734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/VineMEMZ-Original.exe
Size

39.6MB
MD5

b949ba30eb82cc79eeb7c2d64f483bcb
SHA1

8361089264726bb6cff752b3c137fde6d01f4d80
SHA256

5f6a8f0e85704eb30340a872eec136623e57ab014b4dd165c68dd8cd76143923
SHA512

e2acd4fe7627e55be3e019540269033f65d4954831a732d7a4bd50607260cd2a238832f604fa344f04be9f70e8757a9f2d797de37b440159a16bf3a6359a759b
SSDEEP

786432:1fhwEXgLYTou24XbHzjkgV5bQAH/AbkP1hn0qPQPrhBPC7wYqljbdPIa:dqgb84DPn5vhbIPdZaWljbdPIa

Score

8^/10

bootkit persistence ransomware

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MEMZ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "rekt.exe"	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "rekt.exe"	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rekt.exe"	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe\Debugger = "rekt.exe"	MEMZ.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MEMZ.exeVineMEMZ-Original.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	VineMEMZ-Original.exe

Executes dropped EXE 5 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

3456 MEMZ.exe
1892 MEMZ.exe
4328 MEMZ.exe
4484 MEMZ.exe
3276 MEMZ.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

pid	process
3456	MEMZ.exe
1892	MEMZ.exe
4328	MEMZ.exe
4484	MEMZ.exe
3276	MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

MEMZ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Data\\Pussy.png"	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exe

pid	process
4328	MEMZ.exe
4484	MEMZ.exe
4328	MEMZ.exe
4484	MEMZ.exe
1892	MEMZ.exe
1892	MEMZ.exe
1892	MEMZ.exe
4328	MEMZ.exe
4328	MEMZ.exe
1892	MEMZ.exe
4484	MEMZ.exe
4484	MEMZ.exe
4484	MEMZ.exe
4328	MEMZ.exe
4484	MEMZ.exe
4328	MEMZ.exe
1892	MEMZ.exe
1892	MEMZ.exe
1892	MEMZ.exe
4328	MEMZ.exe
1892	MEMZ.exe
4328	MEMZ.exe
4484	MEMZ.exe
4484	MEMZ.exe
4484	MEMZ.exe
4328	MEMZ.exe
4484	MEMZ.exe
4328	MEMZ.exe
1892	MEMZ.exe
1892	MEMZ.exe
1892	MEMZ.exe
4484	MEMZ.exe
4484	MEMZ.exe
1892	MEMZ.exe
4328	MEMZ.exe
4328	MEMZ.exe
4328	MEMZ.exe
4484	MEMZ.exe
4328	MEMZ.exe
4484	MEMZ.exe
1892	MEMZ.exe
1892	MEMZ.exe
4484	MEMZ.exe
1892	MEMZ.exe
1892	MEMZ.exe
4484	MEMZ.exe
4328	MEMZ.exe
4328	MEMZ.exe
4328	MEMZ.exe
4484	MEMZ.exe
4328	MEMZ.exe
4484	MEMZ.exe
1892	MEMZ.exe
1892	MEMZ.exe
1892	MEMZ.exe
4484	MEMZ.exe
1892	MEMZ.exe
4484	MEMZ.exe
4328	MEMZ.exe
4328	MEMZ.exe
4328	MEMZ.exe
4328	MEMZ.exe
4484	MEMZ.exe
4484	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MEMZ.exe

pid process

3276 MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedge.exe

pid	process
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 3076 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3076 AUDIODG.EXE

description	pid	process
Token: 33	3076	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3076	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

MEMZ.exemsedge.exe

pid	process
3276	MEMZ.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

MEMZ.exemsedge.exe

pid	process
3276	MEMZ.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VineMEMZ-Original.exeMEMZ.exeMEMZ.exemsedge.exe

