffc231e1b5fe9c409b45

SHA1
f6e64e5a0bb9c2eaf3eec1317afa3208776eb095

SHA256
ef0509bfb8e736586ee8c5a9d0bad862374c5987056d0b1e654e795f42a4ce50

SHA512
b743b05b073b5347ba1eb4b457a8eedd141caf2b70ed07a169836b1d2ae74657d1e093b78c5f31be25186d0e29a26ba95085b92bdf5c5765e41dd3b37bbf0ca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a01a8fcc83f4b4424728cf29832cda71

SHA1
f9021ca75790aaa6d4afb275b3f84e8e1a661a21

SHA256
5b6eeb0770d08fd26e78cd488a9c3b641a132abff6fb262a763eef563eaea807

SHA512
8563d477a2e47af2848b8149cbc8eabbeb08721a1167e2f130abe43460b10ee423c759ec9c4cb1f5069e89b8fe1c641ac6db1e77df3681e03427fcffbc56ab4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fa070c9c9ab8d902ee4f3342d217275f

SHA1
ac69818312a7eba53586295c5b04eefeb5c73903

SHA256
245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7

SHA512
df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dda929dcf8d18926179c9bbb346dde30

SHA1
69d924b6f99a2a6608451511ed8bde937c645fde

SHA256
060aea4a7530aa9224b7f6935ad86baf8d1f8c17069ffd975780bee2540c556e

SHA512
25421ba6089016e611877102f72d14b7638c47b7e59d89a4a47d98f8e1a42443a97014e7531c4b403e854d12eb0d88b8b9c6d0b98799b02d0ac566189d6d6ebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
aa19a048652415961df0a78c8d5d5ed3

SHA1
6e95db96ec309412bc1f7b0d8965bfe38d8d2677

SHA256
36a236e3dc9193d1c110c9c2de3ede4ae827de4ce0652bacd87e9691ca35e7e4

SHA512
86e1e15b1a83cfaf1f9042ca439d9f8b2bb097bd90f0b64840d5e801d2bae2e7370328e150c7c4d1d6e981ee7ac79d43a141e43651ac9d428bab10b07de16284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
8fbc4420aca76432efade4fe7004457e

SHA1
f6f6ad4c89b1eb4375209858d82f9ea2c5cc83b8

SHA256
aaa25b24542e1ef51da4580b112d313311079f01ccae86d88179760653da154d

SHA512
b925a639d79fbf67ea2ed54ff8ee8b6642982b5006b1993dc6ebf2f9c05f23fc80988e416bbf7e33fb4d8b17cb3f2d640413057daff96e3abbe5abfcfbc5ee83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
ec370b249072d65792fc4aa9f8baa785

SHA1
2fc3d87e18ee7bd248abff2715875451702228de

SHA256
18d7e3fd23e554e402748c4aaa2055fef3d932ac99b4d5a3a9eaa28babede408

SHA512
fb3cd68865b7939197ab0d3fbdf3bda0645068bd6d48ec2e7431bac03e402521bb6f910c06f89a90c8623dfe34ba118a40e1f44863e3487a3a81cd4991bcf6aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
2ed5cbbf54aad4eac82cc44fd8dc5776

SHA1
1f241acde5d07385a1b8292a15a7eac42210ceb0

SHA256
9abbba88ff09ad728a9d85318aead1bddf6cdd547dccb668d1185dae9b50c78e

SHA512
879d616678103f8f5af772b6f4101cb510c4cef3979c40bc4c8ef4e4e1758f3d58607044626e5ac030770c8f2ac3e55bb3f0820ab86ad271409deb1d8922dcb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
77a81cfd969133685b33cc385b1c76b3

SHA1
c621f8d7a1f45cd0ac83a5b0efaffb57a2279fb4

SHA256
018528b05e22df9a9ef453bde018131e12f85d9ca134b5f7321f495897ee5933

SHA512
fddbfe38d8c15916fc44eddf42f31dc3dc8b260b61bce920ab15fe1fdc0b9e7b4863f416a23b0656111281f15edd04c9e518d0f1374b4c5889091358f9b8f8a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
251d1ca4958f0b7985f5d0493de4a1ca

SHA1
d003d7fc39491e23f740e6c26c17b57c33144cbb

SHA256
c01c410316696a26b0302add923f16250f18ef0bb867c644423325e0d781fce5

SHA512
e3178bc373f4d311a0e9dbce2fa73dc38b52ec47c5ec43581409e3761c5cedae1c91ba2195132ce5d9be915834ef51f1d6f5c1e2c46786e31ea40ffb9d2382d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
c76b6817ecd5ee957b326061bc67b822

