hxxps://github[.]com/VandalRevenge/VZ-Image-Logger-NEW

Analysis

max time kernel
52s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 16:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/VandalRevenge/VZ-Image-Logger-NEW

Score

9^/10

spyware stealer

Malware Config

Signatures

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2028-293-0x000001DDEC3F0000-0x000001DDEC732000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

resource	yara_rule
behavioral1/memory/2028-293-0x000001DDEC3F0000-0x000001DDEC732000-memory.dmp	Nirsoft

Executes dropped EXE 1 IoCs

pid	Process
2028	RtkBtManServ.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
62	raw.githubusercontent.com
63	raw.githubusercontent.com
88	discord.com
89	discord.com
90	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
85	api64.ipify.org
86	api64.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
3680	msedge.exe
3680	msedge.exe
4884	identity_helper.exe
4884	identity_helper.exe
2028	msedge.exe
2028	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	RtkBtManServ.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 3880	3680	msedge.exe	81
PID 3680 wrote to memory of 3880	3680	msedge.exe	81
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 764	3680	msedge.exe	84
PID 3680 wrote to memory of 4324	3680	msedge.exe	85
PID 3680 wrote to memory of 4324	3680	msedge.exe	85
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86
PID 3680 wrote to memory of 4864	3680	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/VandalRevenge/VZ-Image-Logger-NEW
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbea0b46f8,0x7ffbea0b4708,0x7ffbea0b4718
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16542492946778470861,13415996695307500545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:4752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1924

C:\Users\Admin\Downloads\VZ Image Logger\VZ Image Logger.exe
"C:\Users\Admin\Downloads\VZ Image Logger\VZ Image Logger.exe"
1⤵
PID:1740

C:\Users\Admin\Downloads\VZ Image Logger\VZ Image Logger.exe
"C:\Users\Admin\Downloads\VZ Image Logger\VZ Image Logger.exe"
1⤵
PID:4756
- C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
  "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs45xVO18kxBvHXdbDmxjXLewBtcNYVjeA5+Jt/dexqYIIHoqGVg2woZFQx8n7UNckhTbmGBRUbxSRaWImyGItPvvSrygD9mi6b/aP2n1APOg5VB4NCBWTfoGRJ9AG84R5Q=
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
011193d03a2492ca44f9a78bdfb8caa5

SHA1
71c9ead344657b55b635898851385b5de45c7604

SHA256
d21f642fdbc0f194081ffdd6a3d51b2781daef229ae6ba54c336156825b247a0

SHA512
239c7d603721c694b7902996ba576c9d56acddca4e2e7bbe500039d26d0c6edafbbdc2d9f326f01d71e162872d6ff3247366481828e0659703507878ed3dd210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7ae2cc32ee600a8e9d51699e7f7ce27c

SHA1
05edb636709b63a03ef685b09117a549eaf58a83

SHA256
a9053e4b3de4b3cb9a2d6fe5b8a6cb3dd2964707da7ab101795964019305e2e2

SHA512
d659d8dbf1b08015f21c0b26afaac7782ba949666c62440ccd2fc0b206be750e60ff9f1a2f813935a868a9801c0a227fb4129a098ba3a6c595f20f3e03cc3198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
af5a12f3555d2436635227b747e63c60

SHA1
495bb70472feab770848d9861c3d4f0406a958d9

SHA256
92f0c60f39db5d5759b7c1930e0a5b0a50dcf7e681c6440550bc70f1e170c410

SHA512
639e7edcde752967b519374d8ba0a221f57eb21b024dc7b9a32c2f67e8dca8811d572d3b9e2f00354e2dc49eb5e24b63cdb192c8e6295b358abac917681047d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ca771ab53c2e50ba075abd3de61ca2e

SHA1
798a7e64e3dcffdb26db685b5f0623f69621fa63

SHA256
145937c1d0f9a8fcd57f0469993c8c469523e5ff1633d7a21c1ae1bd2a9dec24

SHA512
1e785f45b050e7a0b336ffd2ad85153e80f517afcb7ea8d60f25fada49c4c45eb6c94a98a74db140d0c366640a6027499073a59eca3f255e7c9d9b4e0ec950d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
f5b764fa779a5880b1fbe26496fe2448

SHA1
aa46339e9208e7218fb66b15e62324eb1c0722e8

SHA256
97de05bd79a3fd624c0d06f4cb63c244b20a035308ab249a5ef3e503a9338f3d

SHA512
5bfc27e6164bcd0e42cd9aec04ba6bf3a82113ba4ad85aa5d34a550266e20ea6a6e55550ae669af4c2091319e505e1309d27b7c50269c157da0f004d246fe745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a3fce395-02b0-454d-b0c7-7d1284028fb1.tmp

Filesize
6KB

MD5
c6973a4e90a868842bf4d9b6487a410b

SHA1
8ba3d8e423177998e4d9d5448584b2e31bc999e1

SHA256
e2d794962a9ab4f9bdff103ece68fb5f36e27400ce16bf8badbab3ba56165f71

SHA512
56b1c1d47cdbf2af3a66fad4a4862acea6ce5a3dd4fc0ac1af1ef50a7b465bc590f5e3631e7719049537c8730a0a997cb9ce20352a3b60cc56056dddea5e1367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a5420e25416744d2a013517609dd825f