description	pid	process	target process
PID 4804 wrote to memory of 3456	4804	VineMEMZ-Original.exe	MEMZ.exe
PID 4804 wrote to memory of 3456	4804	VineMEMZ-Original.exe	MEMZ.exe
PID 4804 wrote to memory of 3456	4804	VineMEMZ-Original.exe	MEMZ.exe
PID 3456 wrote to memory of 4484	3456	MEMZ.exe	MEMZ.exe
PID 3456 wrote to memory of 4484	3456	MEMZ.exe	MEMZ.exe
PID 3456 wrote to memory of 4484	3456	MEMZ.exe	MEMZ.exe
PID 3456 wrote to memory of 4328	3456	MEMZ.exe	MEMZ.exe
PID 3456 wrote to memory of 4328	3456	MEMZ.exe	MEMZ.exe
PID 3456 wrote to memory of 4328	3456	MEMZ.exe	MEMZ.exe
PID 3456 wrote to memory of 1892	3456	MEMZ.exe	MEMZ.exe
PID 3456 wrote to memory of 1892	3456	MEMZ.exe	MEMZ.exe
PID 3456 wrote to memory of 1892	3456	MEMZ.exe	MEMZ.exe
PID 3456 wrote to memory of 3276	3456	MEMZ.exe	MEMZ.exe
PID 3456 wrote to memory of 3276	3456	MEMZ.exe	MEMZ.exe
PID 3456 wrote to memory of 3276	3456	MEMZ.exe	MEMZ.exe
PID 3276 wrote to memory of 1392	3276	MEMZ.exe	notepad.exe
PID 3276 wrote to memory of 1392	3276	MEMZ.exe	notepad.exe
PID 3276 wrote to memory of 1392	3276	MEMZ.exe	notepad.exe
PID 3276 wrote to memory of 5060	3276	MEMZ.exe	msedge.exe
PID 3276 wrote to memory of 5060	3276	MEMZ.exe	msedge.exe
PID 5060 wrote to memory of 3720	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3720	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 3148	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 5072	5060	msedge.exe	msedge.exe
PID 5060 wrote to memory of 5072	5060	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\VineMEMZ-Original.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\VineMEMZ-Original.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Roaming\MEMZ.exe
"C:\Users\Admin\AppData\Roaming\MEMZ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456

C:\Users\Admin\AppData\Roaming\MEMZ.exe
/watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4484

C:\Users\Admin\AppData\Roaming\MEMZ.exe
/watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Users\Admin\AppData\Roaming\MEMZ.exe
/watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Users\Admin\AppData\Roaming\MEMZ.exe
/main
3⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ask.com/web?q=cool+toolbars
4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaa7e46f8,0x7fffaa7e4708,0x7fffaa7e4718
5⤵
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
5⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
5⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
5⤵
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
5⤵
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
5⤵
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
5⤵
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
5⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
5⤵
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
5⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:8
5⤵
PID:2608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:8
5⤵
PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
5⤵
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
5⤵
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
5⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
5⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
5⤵
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
5⤵
PID:5760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
5⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
5⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
5⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
5⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
5⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
5⤵
PID:988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
5⤵
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
5⤵
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6012 /prefetch:8
5⤵
PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
5⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:1
5⤵
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5204464437599162635,6723016890416730739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
5⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=expand+dong
4⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fffaa7e46f8,0x7fffaa7e4708,0x7fffaa7e4718
5⤵
PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=stanky+danky+maymays
4⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaa7e46f8,0x7fffaa7e4708,0x7fffaa7e4718
5⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ask.com/web?q=bonzi+buddy+download+free
4⤵
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaa7e46f8,0x7fffaa7e4708,0x7fffaa7e4718
5⤵
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=pussy+destroyer
4⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaa7e46f8,0x7fffaa7e4708,0x7fffaa7e4718
5⤵
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/results?search_query=tootorals
4⤵
PID:6028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaa7e46f8,0x7fffaa7e4708,0x7fffaa7e4718
5⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=skrillex+scay+onster+an+nice+sprites+midi
4⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaa7e46f8,0x7fffaa7e4708,0x7fffaa7e4718
5⤵
PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=preventon+antivirus+download
4⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaa7e46f8,0x7fffaa7e4708,0x7fffaa7e4718
5⤵
PID:2664

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x3c0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\078aa93d-74e2-4022-ae25-be3b535d719c.tmp

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\90ee2941-4779-430c-830b-9163d36df29d.tmp