SHA1
f27a5c5c8c5d256c11c74863fcb8762834c02acc

SHA256
7d68a8e4fe73bc0a795a789677b416108b1a724499c99e5536e8f83121c83ff6

SHA512
44166fcc84e93e2085b366bc6c9ae080b44b7b1463f29e8f60efbc4da29a239dc15573278f18da31082e62a70b0f1313f5a2b0f43cc7bdc737bb3de991239533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d60eb1343f54b416d8fcfda6574ec442

SHA1
222cee13f7e82abafb065d761b14568d84fd28f1

SHA256
42616c7275a4d714a857fe87baa1e746589390d5bf4f54d3fc6741c63e88e2a7

SHA512
f9ad0687706f93e0e4d99461fa8764ae8a32b772e55407bfe21415450e942059c7bac7118ce1c095e237a3d4d43e4271ae7cb73b9f44c66db59df13b99cd7e42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
dabdfd8f8373c722dea31c2ca602b7ab

SHA1
a4ec92c3b5c8616898590a3a12c3e5b71e114c2e

SHA256
e6842bd804db274a6bbd7936a0200ddc53043445a3495e0c514f40b95485ba76

SHA512
ce8152589edb079515fffd2c1725266671046df26e51408ab1bd639e111427f2850669db92a0e61e578b03c87bea4db88a4864399f39ccc46690e30d1c277f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
c6495e45a3541e0673e37c6926f7f14c

SHA1
2f1990ae328d35d714f69de7ac4c05917a430710

SHA256
23c2861455ad2303dd885e3b5c481cfce436af76d8c3c34e896cd640ea1cb71c

SHA512
4eaff69c002a90622ac66c2ab5e9eb5e7d173227160d9853ae6c619b1e071abddfdd3648c7b92b8a50450bf4a103fb52459a28f92ee12ec1de1092fc135fee3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
155038bdf6c0f3a67efb8a3f83108810

SHA1
2c6728ecd3394bcd44f7f2f14c1d01ab716d158d

SHA256
63eafa81844050ab36c3772454cf45cf2062e4b65cddb3710e6b62c0db623a18

SHA512
e5ec32376892fdcfdaebb89cf31ab730676cebb9df969a15ca9693f6ba0748e3420285953423595f98e8b85a003f110c9c33f4ec78b319c37d95cc34ce3182a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
264B

MD5
ecd1f5cac9dbff016b418ae6fc45299d

SHA1
24f8be789c5ec5713e854030ae2e886e257d5551

SHA256
0eedf1bb902daf9aa01f4a6d9af721de61be7a38c0f116f98b885c53baf7f98c

SHA512
34a0b3abd4b93b9a2fc1e6cded4a7cc8842d8fcc383a0b74a7fb38dac05ded29e8ddce72e7f83d46d2665c6765177f0018d2897cd648803cc464a4290ad9889f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
264B

MD5
e1f6462747fbfba5a718bdeecff7494d

SHA1
9a2ca729b042a3ff5d5f853015e8a5ee6d9d9c6b

SHA256
bd18da885a77b38af716733fdbe5c4a255e2d5c2bfb5aa19f17d17f1445785c7

SHA512
ede421b4d2759cec023c98c77fdbf5c63e9498e85a828274e765ff13ded5e68f564297922486368f2dce4a9609b841f62a9b6dd52445ae05abd4c66a7fdf1aa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8f0e57bff6260b370f29d50882bcc518

SHA1
ba805719447f67b54d9e55800e1f4887856e9b77

SHA256
66e279eef01740009de6840df0d41db608996a56a2cb301a0c5b7ef5a6e37fe7

SHA512
386348e901c1ce2971cf924544a07a82388e688979f6f8faa5c1c04e15ca6624302d89d2d20fb6cc1b98a3490245a937ae337d1953ef1c0c6310fb3bbcbf3d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f0c1ee11ef1e5717d53cd9cbfc5f99b2

SHA1
0982cbf5cc2814dad5689ecc3ce300591249dad2

SHA256
50121d1340a9a2bca49f3537e92f977b60eedae6f4454b0eafb324392103d155

SHA512
276a402af89ea0a3c2f5bc353130c83c8110cedf6d8fa0ac123d6ff7ccbe2338436ff091ec057140928ae6f36b4452e23fa4c48e2cfb3f7ef997169eb7245b8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
35ea15123d3c66a4908678e8ad66b7b8

