734403a96fad68cb2ef2b340adddd9cadd5894007aac703dcdb4a4cb8326c538

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/VineMEMZ-Original.exe
Size

39.6MB
MD5

b949ba30eb82cc79eeb7c2d64f483bcb
SHA1

8361089264726bb6cff752b3c137fde6d01f4d80
SHA256

5f6a8f0e85704eb30340a872eec136623e57ab014b4dd165c68dd8cd76143923
SHA512

e2acd4fe7627e55be3e019540269033f65d4954831a732d7a4bd50607260cd2a238832f604fa344f04be9f70e8757a9f2d797de37b440159a16bf3a6359a759b
SSDEEP

786432:1fhwEXgLYTou24XbHzjkgV5bQAH/AbkP1hn0qPQPrhBPC7wYqljbdPIa:dqgb84DPn5vhbIPdZaWljbdPIa

Score

8^/10

bootkit persistence ransomware

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MEMZ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "rekt.exe"	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "rekt.exe"	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rekt.exe"	MEMZ.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VineMEMZ-Original.exeMEMZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	VineMEMZ-Original.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 5 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

2024 MEMZ.exe
696 MEMZ.exe
2168 MEMZ.exe
1292 MEMZ.exe
4792 MEMZ.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe

pid	process
2024	MEMZ.exe
696	MEMZ.exe
2168	MEMZ.exe
1292	MEMZ.exe
4792	MEMZ.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

MEMZ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Data\\Pussy.png"	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{A66EE4AD-87D1-4C9D-AC8F-760D0154FCD3}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exe

pid	process
4792	MEMZ.exe
4792	MEMZ.exe
696	MEMZ.exe
696	MEMZ.exe
2168	MEMZ.exe
2168	MEMZ.exe
696	MEMZ.exe
2168	MEMZ.exe
696	MEMZ.exe
2168	MEMZ.exe
4792	MEMZ.exe
4792	MEMZ.exe
4792	MEMZ.exe
2168	MEMZ.exe
4792	MEMZ.exe
2168	MEMZ.exe
696	MEMZ.exe
696	MEMZ.exe
696	MEMZ.exe
2168	MEMZ.exe
696	MEMZ.exe
2168	MEMZ.exe
4792	MEMZ.exe
4792	MEMZ.exe
2168	MEMZ.exe
4792	MEMZ.exe
2168	MEMZ.exe
4792	MEMZ.exe
696	MEMZ.exe
696	MEMZ.exe
4792	MEMZ.exe
696	MEMZ.exe
4792	MEMZ.exe
696	MEMZ.exe
2168	MEMZ.exe
2168	MEMZ.exe
696	MEMZ.exe
2168	MEMZ.exe
696	MEMZ.exe
2168	MEMZ.exe
4792	MEMZ.exe
4792	MEMZ.exe
4792	MEMZ.exe
2168	MEMZ.exe
4792	MEMZ.exe
2168	MEMZ.exe
696	MEMZ.exe
696	MEMZ.exe
696	MEMZ.exe
696	MEMZ.exe
4792	MEMZ.exe
4792	MEMZ.exe
2168	MEMZ.exe
2168	MEMZ.exe
2168	MEMZ.exe
4792	MEMZ.exe
2168	MEMZ.exe
4792	MEMZ.exe
696	MEMZ.exe
696	MEMZ.exe
696	MEMZ.exe
2168	MEMZ.exe
696	MEMZ.exe
2168	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MEMZ.exe

pid process

1292 MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

Processes:

msedge.exe

pid	process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 4148 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 4148 AUDIODG.EXE

description	pid	process
Token: 33	4148	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4148	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