Filesize
5KB

MD5
3d1d95145955e9e550127fd94641badb

SHA1
07d9c76dbcb13948efcba03125c4ad6d16af1908

SHA256
3e459b7b48df9836586d7c14299ac3c62396ace4bfd9e84d00ba5029a7bba731

SHA512
388039dd3bd5a89a46838a274d8b5aac0d9177465727de5709c745cbaf81328f60d29ec613899e8e82a0bab579f2a9237cac031dd77b0ec00e47f2a735f6bca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
194KB

MD5
f5b4137b040ec6bd884feee514f7c176

SHA1
7897677377a9ced759be35a66fdee34b391ab0ff

SHA256
845aa24ba38524f33f097b0d9bae7d9112b01fa35c443be5ec1f7b0da23513e6

SHA512
813b764a5650e4e3d1574172dd5d6a26f72c0ba5c8af7b0d676c62bc1b245e4563952bf33663bffc02089127b76a67f9977b0a8f18eaef22d9b4aa3abaaa7c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.ask.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
80133ea7eae2e308ce64ac3d4a4b4470

SHA1
fa8f8980609fc0ff3e67cdca34e283219684742d

SHA256
5fc5e01248d1fd04f96e9b81b43709b4dcf690712c3c7b261f98b38bea4f358a

SHA512
066bb0fbdd6a337e4026ba2b86fbc1d39e2bbb7a1b873706b00fe46db15e96db661b91e694859bd2360a859db734cc7faa8457eba8007919867bdaee783e82a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b44f2cab6b8126df245b0251dd8364ff

SHA1
f7debb06350a00799f72cad96a71cdca741e39c8

SHA256
b4baa60d2d997e555ab1c9b342b1dcb09b5b4ac360b7eca06a090b96051841d7

SHA512
74f3d15bb775576aa8ccd5fbc496a64a43342b9f29398fdddc66fbc5ea43af247b69ea7053a78f2381a48bdaee01f46ad2557e7dbee58cb47fe73880fa5dbf2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d7d328dbd53159167918bf38e2a2dbae

SHA1
362e4547a6bb78b09b79bf222d7d58a850952c28

SHA256
3f50e9360a89caa291175ca806ab54426e7d353022ae2d51989f293f35d2ad31

SHA512
af4814a73a5a16c99abe6a03ff6438d6be0210ba7557e45cdf1679101456c0ac92f11db5a6184970322b4a1aee0fe05de012cd605d3cc63a98c5137aada7d4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
04a52848510f83698850b550ea2d96ff

SHA1
f53c2fcb1a3ba5c0feeb884222a3d91ad488df8e

SHA256
4e2644aa3d04089739d50acb3fcbd89e968459d9e4f65a3879c970222de2186a

SHA512
a5470e6ac66ecba9d0ad4d8a34cb2b68d78383b75bf14a90ac5ef80cc0d117f740a12d82c32834beec83caf237b14afa4312949b2acf39c085a7cbce65b02d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
aabecc4a93ebb386f59fabe2fd3b80c9

SHA1
292d5e0139f44ed5eec22bfe1a36e246308f7105

SHA256
1de15b91b333a5331c423d0b373663eb4e4311f627a4029b938b6d5373f97301

SHA512
308cf4793afeb4d814694ba6539a88174c580abfd66f2a429fc809f97d3e0e72a49ef5ffff145c308ff9df623caadd3bf378709f0970c29592e6a2d4699d4150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d197e84338449b511dafea2c096f53a4

SHA1
44f5b01d6032fc66da90764d5adc88f77db4cc13

SHA256
bd12a04b154964227db34c4c9f3cb9d0b696da224d446ea123dd4b4c37e83173

SHA512
3e643e504d0e018f5567438b6af38da9404f574d5c168433814a3431452a548eafb92e7324061ecc4a1230187743bab22048b2e0bf88ee7280462f17c30aa82a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
47216e2b3600d461866d39a94a15580b

SHA1
0227f900723c708dd7c05d862d9079363511dc43

SHA256
a8955112eb0ca151ec4168678ac8215361ba2851b2ff2418c446283beafd1f46

SHA512
66a7e68424cf76e0574857e3b7914623198d16b5fd82b6d6ffcb51bede65e30ddc0ae5106f956dd946dc4969723a56f2b0c8f0af95b083ddcc444899c15bb8d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3dc17a37e10dee4bdcf7272ac06db153