SHA1
816f4a6cc9b54a965922190e6196c4b898324e83

SHA256
20efd9f5a6e44350b3d13ddef8700bbaf3912a091e222b822dc295d48aa07574

SHA512
3463cd7613730e13b0997d37acb8d55411b35e6b63ad3cd89bb31f10ce3c354a11b6744c27b12519f1c1e863fc9d786ef74f871836b7a02fb063c370dea22814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9df01e0b013c70ebaee7b6b72147f6ad

SHA1
df291b062e77456e8e7f380a329b517f5891780f

SHA256
d587915c57ebc41e0d9a642f27c5dd1558097a6ccde94d05b342bd31c2949023

SHA512
d68ad77b0c352023230b2023f125b0e116ae883bb26c963c4a81762ba0629464e9f9c3f0cb9c75712b270b14671e93fcb2fb6fed58d1c5c74ae856d9e94fac57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7a697d91d24f87a0c9cd8913c6d644b

SHA1
b016f8b917c5455e6e8b780424cd828013e8fe1d

SHA256
11c6718b9077da57487e4b05a8b0d09f698dffc5a7d5f5266fefb880456bf2bb

SHA512
ecd48f855a8c0e57661178529a119842a79abbb853c68755c5887cf07058cde150ab8aa91256ff603cd5727313716e43744c0db4016173034f86c421b758e23c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ffec913fdb43128e7e088c0b54e57cb

SHA1
f1e4994f73b2a37ad2fe74bd40f619489ba50113

SHA256
eebcfaa0b121041d2382e122722a6c7f0d8d41748514f767889d4958775b14d8

SHA512
bd508b82e3a6556dabb81eaeb911d02cfb5c9d29e17c7a259588e2c0ae8af061e4507bf094184378a8878fb38aa41f561620fd896843d2c58f512cf968770b28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c4af7aa413dda308e52d439d17990043

SHA1
7bc627af4ffdd613018f46ea92d0bf0e12855207

SHA256
588ec2322a22b1cd01bf1ceebfd360526310a6d15cdc2a7261ab5cabda0f740c

SHA512
55482837f20e53db7ad83b039fc59a309a86995b92b7a964ae45873f3239329cdf2a735efd482a326c2997f9c06198d4485d7c54b7265c28634a38789b3290e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff201c31272ec433e4575e68b6942362

SHA1
e70e9c52b285edf6362edae2f55a52cfa3223b91

SHA256
4ff5f453ff01d51e9b7be67a011ed2099d1ac986ea1362d4d92912fb7ad77e8e

SHA512
9fd445b33ad3960a9d333b82c4789e671c08222ae3f65b0c454bb4b81a2d692540720bc68b1a5006260c43505e9343dc103e4eadc62c22443e9923dc8bf2d01b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2e38791ff88729d41423e3c017908ced

SHA1
03cb458760d66a1c6623e3ef358bf580fda2f825

SHA256
19efad6fa64c4745140d5674393561cec6b7b23092158fd03944d9d2e9810349

SHA512
a88c10a72c56a475bf3e41dffdc03f3d6d27e525fd0105af5ce433015a58e700a79c3d85f4078ec892227048bc91b20ca0e674ac7e4108954850c2a82df633e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4672366060c7a81885d8e2eb3502c873

SHA1
c91d18d07462c4b534ca29c12ebeb5397795488b

SHA256
93b3fe88904bd0e0c7c66784911c9b34c6e48b92efae4d7380be356d912a1ccc

SHA512
f66b3e29a6fe62f43af7bfeff0fce5f42a0a64aefcee363e1f14fe70037ca423206417f0424c861d350857ba14aaa361dc62eb41b5a4b31a379b744139aa1c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
434b671f443e2e9b7a94d6664c175560

SHA1
7799436073710c55525475f1d15967abe408bad7

SHA256
6f26f074222bdb69e9ab36f0fa78e0bab7a9d9dea2f1dbc501fa3691a747af8e

SHA512
c0340bbfc97259563eb2847f899818897075e270d8ff6204991c33570db3d11ac629dc84ced2e5f19b34f2fb2533bceab550d8920ac558a9f84c220126c91a81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6f7c2b6f5cdcff1a0f9edb52c1d1f41e