MEMZ.exemsedge.exe

pid	process
1292	MEMZ.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

MEMZ.exemsedge.exe

pid	process
1292	MEMZ.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VineMEMZ-Original.exeMEMZ.exeMEMZ.exemsedge.exe

description	pid	process	target process
PID 4660 wrote to memory of 2024	4660	VineMEMZ-Original.exe	MEMZ.exe
PID 4660 wrote to memory of 2024	4660	VineMEMZ-Original.exe	MEMZ.exe
PID 4660 wrote to memory of 2024	4660	VineMEMZ-Original.exe	MEMZ.exe
PID 2024 wrote to memory of 696	2024	MEMZ.exe	MEMZ.exe
PID 2024 wrote to memory of 696	2024	MEMZ.exe	MEMZ.exe
PID 2024 wrote to memory of 696	2024	MEMZ.exe	MEMZ.exe
PID 2024 wrote to memory of 4792	2024	MEMZ.exe	MEMZ.exe
PID 2024 wrote to memory of 4792	2024	MEMZ.exe	MEMZ.exe
PID 2024 wrote to memory of 4792	2024	MEMZ.exe	MEMZ.exe
PID 2024 wrote to memory of 2168	2024	MEMZ.exe	MEMZ.exe
PID 2024 wrote to memory of 2168	2024	MEMZ.exe	MEMZ.exe
PID 2024 wrote to memory of 2168	2024	MEMZ.exe	MEMZ.exe
PID 2024 wrote to memory of 1292	2024	MEMZ.exe	MEMZ.exe
PID 2024 wrote to memory of 1292	2024	MEMZ.exe	MEMZ.exe
PID 2024 wrote to memory of 1292	2024	MEMZ.exe	MEMZ.exe
PID 1292 wrote to memory of 4700	1292	MEMZ.exe	notepad.exe
PID 1292 wrote to memory of 4700	1292	MEMZ.exe	notepad.exe
PID 1292 wrote to memory of 4700	1292	MEMZ.exe	notepad.exe
PID 1292 wrote to memory of 5080	1292	MEMZ.exe	msedge.exe
PID 1292 wrote to memory of 5080	1292	MEMZ.exe	msedge.exe
PID 5080 wrote to memory of 5032	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 5032	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 3252	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 2836	5080	msedge.exe	msedge.exe
PID 5080 wrote to memory of 2836	5080	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\VineMEMZ-Original.exe
"C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\VineMEMZ-Original.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Users\Admin\AppData\Roaming\MEMZ.exe
  "C:\Users\Admin\AppData\Roaming\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:696
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4792
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2168
- - C:\Users\Admin\AppData\Roaming\MEMZ.exe
    /main
    3⤵
    - Sets file execution options in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Sets desktop wallpaper using registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:4700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ask.com/web?q=free+midi+download
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec3d146f8,0x7ffec3d14708,0x7ffec3d14718
        5⤵
        
        PID:5032
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        5⤵
        
        PID:3252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
        5⤵
        
        PID:2836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
        5⤵
        
        PID:544
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        5⤵
        
        PID:1908
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:3412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
        5⤵
        
        PID:4672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
        5⤵
        
        PID:4188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
        5⤵
        
        PID:3892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
        5⤵
        
        PID:3940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:8
        5⤵
        
        PID:2880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:8
        5⤵
        
        PID:3128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
        5⤵
        
        PID:452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
        5⤵
        
        PID:2888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
        5⤵
        
        PID:3084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
        5⤵
        
        PID:4892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
        5⤵
        
        PID:452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
        5⤵
        
        PID:4196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
        5⤵
        
        PID:2284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
        5⤵
        
        PID:208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5888 /prefetch:8
        5⤵
        
        PID:5128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
        5⤵
        
        PID:6000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
        5⤵
        
        PID:6124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
        5⤵
        
        PID:5916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
        5⤵
        
        PID:4968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
        5⤵
        
        PID:5352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6724 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:5584
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
        5⤵
        
        PID:396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1
        5⤵
        
        PID:5288
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
        5⤵
        
        PID:5384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
        5⤵
        
        PID:5696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1300 /prefetch:1
        5⤵
        
        PID:5780
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
        5⤵
        
        PID:1472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10558360438857338337,11876952883865079238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
        5⤵
        
        PID:5856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=preventon+antivirus+download
      4⤵
      PID:1256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec3d146f8,0x7ffec3d14708,0x7ffec3d14718
        5⤵
        
        PID:2076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/results?search_query=tootorals
      4⤵
      PID:4852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec3d146f8,0x7ffec3d14708,0x7ffec3d14718
        5⤵
        