SHA1
b4c0e15805cb114b244dcd787942c32c418a8c72

SHA256
69bbecbd316a0082db75a35b2a47129200765a6ecf5e69ceb9a39692fea9974a

SHA512
a0cff248285e59605167f3a4ce8591300ad33147f18e39e67ff2542f5f44a66661b0a090994aa6e5e482604e851bc02ef1d45eae973a2dd21e236948d1d8175f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8787170d-0db3-4334-89ff-7507a5f080da\index-dir\the-real-index

Filesize
2KB

MD5
e8abb47cd43e1f6540a64e521c0d4683

SHA1
d6525df7021817b18e8381c5b4910d47aadf8e28

SHA256
5b0512306b70e66d89d63c17a131822b645cd63c6d19471830c4a901e23cf383

SHA512
f017ec6e3d6ea8cc3aa3715ebdef8cd356aa224f28cd0a1ecc0dff4d1e69f6b84dbd6fcc2fe1c81ab24d7c8a7938014b890afa6580a293cb2c9212dc618da9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\8787170d-0db3-4334-89ff-7507a5f080da\index-dir\the-real-index~RFe599c65.TMP

Filesize
48B

MD5
4790ad7c5963da91c2eb5fcc08877de0

SHA1
2081f88770c81db15d71fa62899d99674e7085ef

SHA256
486f14dc00a6b2e4980817fb9d9624d2c31981157b05bd3659caf41389758d8e

SHA512
594c05a9e820d09b8d04e4e813a01118823d029ad09442811b77a68684a91539c298143940d9db0d98fcaea8ec80cd3e697458b2c54e43777b63aa203807f0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
79870b441792a299d2775448be71ebb7

SHA1
fbd3a5936ea3d9cd03db157e4cb4a0778101394e

SHA256
53c48a20331fd9ba605269b4f44f9e1166fe5d185c0808c2b59719827b455257

SHA512
0815807f6599db976d33c26ec7eec96c3650fe9585bb9e08027a92fa89178b8664f1eff09a6139c0283bb85d292c4e8360235264bda5fd259c410966a205a77a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
15bfbb9608326e7e0b18e198925d1712

SHA1
336243ac033bf06b801dd63416bff47efd434e66

SHA256
b41da8d4e001a54bfba40425922d690aaad3db5d431e161b5de5a0ce7ea4d7bd

SHA512
fa92b0b891288ec0fc614d3aa0c34bd1655c2bb8633a4fe10ca1b6c27ac476c183503401140083c7115d92ee545d277fc7919ca41d595c3b551e7e00b0b1a824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
b20c365ed30de247a67363b8be7d5882

SHA1
548e7ce4dc19a6a2a8ac4b799e176776eb013826

SHA256
4ee564464c6cdd73cfe954d2671995ed1639038534301c230d5381121cc55d5b

SHA512
6dd73660a70d66a3a652853613aa6af0f1fae7d707bf4c3de0b1d8e6124df8adfcc2e3c00e261480d0c9220a0f131f27a3ac9191ab9334811ac54c9ebbd43194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe593510.TMP

Filesize
89B

MD5
3f9b50f37dfcda4c79ee71c1d0ff192d

SHA1
fa76cfb0d380547347bee262b0dfb5873e7efe67

SHA256
38463b35d5f0d2359bea32022eca32b62a63cc6678f72e9cd2274d78b2fd55ec

SHA512
19bc3ba5932d9e316804029ad7cbc6c56cab5e7ddf438a4c48f12b0819cd5fbd164d6c39ebd46b81e2545067524457442f7891a0fed5e082b6e235765c01e3d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
a5da51cedd0eecda4538e78bf4a0e2c9

SHA1
328fe82e64421343a1a8b8d1b4d9d86af16777ac

SHA256
1d5f7e2899f5309713a2aaa03526a32fb930c5f721f7f5d30ee77a3f3c70b789

SHA512
cb81676f981024652728e2e691c92227fc9b0e01dc34eeed06c2ecb183c02382ddf827b814c4002582ebb93f6dcde1b3e02575118c00dce1c8174613cbf43d30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
89181a58d763d107b8669f196bf1557d