SHA1
dabb134da6f694ae9e4b52e9f73edada5c5b6854

SHA256
5ab3ac18f65f38b034b26d677bb019ab3663130038bd5f80a6c231219c151f99

SHA512
c7c0a0bd8c0e91d3bbbb20d1e24bd0f5195843772776b1d960687c93ac1f2a7ba93b3e9fe0fa4f113b71527d331226ff4a984d7b97c2167911464965ecc829b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
66b15569769159e206d324e89f084ed2

SHA1
7c07fe1e07f868e7258435a50cfb91bba924fa8b

SHA256
52f4b1775f499a4705126eb6de588fd70e0d38a4afb823495b861353218f7936

SHA512
c9667f736ce13624863fc05e5bb536167e1667edf2900f74aa1cef33605cf0d6a94ef85c05d2b2460041e310fe7b532bc51e05e7838d377260790ad9ad76d3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c95c9bbd5bdc70077af0db1cb9dea967

SHA1
beaa67c7ab09e75034266e64efdad74986a7a32b

SHA256
2650b4fb8668d479be6ff43e1d8d70059689c1a966a249b7f48bdfbb280074a3

SHA512
a66da8442d6d12a64f6978e9887ab0f03ecc91a73818935a7fa124ec570e98ff983f6fb3cb4e74d7088a1713eeec68df22fce24ba1cfb00bb76ed6997bba0084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
917dedf44ae3675e549e7b7ffc2c8ccd

SHA1
b7604eb16f0366e698943afbcf0c070d197271c0

SHA256
9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37

SHA512
9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
194B

MD5
d7d9437445aa960dcea52ffe772822dc

SHA1
c2bbf4ac0732d905d998c4f645fd60f95a675d02

SHA256
4ff49903bec1197017a35995d5c5fc703caf9d496467345d783f754b723d21c1

SHA512
335eb1ba85670550ed1e1e4e14ea4b5d14f8306125bf147a42de4def5e5f75f14c422b014414030cf30378c04f748ac875cf056adda196511a0b057b3598fe9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
e9e69ca7636488731a170035e618681a

SHA1
f2c5da8d20ae2cabe1b9cae107a590d3df27644d

SHA256
f811a9cfb751b0460162753b67a06d30fb380a306914b710e32c854f4708ece6

SHA512
7aa40d3942b59624e404a2eb3f6c0908875200a57a5b6ec21a793d3e8135990fe7dd81123c366871bf9722db2208b34f80ccdc00f1a30a00fedf02360bb21f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13350673515564113

Filesize
2KB

MD5
bca27f5a5f1bbaacc7064bb6c47c061b

SHA1
e8dba1f15bb6cad64f2e08f7c54beded6893d73a

SHA256
4697268e3753725ec4be2085cc2e987668f22c7bf99ba5303a7623f8e77fe528

SHA512
f5daf6c095127c0adef55491565781e1be1fc4d71f9e9a4026a0255f57ea4c298f924e5a3f57f65282d3974ee4e5557f71661744c1af784a0871e3b0dac9d0ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13350673515911113

Filesize
2KB

MD5
a7f24be55ef58eeb70dee45983f43de4

SHA1
17ae15fd834e8e05872516a76dc48c8353ccce61

SHA256
87056c3a8ab5dc76164ff9c60da8c2ca8c0c111766f6fa3c5aa00a75f5417366

SHA512
751b596b1cf8a78a3060aa28fc53f7276d7830772751328d3ba17784551a843fc370b638f5732163d545503ef7025fce0eb530b22684473c0f2800b305ed2636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
100B

MD5
0e0656914cbaf19d8d838bedd1193581

SHA1
972c9cabd247b1cef238809adb692499fec10828

SHA256
3c0dad0c1d9105bc9dc9227d5c01d93bfdb1e6c6510c1aac1675e8056d6e1ea7

SHA512
1de9243fa0a8e6c190698197fe799b2dbc185b7ae8aef18a4a588e074dfc6a6d5e6f23fe3734bff13b758ee351de6f10da278894c23fc75c8aac21395bcec722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
46ea3f6feb9a2344e5cc9416955cd6db

SHA1
b2359469dbeaa976ab42dbb841b9f1e63aad2663

SHA256
7c13ca42733991cdf463bb9954d26859aa41b4627b787bc289813623b119f8ae

SHA512
9663cba7a2d69582d4b04ae1924f3712300d6a14eeea093e554bb86334ba82e495185d61f068ec2e8b2be3f894df474985cbf905e9ebf551a206c1b447f0cff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
b97d509170c5a26295e192df0c17c068