        PID:1376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ask.com/web?q=how+to+get+cursormania+in+2016
      4⤵
      PID:5932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec3d146f8,0x7ffec3d14708,0x7ffec3d14718
        5⤵
        
        PID:5948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bing.com/search?q=smash+mouth+all+star+midi
      4⤵
      PID:5816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec3d146f8,0x7ffec3d14708,0x7ffec3d14718
        5⤵
        
        PID:2428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=smileystoolbar+download
      4⤵
      PID:4464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec3d146f8,0x7ffec3d14708,0x7ffec3d14718
        5⤵
        
        PID:5204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=succ
      4⤵
      PID:5580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec3d146f8,0x7ffec3d14708,0x7ffec3d14718
        5⤵
        
        PID:5608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=cool+toolbars
      4⤵
      PID:5656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec3d146f8,0x7ffec3d14708,0x7ffec3d14718
        5⤵
        
        PID:2240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x390 0x4a8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
194KB

MD5
f5b4137b040ec6bd884feee514f7c176

SHA1
7897677377a9ced759be35a66fdee34b391ab0ff

SHA256
845aa24ba38524f33f097b0d9bae7d9112b01fa35c443be5ec1f7b0da23513e6

SHA512
813b764a5650e4e3d1574172dd5d6a26f72c0ba5c8af7b0d676c62bc1b245e4563952bf33663bffc02089127b76a67f9977b0a8f18eaef22d9b4aa3abaaa7c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
1.1MB

MD5
60021246cef1f0978983114d1fd51250

SHA1
b4cd22c3fa223376820c53fab738473732a0682e

SHA256
5cf8acb556090e2c26d420340e174d7948ca191e0334ddb1258da8844d4a2f3f

SHA512
ba1395b1814e266915c44e7b72f6f4d3a9528eb60948a1d9a6b501d129dcee6d8fe22125e569a618c25bd89b9128e088b3ba6c0ebcad3804a128f38f0e614b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.ask.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.ask.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
a97ae3dc8cbafad7073eae5faa6d92d3

SHA1
f7dc31712f47b4ab982aa9121637daa5a4c73d60

SHA256
d0443fab6ec57722a29827d9953d63c16bfb6c04ee2ab33a4784fb807ae61233

SHA512
19666b25cb56dad4697e4e7a18a072921916163dfcc71638fe9482eb38155de4f41163dc90bee9c6289360c02bb11ce4e6f7bd03bafa9b26a3bb9a39aee0775f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
beb44835c160058c95482a6b19c7be8a

SHA1
9a26440be9beaebb64858a167f783cf5856627cd

SHA256
37a5ab9fcf6106e61450e56063ab4f9fde0e24581ca0d92e1f555906033db3a0

SHA512
d1523a9dd3dd6a9380e4d57b709e903ae8e44409d4f624c1e64a87049fcf2d862bf274518f676491d837de9e12c0c541cb41ff209d96ad421d610aacd7fa180f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d2f75c70f3abfe6941333598de6e36a0

SHA1
1d80b4ff28c6eebddf4905b6bab7842fe30b745d

SHA256
e6f24270e957eacd1c0e9f0ee078c0aaac455d42f56e1e9dccad711494fd6040

SHA512
9b3f252c1da2ef0a0b04c2f52900e1befb1a3d84d57b60ccefd056332ed2e4f1d51c936bd36fcfcfeb56c16562d5b224c57be70679197cf7a5e8c88f62f89d5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
40fbb580d4b3835ee3df4b11424199c4

SHA1
5448d091cca39d644e0284f781d3cb4963a22299

SHA256
ec802fbc6682eb65cdc6b533fd84035e16975dac021753e206f50244b4be4b16

SHA512
80730f0f04a8861b96a497504a38c4e5b51657d5705fd9201c6c65ffe7c05306ecadfaa232a9b093f30e78e22773022d2d9c303ff6f5f4d1f40cb97cf11b168f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
28df34a717247b469d1c811e91211e35