SHA1
ef9adf4f24222c29253182299f885649f5f2a654

SHA256
827cf84606eaea26f6efbc60eaef46cf7379dc1a10ec54db47752d8fd1aeff38

SHA512
ba5209b50dcb40342e8e6ebda7b476999836a7e262b39e158a62dd8046045f45535467c5fe6a04f8e3200111f64a905de181c240152dbfcd939800c956f4f9ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f8bba85d550d3e351377ebc919904a87

SHA1
baa87c6171277273439e4c40a1ca11ff6b25723f

SHA256
3f95a1cc7528ae865942bf7f785c23df5d0e4b2ce2210b96f2a4d9e3046cbe7d

SHA512
6a4c0fcb4c8677f7004cbafea843e6a8b227e68320f195346c80355ff4925256a63dd17d12176efb55726811f3f0ad08beb6d8f891449b2dad09b0977be313e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

Filesize
2.8MB

MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\config

Filesize
108B

MD5
1ba367d0f9aac0f650e65ab7401776c0

SHA1
75cf3295125cfaa0c247ebccc57e63f915198683

SHA256
68c4ec552c98f3b5a4744e4eefadd6364dc8075c2e718b7bcbfc76625aa60d03

SHA512
45ccdf02314fe01948aa2ecddb3b50f68d5b32d8542e3a3aeaf3f2920e2285d3b75ebb81b9eb9fb9e0a446af5a3708720e07672874d5d38871dbdcd09483449c

Download Submit
C:\Users\Admin\AppData\Local\Temp\whysosad

Filesize
3KB

MD5
fc3c88c2080884d6c995d48e172fbc4f

SHA1
cb1dcc479ad2533f390786b0480f66296b847ad3

SHA256
1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664

SHA512
4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1

Download Submit
C:\Users\Admin\Downloads\VZ Image Logger.zip

Filesize
10.2MB

MD5
6ba7f2e9f5f1112c9e0e44ffc99f09c9

SHA1
311ceacb41ac02180d78e159123508467264ec2d

SHA256
032ca5e1aa4a9f71e612c3f43e7214bd61d29e697cddc83cc6d699471fae5d2b

SHA512
024d00c1f47e59acf33b19f826f97c1083c8218d40b8c4621a34cd7845b586db1a5700804c1ec61af8016711267f590e38330f876aaa372e123d6a154e123c37

Download Submit
memory/1740-279-0x0000000006730000-0x00000000067C2000-memory.dmp

Filesize
584KB

Download
memory/1740-267-0x0000000000D62000-0x0000000000D63000-memory.dmp

Filesize
4KB

Download
memory/1740-268-0x0000000003300000-0x0000000003310000-memory.dmp

Filesize
64KB

Download
memory/1740-266-0x0000000000D50000-0x000000000104C000-memory.dmp

Filesize
3.0MB

Download
memory/1740-269-0x0000000006080000-0x0000000006624000-memory.dmp

Filesize
5.6MB

Download
memory/1740-271-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/1740-265-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2028-292-0x00007FFBD6BC0000-0x00007FFBD7681000-memory.dmp

Filesize
10.8MB

Download
memory/2028-331-0x000001DDECAA0000-0x000001DDECAC2000-memory.dmp

Filesize
136KB

Download
memory/2028-291-0x000001DDD1C20000-0x000001DDD1EFA000-memory.dmp

Filesize
2.9MB

Download
memory/2028-352-0x000001DDECE10000-0x000001DDECE2E000-memory.dmp

Filesize
120KB

Download
memory/2028-293-0x000001DDEC3F0000-0x000001DDEC732000-memory.dmp

Filesize
3.3MB

Download
memory/2028-296-0x000001DDD3B70000-0x000001DDD3B76000-memory.dmp

Filesize
24KB

Download
memory/2028-297-0x000001DDD3BA0000-0x000001DDD3BB0000-memory.dmp

Filesize
64KB

Download
memory/2028-298-0x000001DDEC730000-0x000001DDEC7A6000-memory.dmp

Filesize
472KB

Download
memory/2028-299-0x000001DDEC7B0000-0x000001DDEC860000-memory.dmp

Filesize
704KB

Download
memory/2028-348-0x000001DDECAE0000-0x000001DDECAE8000-memory.dmp

Filesize
32KB

Download
memory/2028-338-0x000001DDECB40000-0x000001DDECBE2000-memory.dmp

Filesize
648KB

Download
memory/2028-334-0x000001DDEC390000-0x000001DDEC3C0000-memory.dmp

Filesize
192KB

Download
memory/2028-335-0x000001DDEC3C0000-0x000001DDEC3CC000-memory.dmp

Filesize
48KB

Download
memory/2028-336-0x000001DDECAF0000-0x000001DDECB0A000-memory.dmp

Filesize
104KB

Download
memory/2028-337-0x000001DDECB10000-0x000001DDECB42000-memory.dmp

Filesize
200KB

Download
memory/4756-333-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4756-272-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/4756-270-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download