SHA1
1a68409922cde9d399ad5fba56a594abb060368f

SHA256
4ef01d49c78efce3f67f9cd2c1d5aada030e66b6f9cc2239cfd5b8850a48a3a8

SHA512
310827a0aa2ac0280f9dce68162f936d33d57200ff4a64248325ff5ee48b8a84856824f4be75c60bbe3f1ae09aab6518351c1e247d1f40d70593bfddd57f7cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
0b0f9b9edfad214c9becde86f76a1200

SHA1
21a106d48ea8fa3f8d5899b58e98f584e2db4482

SHA256
694afea8bff90db67e62663c1b7ac73872eab60db1ffd80674db0db886991c2d

SHA512
76deeb2f5ff6778872a9e603b22cbad0a09a5d881bc2da9e03010391a41544b25d1802e8321d980ddd5788b1b682c64a1b4c4abdbfd4aa4528ce2718857be431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
fd98e74b7b8c7ebdbdc562fe0d74296e

SHA1
6d70ef94504d912e7b65ce7eae07ec611fcd528c

SHA256
bdb7e8696eb65f22198b24c058a283f050b56afc3c57a5407c507e05a985727f

SHA512
e88c2a87f0552a8e383c59caf21ae8e2181da1c50174bd0535842e06a5660764b638373ffcceb7ca1743b52a54b8ae39e3c1aa662e6b6d8553a3c33fe4ac0c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
783ae7f83d5820c4dad35cdcfe1872ef

SHA1
5563fc8c532749defb75d5ab5de0884a85150dd3

SHA256
b474dcd2374affdc8680d04f5ae78ca4fdba4040c2e16fd9d6b55cb69299a128

SHA512
b657d2e4ff8441a2e5e1571b7f2705f3be59e988903cfb53335e7c29ebfaf540263f5ff1e6706596549ffa991b648a5790fe5b54e93c4ecfe3188d29659aba5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
f6801864184614062609c46b568bef4e

SHA1
fdc85b5b00b25bfd661d57ff5bdca6ebd72082a1

SHA256
b2e28a9d4f942ef445e3643b418c0d8132b1c1b1c65e5e3c6af87ca96700fef5

SHA512
c6759bd1efad1daf5a3756625a5674d49ca92869b4d89cd5aa0afb4d7965faa30a8255bb58f0db7ca0ab110df29aa8411d4f3f34b767517ccf545f359da68e8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
4b2b5d5ddc715008bed15336d8d4eb70

SHA1
80fb2e26dfb725a9da1ef3d612b5878c77201c9b

SHA256
69abe01714040609d6bfcffb0c097c815898fe5fc53b66a02492cf168e2e005b

SHA512
0fd8cabc4277b386fe0208f82dcf0e1fd9d639a57f2d99839a10cae8816259d34e44409496b303dd623d5d63126113e6eeba4e35115e4e1a71e3e33206cf394e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
707B

MD5
8584e77ff0a7bea5c589f4ea28964875

SHA1
3a300b2435022d584dbf2bf832b5577402b45b19

SHA256
5e28f77d3ef67ddd8058b5ae615e177b781e1866e18c5ada81603a62baaa3ce3

SHA512
ecaa7f8e1b08400ff556d75378c428f399e5968b565d8cd1f33052e0b8b5751fb72650776dff50decadce89c40a1903decdd37d2fb6830054a8af4235dd1cebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
41195e0840b97d572ebc67e0c602bf89

SHA1
496d7f13703637d22fb300f8eaa236739d38d86e

SHA256
82cfec365ada9e8d490902f426811c959107803955165db22c5aa8fe430dc70c

SHA512
09e2d3a578f9ebe45d2c531a970d9f92070542c4e658e2ca1e84f87c14aee9290ec939e38d1cd78edbb3b4dbff2ddd2b3e5245f42dd26d80316ab18c65e07752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
d8e3ad90f2a19f789a905f4e242c181c

SHA1
aa77bab18f103694826f309ad7df9fa961b79ff1

SHA256
8174e70bf82be87770012bdd13ccb558b0726883a334d6aa49d56c806d33ce2e

SHA512
075fb7d63eb3e1a81e880ea496a9b183d87b73d78a37b0a96260e089c2686a924e0b36fe6da6cab4e75fadbc2f6bca4f4781328d435dba5d6837905c200d099f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a3b54e0e-227b-4a0c-adb1-1d201816f588.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
139B