SHA1
111cbb5cca68bb2b49b553149f5b5b728ce2cee0

SHA256
dce99c7afe71a892eec5bb20e88d41671d8e5f5ba25d8a81a2bc72a8c610cfdd

SHA512
ce6ec436d7cd47c8ba597b0f56ac6ea5790b6de060bbcf278599b100b0ddeea82906c8966540f052f537bd4298aea784f8dba608f70393cbc0dc80883e9515f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
3c0ead0e482cc9f2ea12ba23057533bb

SHA1
6f990c0a8d76850da499404145427ec67907961b

SHA256
c95fcc25be675ec256c95eeb16985a5e626e1cc41bdad4f6a2d3dcda3e8360af

SHA512
a28312d7c5566ab79b7eac32668d56634dd073521d840bc3c662310a6a3b40376ea6fd1de3f354ed3909f7471a42d10228b85dc4cf091b34c363ae977dcdf0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b66f35f7ff7b1d0843c9adac00fd3301

SHA1
52229b132ffae6797377fd39cfef38d873e3e91a

SHA256
17f874b34f7075efe9a0c3373035051044d6c0b9b73779925821c8e7255f441f

SHA512
a61138472835bf2ec362d35ff31b4828f4133f275b16e53fb76f39154f2a5ea2ea3eb77df1075b8440d6f142baea27ff8bfa4bd14b53dc270a5f03a7ac812dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f78f2d2587efa0c15becc610e5e0ed16

SHA1
026ed4b1b8ec5a577914d04b9dec11aeb65a871d

SHA256
4848558837af8ec8a5dda1119f1e6a55e4df0804be7cf63612c2d3fa821165f6

SHA512
5fb0477ef433eba5bd9b8a57df24b99fb40bee579f9ce0ab5f80f4f77c5df04b5d3fbb0d3824cb7f69f4650c34f1a4e73d345eac2c2682cf3de7c14c7f2115ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a2052eccfb6eca41de49e8b05d1787c6

SHA1
b5b39d5f363ced043f3f8dabcd5ebf1b68da9c8c

SHA256
b2fdd46154030391807d47a444d60a13eb1b1f327c7c053db930068a2241a2b0

SHA512
0f84ec38ebd2496a8f4af033a8263a1e4aebbaf303f06eeb549751e5304212a70b3f23f40dd4e8fdecbb4a1d13a771243d6343ad00f844533cfe1ee919caf0c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c62963bee1260be11074e2377bd787b8

SHA1
8e1733d59e76959fcfbbb9139b4dfbd37f6b64e9

SHA256
0de1a829eae627e47cb0c5f8f6310a0c41d781400e98307ba2e311f3ffe559c4

SHA512
83fb407429e4dbba5e0c2bfa415cdcee5951f0c5b440fb0e439a3e910b767de0cd1cb1d0d7316b097cc8a4f435914490201408915f7cefad3610e34ef768cfcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6bd30f44-9391-45a2-b465-61ddc87c5855\index-dir\the-real-index

Filesize
2KB

MD5
39e20e4ae08de5e4511f828ad99d9305

SHA1
99f6b0369b3ffc7eccf1954802c6504210c5442c

SHA256
21f2f423f186ce8f667a1c8d49e9baa9eaca4d5b497eb9b450754bc143174267

SHA512
03a8d05fda7610e5689a1e77c2a5a6d98682088aece4858a4ad6604d6d105639b3a68ad19765f4c59829c656ee81809fde074b8b915f24995b4032745d599310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6bd30f44-9391-45a2-b465-61ddc87c5855\index-dir\the-real-index~RFe591776.TMP

Filesize
48B

MD5
1fc389aa7674111532a1602e6524f8bf

SHA1
fc799c737fdec9afc33a6111f82ba05d9353b14f

SHA256
5e28bcec3c9891bee6ef001a7082ba4978f08c3a8eaea134203067cf84edbb48

SHA512
e58817e74f06b62bb7b9817bb55a7de1287070b959a2b774db68967b24bc259b96aaf433d16151c1ea8d43bb4af486712becc5d92b93625c8d470b114d335208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
355b43ef5d55efd2bc6b312c235ad6e8