SHA1
c7573c6ddf1d8876d88f3e656b810bf5bf65afdf

SHA256
bd6e4c79c22a185b95b3d7ce3ea9ccee0da942e670c1a7ffec2f15ced000a066

SHA512
92de69f6df49f7f8d5894dbb01b990b02be42b8a84cebecf91e29421beb3f97031384f7da566deccb74b955b9fdcaf6bcc6dbdf50565589c4b479f1687a7c374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58847d.TMP

Filesize
48B

MD5
02612792b4ffba5de68a5a045b7bee51

SHA1
2d6b9001419edc61ee4e5c1ae57624019236cafe

SHA256
fb8e197b52300ad3ec3b551f3f17851fefffa0590d783cd5c171b346c11010dd

SHA512
600325391403cbe76aab2f303ad8b6a1032f0ae4f920859bfb763dfebb904d49f2dbf9a3dac7aece65e2617764ad867f6eb044851270b49918a457b4a5450379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
57a04f4822b7bc03723ad9abbf693383

SHA1
a1ed4c684066ad54d6d898f3680933962595ef00

SHA256
e01ceec96f63e793b232494275e0694a98eb4bd28a3bf6881038ad85b580dbf8

SHA512
350d1df28a03ee9897cc041997c5d4a90d548d4c58d2e17bc3cc4352d0f8c01f3e34011ac2f521bde0bd4e611bbf2e2be620aaf79d2198c80f56148421a15583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
289d6e4aef8ef2dc578a215d9f3c9572

SHA1
a2f33af6963c289e99d26f4fbcf1c058485b69f0

SHA256
7124e56923a6c23ca67d721f96f0209c4f3a4df19a9c99ac640aeda327539c77

SHA512
2940e012f5cacdf24454a878034489cca2f7f2612a692e5b0a847a4ca24dac4ffce38652d20831adaa5fa243a222e85115cc832f071b48ac6426c619843f4c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f826.TMP

Filesize
1KB

MD5
ff46a89dea3053d61aa968dc4910c39e

SHA1
52c4ca2cd29a971d46937fa4260d345168f57fdf

SHA256
4b1734f96c37ebee2d230bc23e693c0fe379a31b3b92a992c064d383803a6816

SHA512
d9919731426d9f6b810e616493dfc9823863721a4685ed319c74417a5c4801c09fe52a9b33d5fdbff19aa004a2e3f88075f8ac9385cd2fffa385229b5bd6a957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a3f8af43afe98440060ca3e164ea597d

SHA1
64c79ff1562e728ceddd1f064db755f43e5ca116

SHA256
4fedaffd5b4fc0b2c080c28fea8c6a558ea1dd19731ecaea895bde901578bf1d

SHA512
3a730e1efa188e185a1f455634d8aa0156a4e18ada4a8d73572155aa010bf3b9a69660ded3a3fa0ffafd86253640569d3b5670b8618792141f2bc02f115993f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a885e272786e031baf9a033309c32bfb

SHA1
b8023930e0c957f6d4056a437180bdce885640d6

SHA256
aba3ce155d615a797f67f54d8c55af6dc751471033f92fe933b8a399c9e10f7e

SHA512
8d756e827e9c867f05f2a527be42d0bf5ba535ee3c06c133f8333c75b171104ad9349e80012d312f929e88e4c973b49632ae6275ac355eb26a0cc9abfab839c0

Download Submit
C:\Users\Admin\AppData\Roaming\Data\10.bin

Filesize
452KB

MD5
a2f47c218e2507db3b22eb7e6d780001

SHA1
218a59915bfede4b5cbf2427200566709aa05bd5

SHA256
5b60fc854544978a715bcbca8f5a3abd28bcd0bd8b50fb953318640f7a266d37

SHA512
ae7152c080773d3910eeb05a47cfb551875e65dc5d88734114d03a6526348164caf179f2fc3b743850ed90b4fb80542e8b36ca31b3ef8168302500fbc0a701ff