MD5
5245b3b22fa1d870dd8e45788d82b4a8

SHA1
f906054b5d0f43e9ea05648ce825336b92a52b4f

SHA256
7d5afe0fd514c62188b8a745687b6f1df9d81da92e9b5c34d38e2fbeaaabcbc6

SHA512
eda3ef29f3a8d8cc5df90017821928e673d06a4f071cf481668422d3f78c608745bc1a9e0c2b3bfcca3732693051091fcd54113c97d886e9e10e1a457a53f0ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
70b3fee39b400bfe0d0a2faa8cadb77b

SHA1
f0ce30ba6f47105bd2808d35301ab64363252a8e

SHA256
50c96928bb5e943300fcfd4e565161936970d7f76eb66da32502a8f02d21c888

SHA512
a848b6d16d9e368b818879011e4c3d1c3725ad5eb425b72d4fafdbd45aed8131f6ad2491f952d6e8480f9eb136e97f9b7992c07b7929b94da806299128e29810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
5KB

MD5
876f489529f13378a52faebceb353af1

SHA1
df41326ada41c140f071bbe7c46ddbf3af566917

SHA256
7bd8a5e4ce927eb7e7c3d40f24c20036b0375c5642692d900a4876d030ad2621

SHA512
fa54987952556254d4c65ceed4f355e9cf85f4ab80a59ab73a4df242a4f524c9365d9b0a81d1b343c801c83316859d5691bbe05464d04e27731f3e16d9c5c602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
c233b92e8fa902b0cd47bf7b56e7c1e7

SHA1
94bf6f807110194b0820fc859c05a4a58a113ce0

SHA256
b311b2ea48f65ca5514b589b10f394b580d366036855cb3da6e44ae26d95c7aa

SHA512
14dab418d4f2cccf02ec7e502ff4d212ec46456261e08447c701d25839fee733c6b263a1b60348cf8032148ae55891e9e9ddffc9639c60604aba8514ebdceafa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
53bf83030c66d441635ffa7b96b2fb7e

SHA1
aa332a7337f1e96a6accce8a0f4b20b530281813

SHA256
761bb94021bad4b56e39be7f4d13f80ef3a7ccfac4391b5311859e53ded50adf

SHA512
6a66b0324889c871f5c15b80cab3cc7445ec0687efcf086eeb1ca4275eb92b35b752ac6cfebae2eb4ce7dfc498432e947999de2a6e82cdf4be8374613cb596f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
4e819e79cb85d8347233afac665f5e26

SHA1
9989cc99b29ee2588fad73c8a0f6b23bae9cc14e

SHA256
ccaf8dd82027ca0a9001c790944b7cb0eccb363e460b2fd3a1940b9870174160

SHA512
4e878ee73ddb7f13fd7b79818235437f149decd17fdf223deca07e163d1aabb84e50d93417ad1be63cab793bc6b0db709c7d38ddd6cfb5f08a39318a0da9fc77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
914fdf1719c8933443f7702889ba5019

SHA1
24e54021ca8eae63475dce5d6a4a3f14332ea347

SHA256
f643f8d0a508ddf166c1733da4ed7e9fbf6b06e602cfd4408a616eaeb2a30ba9

SHA512
37b7b087262a9b47b64b013adccfd772f1230917b304164f1e73a1f0da888fb7e24c1870bdac86f244733d3b4a43d161a0c98db5b4776a213b1aac50a772f296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
5fc19ad9b5e2847670335bb236f7356e

SHA1
4a4fa521b7e9e8843c2a43109fd87c07efe291d9

SHA256
87886bb0f6068a89fca57b0044955651ce63b3875a19a72a7757e421552d8d0a

SHA512
3ed418b8945a7caa16122d5e74adc95503e1a9cc84160afc6b5639edecf9354d4beac516806c90b8950019bfb4c82fa196607fa1099190c2bfbbc6b1159728bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
07573b00f1bab1b4604d69dbb17809f9

SHA1
5369b182a2772da5be2946c6a466f7854b0b2b54

SHA256
d3f9068c3b3583d4142e4a2792cf215431d5f7c4b90e7322a45df03853dbc0b0

SHA512
e150a4b839ee2458d7d883dfa971308116c1e8b42fae3271e2f1e8d64548b6f17a4f300c9d87d7d9f1b1a727dae1f83133ff33e9bbea6bc0072a89d3118e6bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a7517c1ac124de8b4686151516527654