SHA1
194e5ec0bb586a12082ef11b1ea3d4cf53cc27f3

SHA256
c033bc1b1f0b0babee9fb73d741a9f91130330761196d4927a9aa9040bc86774

SHA512
a55d4fbd8dfad10c3140a68ab510e0b4b0464a7196a7d0063c542390f82f74e77616ab4e41abb6637158d835c9fec5d8b17031b9cfef884e6290840a8f01c45a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
c37888d356e02b186662f029fc09d211

SHA1
92cfd67e58a2e57b27e8d7b74c2285b6ad5ef806

SHA256
976d19eba923380a74196c1085461211d9e41f63ef729492ee5b676539b84ce4

SHA512
3a40d477e43fe327688e00f430bb498ffc3422b2a073c528ebf09fd9f6da2e02172143000dd1203baee332d648a6c48d25a3c29bc80142c41273ad17bcfd9477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
5925e98c615f32b9ca2399d8bddd1379

SHA1
4c854f998583340bbc4953c30750c164a3560c52

SHA256
f0b740865e2d9c063ac4e6cc708098b111ed2e73d9800a5651b967ef38e38707

SHA512
60a701bfa7653fe1e5633811209806b9d7b958cc92db263457942871f5163c7ef4d33a8a0e88c3b5ec90dabbfa917dc66e6f4c90038a44f3dec2fabec9410524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58b0bd.TMP

Filesize
89B

MD5
04a9cde5815da7bc17721c696ec20f62

SHA1
8e0450e5f9a089b4e6414e01cccdf1034c0cbf00

SHA256
af4727444157652297448c47e2b8ee072b2d52114b0fe29cbd98a6c03fa20f2b

SHA512
066d88c81494ff7737f3be4a76404d24e8de89ff6bc4dd5ef26548008f2399b6673066c8f767467bdde60cea438a708bb6fbcf7a3289e0c05b79edb172126903

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
be1ad09a45d2874e360a6f70aaaca311

SHA1
76dd4a093de40b9909d056c538ca467c63a174bf

SHA256
9331c3feb6b02d2f5218f47f28483a9fc745063aba96716ce67d2b8fab57d32d

SHA512
cfb1981c96d758ddaae75315cd00de1c3d33a4cefc3b1f5375adc1810b35c91f18341db8d03a2e8ff83719a2a9a085a2ffdf543ac8f5f7f69ba02b67fcd393b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
77998c591093ba0ec351f75161dfe7f6

SHA1
49dc4d2ee2a07cdbe0d1e8d8fb46fef95880f423

SHA256
16c863816a7c46774f9ebdfab70a12db847e0e1cdb6513ebbe1433e5b607e4a4

SHA512
2f0215ae6b0948789facb3cdd66c186793ff465d80da5eced24345792debce3082ba704be6f2f18abb7f4ec3a3fcbc98799414cf05cadf90eb537af567a2862b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe589788.TMP

Filesize
48B

MD5
a85b804a70228d8190228eaf4a52ee18

SHA1
91a023e6274fe9c5b2336a67cca7fe7cf26031ea

SHA256
53d9879c68ec84c0779bfe4827ef2c5cb2c4ba9405f2f5624f4ab6b88287e01a

SHA512
d3dd93149af267ece0fc910ed5694ff8d37aeab6ccdd7699a5b5628a850767162875b56c744d2aa81245b83260d57c8768323e7b28557880e61bf555fe44c611

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
124676d51152b09a75816ed425aa6048

SHA1
4a97ed0a3599badeb4154741b70936d9804dd0e9

SHA256
853fb55622ce75cf9eef2d9a74897a4ebe871c91fa3483ca49ea071b023b868f

SHA512
89fb3924f03ffd5bb3a5b9e74174e5d77cd3b47c190dd22e6414155fc3b6886cef172351ba9dcdd58c348a936b24d9aeee6339938216602483352468368e75d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8dd597047bd39ee7ecc1cbb51a4c2043