Download Submit
C:\Users\Admin\AppData\Roaming\Data\2.bin

Filesize
353KB

MD5
8766dce04feb646bf62206d64d6eb0ba

SHA1
91c5d588028c6c949e9cbcec950bcfaa35a791e4

SHA256
f87e1ab69bef059744ee9244f37b0f21ef7d7b06fc5245094cfa22637ef6ae9d

SHA512
0bc8fc880bb94ad55a732f2be207d88a6bb0ae8d97f91819e889d04420a71ae5d91af21861bad351c5fd7f4e944c1899b17df326bf19d310cc31a95fd38ee6a3

Download Submit
C:\Users\Admin\AppData\Roaming\Data\8.bin

Filesize
408KB

MD5
5ada580c290b53327fc8db29d5cd66c5

SHA1
a504aff6a9fa93bf4ccb69df17b5238804c659f9

SHA256
5dcf1f4b285a6dd70ec7acd77eeb5752a3d381a8a697eafd394fcde615f3ba63

SHA512
36da1958e7b4fad5367b257d9343c4eab59d50b01c610514d48eae2d0eeabf7efd06dd8fc63551a0a7e11df91aa3ceb063003cdd9c30c6755431ba218524fd49

Download Submit
C:\Users\Admin\AppData\Roaming\Data\9.bin

Filesize
13KB

MD5
f0e3d4ad2f1d09acf314a9e7a92777ff

SHA1
958224c3c98945c38f4e12ad6d1c64c4b91e189f

SHA256
b897644e314b31e0dd5159d061b9e77a512178f29a9f36076ec105e286212bb4

SHA512
28ccc056d2f5bde039cc3502a584cce3baa5cf9700fda8775344935438a6951989b3a24903693ac5e5292ff250cc27f338b783b29191948bed7ff4cc8038c8ac

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
21KB

MD5
5761ae6b5665092c45fc8e9292627f88

SHA1
a7f18d7cf5438ee7dcb4e644163f495d3fa9c0ef

SHA256
7acabca3631db2a73a5e20abd050097e44390ead1d74717aed936601904b73c2

SHA512
1d743b407663e00a296c2ae45cb5a05a0866657afafbc9e8220e4c1839cbab2c09bf2a3510ec8016f902ccb7254edddf2a3412e7f5a4cafcabbeb5724a67b46e

Download Submit
C:\Users\Admin\AppData\Roaming\data\12.bin

Filesize
4.8MB

MD5
89d0a71f2cddcd6ec0be6ab9a8b8f703

SHA1
373ceca02e5a58dfdd1e335387060cb7dea06c17

SHA256
0b032d7ec4549cdec1345d92c2e59d53438348628d50ec28274eccc8c159cc26

SHA512
2991a3e11dba87c4a9956a3ccdc9d41f6e94e7e1c533a68425c6a89c4bf8f7dbbeb88c8e49a9201e8090726fbc4c51db9dcba8d3e179795da666493c18aeea84

Download Submit
C:\note.txt

Filesize
133B

MD5
910efec550edf98bf4f4e7ab50ca8f98

SHA1
4571d44dc60e892fb22ccd0bc2c79c3553560742

SHA256
7349f657a8d247fc778b7dd68e88bc8aba73bf2c399dc17deb2c9114c038430b

SHA512
320de5e34c129dd4a742ff352cfe0be2fac5874b593631529e53d5fe513709ac01f5d1d3dfae659f36a2a33aae51534ec838f5d3748cd6d1230a0f3d29341442

Download Submit
\??\pipe\LOCAL\crashpad_5060_ZWQNFASOTSSUVRXI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3276-50-0x00000000039F0000-0x0000000003A00000-memory.dmp

Filesize
64KB

Download
memory/3276-53-0x00000000039F0000-0x0000000003A00000-memory.dmp

Filesize
64KB

Download
memory/3276-52-0x00000000039F0000-0x0000000003A00000-memory.dmp

Filesize
64KB

Download
memory/3276-48-0x00000000039F0000-0x0000000003A00000-memory.dmp

Filesize
64KB

Download
memory/3276-54-0x00000000039F0000-0x0000000003A00000-memory.dmp

Filesize
64KB

Download
memory/3276-55-0x00000000039F0000-0x0000000003A00000-memory.dmp

Filesize
64KB

Download
memory/3276-56-0x00000000039F0000-0x0000000003A00000-memory.dmp

Filesize
64KB

Download