SHA1
7eaf052f2e2e9b84c4927a099e256b27a859a049

SHA256
5ea8d1ce7b8282cbc8142db6d18287704e6291765176cb23709a61a82980da9d

SHA512
e405ff8e57f81507af080bbbfc8d69dfd18f93444bffa4309a9ad9f220e219c6efda8b31db295cff9de647ea96c90bbc19e7d9b1b6411d7a7cfc6441c3397c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e58f93995060212c83a3d487cb0cbda2

SHA1
7eb6d4f63dd9a9629715c8b0436905b7b4384a6a

SHA256
c757e938553c24655043a990da87fb361b7d68f5f0ec885992b43f7c1467979d

SHA512
596371f131b5438dad68d5e0b764dbe521c97e0118d6b961f1432cc8bf777e52cdaf4732458571aea0d216e596f8dc7dd1a3f598c835021a74910a7f4add2903

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ef8b607ca24c84f0603f45454e03d156

SHA1
b969523f1925cc13d835f20b3dbdd196dcd6b9f3

SHA256
8b0047b4af56906b970331bf77ba2830d852ed6bae733017eaaf699e6d938e40

SHA512
13d8ebdadf762c4cc57a33b0ae63381b3f9392526eb6c3e04ac47d7babcd235eefb8408341757800ed63fb0aa9703ca99909d7ed2e60fccdb8238e35efa5d4a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d88723fa69275a47189329557a5f0999

SHA1
36c7a10fd05508c746d14ddf1790cfe083719585

SHA256
abe4e444905a07ef67e4dc8d87721d17ec93bcb6036170dbaaa41861e73f6852

SHA512
60869aded622620148dc8c0518cf0927b986a2907f2ebcf8dc0e836efc4ac6ed018318f96ef845c6c5e950e897b95cd3a373419d59ab92145ea93fd8c39d57a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d724e5494e981543d9fb0a6b7003f904

SHA1
12bf4eba2440d1e14f4cecce4f473d8fdeb587d7

SHA256
08f52cbfd584a2bfcbccc77b98d1b100b737e5eab9328203865cc6788418a744

SHA512
0f64df6c7313842fbfd510ebf2522e66e8bef1fbb7e8f6c4be5dfef9ddc7f3ef3ff80aa51dce76ddec546a3e62e9f28f593bf873ebad0a9a0e74456f38968635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dd072831b12963f46c84c7d2c7b1b321

SHA1
ffe5d6a6f7048e583822d02d0a824345897dc14d

SHA256
f8131462614f91ff33667b82cdebd5869f839c50d382ed10fb62d425110d2888

SHA512
2f0e212852fec6d448442da14947a0732efdbc829f756d1a49434c1985719ed03ccfee2adc2efb96dfaca35d7a9dd7508490371bc7f9acb71db7b90196c49691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
22078dfad7c3853615685616c16da25c

SHA1
20bd30fa0d97a5682c5eaac163dc9f4742c40fa6

SHA256
c21fb433a06f337d388b526a11407da2962049187ab9240c163ccc55d0ce2005

SHA512
33918ba5da58ffde5ba7a57d852689046de0d10a7a1ad9901b0f98509dd7dbdef0474031d6af3c808480fbb16cd0b31963fe097061d93951d672ce113e161c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
3a11f7faf4bfb3eab4064cd7a2c6a1f7

SHA1
432db9deea327456b997dd41b851e4c20adce1dd

SHA256
59bea6f1473929e7bafb1a584ecc6fd40f25fa6f890f85a3c5e96e95dc136121

SHA512
f9e85d10623ce3dce925a8ea0f7511408f380e78bcc943ec5861bd042943314a40f6dd9e1ade5f268ce3d3aa96e8f868ed1f05fe78e654482d23f2d906c206ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
5B

MD5
308070a89e2b366fc779058f42ed7db9

SHA1
bdc0074fdd0200518e38432163a40864e1404f5b

SHA256
a4fc9840f62917a7298e6ea70f872376424ca7d3113a1304df801ea35bd26c9c

SHA512
537734eed00806a7fcd203371316dab937073cb785a79ca0023cd1a258e9ae53d3ce5e75b3cb68d2cf2db01f8ec18ccf9307ca6f0c86be122749b571b27b9ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
f27f2b716c3e998d06a6dcc1a79d37df

SHA1
5699c21459058513aad841f8336d5b3ade953fcc

SHA256
e40c50d82fc2c0da35b8b9d1442455b1b2a3689aef10fdd28b539c42b56d4601

SHA512
2a535ac64f0e383beebb41caf7b479288e5069182853be3117700f91183b94dedb644927773fb544db5774e8fb1a2c168da9f7648f1352cf0c2e4c840cca12a7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 500446.crdownload