SHA1
4cbcddd444c044a234ce50207fc533af034272b4

SHA256
9d80a5a9cc0fdd81b2b4cdb96a355f87f2349b619839ba1e37fa99bac9e79c26

SHA512
b2e03848a9e8ab89cac412f524e4cce2d980572f313d3bdb93af28e5c5cc461e805a3cffd4f955daa5a524606b0bcff345457ba049260c1c807798e2e25fd6f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f7c184f0f1ab3442d6ed31fab20e1edd

SHA1
0fa8d26bd944b707c09e0fbebe51fc7fd6331ec8

SHA256
eb9ac238612398dce87efcf053f2e5863fc0b7e8bdf435aca80ce52e50459d5f

SHA512
63dfde1e1baa87b20887fd53d8791521814699d0d9799cdbe6f323d1c6d5e6e43fe1b1f8cf62566c496c9e4762c85ff626a2a8d0d8b8bbf8a44879706a4eff3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
7a0e22bb2c080eddfdb6aaf1eb377a04

SHA1
fd4cd540275a66011e4d39efaecee87ae48d28cf

SHA256
cf82348ed3a151a581de4d426d3f5af3612cebf781a869d20db048be79cb640b

SHA512
909fa6599cbed554d479de52e520725e4559999e2a63d49e62891cc1a5f01fa9c7a46dd64c24d0b6095a9e900b064c0b46ac01ea872bb99ecb2c8dde64ea8439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
47568bee429f76759e850790d132e71e

SHA1
5d240744f282a7e69f2962070d12ff4b077f864b

SHA256
f3685f73108c75a9f9200b4ede93e969098da433532c8490ade7e5e9c6276811

SHA512
3d7729c7122bb61bc2c06176b90de5b3155a840b189bad2bfdcf24df428cf4af4b1e896f82f58e9de06606c4e0048a0a4d73d75c965d1f34bf73b1c42c15537c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5892e4.TMP

Filesize
1KB

MD5
47996393ef8f6a8b839d59c31ecdc430

SHA1
fcc1fd6681c13a598af621d2b544f2472038fa7b

SHA256
2fb878c78bd47d8c738db98742b7813b2e35d43466c6042e54b330a0a6f4aeb7

SHA512
fc24b89f0b7915af8aa6890cf6f9438c848266e627d43169356436133aa8ac58f6f8419b5b44f1d6866681f4f61cb847be6c37f24fd4ca2112b4a690dc2c4400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
024bbd3f37744c85512bb57355465572

SHA1
604978c2924b21eb1cb1ab874a62eaee0a7deec0

SHA256
b1b0ac6af0d6e696ef6bbd6eed6f16f216441831dc623bd562d678d056e2b319

SHA512
5e966eabb8c1520caeda4cf4023d630c14ecb9394d5d52575a6d7c18ae5c4cfc733d9525611ce09e7b91c54b83974987394e11e428103311fe12a8e0a525bffc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d5e3b463759cb11132b1b6a4d828eaf4

SHA1
b2cc19984ace2dc24cda001fc39783535190f0bb

SHA256
07343a97d9697ead2439452f79a41940f06f2f08f1b184fb0f2e78661c60456a

SHA512
f97cb220eebff444dab2e52edb8a4ef63df81b58170fca270046fdb2c7381d5a74a71988d8b1240a22f39cdd5f1cd3b8604a139822c69812838f2aa5a4c42a4d

Download Submit
C:\Users\Admin\AppData\Roaming\Data\10.bin

Filesize
452KB

MD5
a2f47c218e2507db3b22eb7e6d780001

SHA1
218a59915bfede4b5cbf2427200566709aa05bd5

SHA256
5b60fc854544978a715bcbca8f5a3abd28bcd0bd8b50fb953318640f7a266d37

SHA512
ae7152c080773d3910eeb05a47cfb551875e65dc5d88734114d03a6526348164caf179f2fc3b743850ed90b4fb80542e8b36ca31b3ef8168302500fbc0a701ff

Download Submit
C:\Users\Admin\AppData\Roaming\Data\2.bin

Filesize
353KB

MD5
8766dce04feb646bf62206d64d6eb0ba

SHA1
91c5d588028c6c949e9cbcec950bcfaa35a791e4

SHA256
f87e1ab69bef059744ee9244f37b0f21ef7d7b06fc5245094cfa22637ef6ae9d

SHA512
0bc8fc880bb94ad55a732f2be207d88a6bb0ae8d97f91819e889d04420a71ae5d91af21861bad351c5fd7f4e944c1899b17df326bf19d310cc31a95fd38ee6a3

Download Submit
C:\Users\Admin\AppData\Roaming\Data\8.bin

Filesize
408KB

MD5
5ada580c290b53327fc8db29d5cd66c5

SHA1
a504aff6a9fa93bf4ccb69df17b5238804c659f9

SHA256
5dcf1f4b285a6dd70ec7acd77eeb5752a3d381a8a697eafd394fcde615f3ba63

SHA512
36da1958e7b4fad5367b257d9343c4eab59d50b01c610514d48eae2d0eeabf7efd06dd8fc63551a0a7e11df91aa3ceb063003cdd9c30c6755431ba218524fd49

Download Submit
C:\Users\Admin\AppData\Roaming\Data\9.bin

Filesize
13KB

MD5
f0e3d4ad2f1d09acf314a9e7a92777ff

SHA1
958224c3c98945c38f4e12ad6d1c64c4b91e189f

SHA256
b897644e314b31e0dd5159d061b9e77a512178f29a9f36076ec105e286212bb4

SHA512
28ccc056d2f5bde039cc3502a584cce3baa5cf9700fda8775344935438a6951989b3a24903693ac5e5292ff250cc27f338b783b29191948bed7ff4cc8038c8ac

Download Submit
C:\Users\Admin\AppData\Roaming\MEMZ.exe

Filesize
21KB

MD5
5761ae6b5665092c45fc8e9292627f88

SHA1
a7f18d7cf5438ee7dcb4e644163f495d3fa9c0ef

SHA256
7acabca3631db2a73a5e20abd050097e44390ead1d74717aed936601904b73c2

SHA512
1d743b407663e00a296c2ae45cb5a05a0866657afafbc9e8220e4c1839cbab2c09bf2a3510ec8016f902ccb7254edddf2a3412e7f5a4cafcabbeb5724a67b46e

Download Submit
C:\Users\Admin\AppData\Roaming\data\12.bin

Filesize
5.4MB

MD5
9e0ab3181d32ac9950dbe1026b197207

SHA1
d8b53f3a93d5e2df9507b6256f2e414712347256

SHA256
a3091d14161d268924a4d6195f820c64b1811d6afbd6948dde29e267ecb56cae

SHA512
424f8f0a6e945fcd831ca0d0f73f898dad0214f38cc477cb3be8b161836e349cd5d629444033e134e2fd6b8c85cae088f177aea4e26d7192a4f60a5739584c2e

Download Submit
C:\note.txt

Filesize
133B

MD5
910efec550edf98bf4f4e7ab50ca8f98

SHA1
4571d44dc60e892fb22ccd0bc2c79c3553560742

SHA256
7349f657a8d247fc778b7dd68e88bc8aba73bf2c399dc17deb2c9114c038430b

SHA512
320de5e34c129dd4a742ff352cfe0be2fac5874b593631529e53d5fe513709ac01f5d1d3dfae659f36a2a33aae51534ec838f5d3748cd6d1230a0f3d29341442

Download Submit
\??\pipe\LOCAL\crashpad_5080_DUZDWEXOHIHPBDIB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1292-55-0x0000000003D50000-0x0000000003D60000-memory.dmp

Filesize
64KB

Download
memory/1292-48-0x0000000003D50000-0x0000000003D60000-memory.dmp

Filesize
64KB

Download
memory/1292-50-0x0000000003D50000-0x0000000003D60000-memory.dmp

Filesize
64KB

Download
memory/1292-52-0x0000000003D50000-0x0000000003D60000-memory.dmp

Filesize
64KB

Download
memory/1292-54-0x0000000003D50000-0x0000000003D60000-memory.dmp

Filesize
64KB

Download
memory/1292-56-0x0000000003D50000-0x0000000003D60000-memory.dmp

Filesize
64KB

Download
memory/1292-57-0x0000000003D50000-0x0000000003D60000-memory.dmp

Filesize
64KB

Download