Filesize
14.6MB

MD5
4c5acb14fb2c14d6145748dadfedcb35

SHA1
f17350d6e2a95ceed1e29fba222ee267c2897b26

SHA256
0078b7a05b1d4141dfe1e553d884956071fed02d21e4d11f1913405551a73fc6

SHA512
8ed9ab3440b3d41a4bfaec6d50a8bc52b7acf3b50e1a7e77d1b7d5d559afe59bcd400dc3e1e1cfdfab2559e176d476e05222d579313b9f5f0dc9706c36f56df0

Download Submit
C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.15-win-x86.exe

Filesize
4.6MB

MD5
048c63fc37ac563196858ff9dde38294

SHA1
afd357912089c54a6d80300c636cad43ac917771

SHA256
d054a0698c95a494c3d560669a62b383e61bc9a773649c7478eac4677524e2cf

SHA512
e1671c55f3da426f69259d2ff4ba25088868992f5093a435314cd64a6606ed8f630165fb4a64e134cbdb04e75093278bd3ba4ba5356df41a464bb157520c5c47

Download Submit
C:\Windows\Installer\MSICFA8.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\e615e5f.msi

Filesize
23.7MB

MD5
b6b9d8c4ff319052ca611a58d78ae1e3

SHA1
653586e12e23bc7b7d7209116682a0a0377dde5d

SHA256
7cffcc6d90fe68b86feef763310a409fb17cbba979a685a7ab53924f60d99738

SHA512
e7cc75766e1426cb73f304e529077209e9411864c2326840ed7015ae2b4329c111e5c65fe149329d8c85cdf8e40a51124e3bb0ef455e4d1dcafcbc4c4663b47c

Download Submit
C:\Windows\Installer\e615e60.msi

Filesize
784KB

MD5
59d86bb5383eeac8bba8283a20be0055

SHA1
012b9cfe421ca5556c00b74e642bb9e142fea64e

SHA256
65d6faaaec8a0bde1ca8c8549800196845015b877e3856429d89af43e438d282

SHA512
b64a18689ae80dbb686b66a73e09ca2917b90302ce150b965581a8eec68c59a1732b10759f8ee9e87e67ee2c861b3214314516638f1e08bb26752dbefa070dac

Download Submit
C:\Windows\Installer\e615e6e.msi

Filesize
26.4MB

MD5
11a0af2caba2216b54e09382d00d0126

SHA1
591d86acf4940f741cf3237c05c24d784dcaa963

SHA256
6965fa26a4ab6057c92516fade20e623b1b1643ced9314328b762135c2d4266c

SHA512
282d8ae7f66993f4d4725b1470cd2bfc3dc9a1770aa44c09c70240fbd6599d3da2b1e6515b2a269e17bc6e9ec4c0ff17a264205c0b9f5c1226585fb688b9884d

Download Submit
C:\Windows\Temp\{9675E175-E3CA-4297-BC38-925F0F02F84C}\.ba\1033\thm.wxl

Filesize
5KB

MD5
d5070cb3387a0a22b7046ae5ab53f371

SHA1
bc9da146a42bbf9496de059ac576869004702a97

SHA256
81a68046b06e09385be8449373e7ceb9e79f7724c3cf11f0b18a4489a8d4926a

SHA512
8fcf621fb9ce74725c3712e06e5b37b619145078491e828c6069e153359de3bd5486663b1fa6f3bcf1c994d5c556b9964ea1a1355100a634a6c700ef37d381e3

Download Submit
C:\Windows\Temp\{9675E175-E3CA-4297-BC38-925F0F02F84C}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
C:\Windows\Temp\{9675E175-E3CA-4297-BC38-925F0F02F84C}\.be\windowsdesktop-runtime-7.0.15-win-x86.exe

Filesize
610KB

MD5
fb39099fa5e536604ec91e44e7fffc1f

SHA1
64a54139f47405fe7b8ebd3a9ce148caac147d43

SHA256
6c7187ac2d63598d846792e1ce77f1db3ce438f39d8cd4589d61ffdfea6a83c3

SHA512
0c76fd68ebc7a923f1e8c48b1391a5158ced2dc4bd6423d491ad9389060dbca6f9e67f26c9f55519e96111791f6e75b0cfcb3b88bb58ad2f7f32ba9f1bed1707

Download Submit
C:\Windows\Temp\{E2E15BC8-0496-429E-BFD5-C967B71B206F}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit