hxxps://mega[.]nz/file/wulXDAYB#wkhhbD3MKy1lKv3cdU6CV332wSs4UVx4x61xwZnltcc

Analysis

max time kernel
143s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
19/03/2024, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/wulXDAYB#wkhhbD3MKy1lKv3cdU6CV332wSs4UVx4x61xwZnltcc

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3096	TeSpoofer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\TESpoofer.rar:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1388	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2192	msedge.exe
2192	msedge.exe
3596	msedge.exe
3596	msedge.exe
836	msedge.exe
836	msedge.exe
4016	identity_helper.exe
4016	identity_helper.exe
4144	msedge.exe
4144	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
3096	TeSpoofer.exe
3096	TeSpoofer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3084	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	4824	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4824	AUDIODG.EXE
Token: SeRestorePrivilege	3084	7zFM.exe
Token: 35	3084	7zFM.exe
Token: SeSecurityPrivilege	3084	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3084	7zFM.exe
3084	7zFM.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3096	TeSpoofer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 2692	3596	msedge.exe	80
PID 3596 wrote to memory of 2692	3596	msedge.exe	80
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 1632	3596	msedge.exe	81
PID 3596 wrote to memory of 2192	3596	msedge.exe	82
PID 3596 wrote to memory of 2192	3596	msedge.exe	82
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83
PID 3596 wrote to memory of 1836	3596	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/wulXDAYB#wkhhbD3MKy1lKv3cdU6CV332wSs4UVx4x61xwZnltcc
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8d6a83cb8,0x7ff8d6a83cc8,0x7ff8d6a83cd8
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\TESpoofer.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,9819332088750067771,17470184576493470759,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3476 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2832

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Tutorial.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4736

C:\Users\Admin\Desktop\TeSpoofer.exe
"C:\Users\Admin\Desktop\TeSpoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d4604cbec2768d84c36d8ab35dfed413

SHA1
a5b3db6d2a1fa5a8de9999966172239a9b1340c2

SHA256
4ea5e5f1ba02111bc2bc9320ae9a1ca7294d6b3afedc128717b4c6c9df70bde2

SHA512
c8004e23dc8a51948a2a582a8ce6ebe1d2546e4c1c60e40c6583f5de1e29c0df20650d5cb36e5d2db3fa6b29b958acc3afd307c66f48c168e68cbb6bcfc52855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
577e1c0c1d7ab0053d280fcc67377478

SHA1
60032085bb950466bba9185ba965e228ec8915e5

SHA256
1d2022a0870c1a97ae10e8df444b8ba182536ed838a749ad1e972c0ded85e158

SHA512
39d3fd2d96aee014068f3fda389a40e3173c6ce5b200724c433c48ddffe864edfc6207bb0612b8a811ce41746b7771b81bce1b9cb71a28f07a251a607ce51ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
ae10b669ee8caee80b7fa277468bc0fb

SHA1
1146b0924cad5ea290cef6027973cd13b6af6d70

SHA256
4e6419abf8202d36c41fef597596fe6de944972dac0856df2e8c36aa8f445aa7

SHA512
1e666d98ed2cd2e672fdf81f035e929085c68ccde676999f1b3e179aa650eb179e433aac5b873bcb612f7900dd6944866b7ec755135d2d3fe2d5dfdb9e16bd86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
ca71232e00b415fac0d2497c3666ea84

SHA1
3942e2ae582efa9792bc4fb52c658e7562e91365

SHA256
0de33e9286369d0cb61dafe48644b929ab3fabd89a25e94dd5012845879fdf59

SHA512
76764cd8414091d6a187d09d7241cd633c025101a04982e32d20ab1509dce255d239829bef7d04bcd82f1c8fbca7e7ec338eb75cb22ed0db645184669e63bdc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
e08735d8d04f386ff229cfdd8a901096

SHA1
e90c5ea41031dec6fee120cc3dff12883d030394

SHA256
dc42a69331760dd72e43c530f6bfe4baeaf1e8ac68edd7e6ac80d131afe9c0d0

SHA512
a1459dfe83ad0ce30a3c50bd9de00e56a57f66b6b96eda248288d5de02cb0bc5c22797e0a33188bfc09a66a0695e6b3c57ba5f0d743abf2c6e5a4b66bfd75386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ef0222076a87dd3e3b6e0f8e809848d4

SHA1
7ea7ff2a0fd4de9dbed715263e5388b5088a74e2

SHA256
964eb2050bc616a6eeb6d3f4991beba586549cb515679137b3a5642a27ba9498

SHA512
77581e4b587b3585107f7ef01c3662186b40f7f7d7edf7eda5f6e724465f945043f87aa20bac5b11c17bf071c5d6f17045041c79bdc0ab8e06831345d7c2f1ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
be2a89a0ee92dc2f460d6b9012554fc6

SHA1
8012d3ba1ecbea1097e470d4f02e5c85e25170ad

SHA256
675e993356d0f901efd8a5fb0c00d6745353213d0431eaaef168767271d02525

SHA512
855cc04cbde5fbe77d52fed47cf1ceaf4c799b5660252b7a9715e964ba4cf22ad1e9d141c669697dd9d5ac946db086714c32b08ebedae7590ba79a167feaefbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0ba9a515839d13386cebe089d4bca00f

SHA1
e831801a68292a1938075d3bca9cf80dce0fba9d

SHA256
044aa19c304be1f1bf798907b023f4439fd0160090667d3307f851b482ad9419

SHA512
b2a18afd425930c2ef3053604f0c3f57d3eeebeae69ecd6d11861f7e3f6df7ff9aa5bc21c9a4b7773aba82914b39b4c3b1244c277e2c8cea5036bc0f31b7fa5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b79d66a78973b2e38ec5d1114a9bfdf9

SHA1
bdab6ca06f62a2c70c0ea4130aee7720e40ce932

SHA256
307693f533fd1c534f205379e18bbec8f9f288a2454eccd4b2d330ef02724033

SHA512
bbeed3a56710dc95afbc341c41aaeeb8aa7804f9373d64a6697bf634d227807ecb022ce74efad505c452c2d8690fdf56568e45922caa44282059312cb514117f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c65ce1302dbda9e84829eb6a6f4d3ed8

SHA1
a81caa6092ffdd8fadae18e9d0326851334fcc1a

SHA256
31e1b5c245780becce773c83bb840b0e5fe171defab5dd8493f143215ec91f77

SHA512
6a13246599d24b7a2b589f48e85ec511489be387332c62788c6eeab8b462baf3853bd2994486c53726a6eba810e3dbd466d906668225b2d2248fdda9520b25b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c52637c09caed46b132454b1c3a70d29

SHA1
794e883725dfd8c99d20c354774298da5e245e15

SHA256
1d885a1a5f4eb6d53827b894a7b31175d32e2cc45dfa8db09e3d2e8ae5b6fafc

SHA512
50beadbb47f9e4139bc1e90476b55d6d82e95b08bb15087b9d097001ae18fdb1fd56a8a556f270acb4308e1e70756a70e2909a33cbfc1e77988e04f249797add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
7768442d607510c18feefab30f91d426

SHA1
eddf0ea8778f58ddfa12ee9cc67275f9d8323a36

SHA256
d661e81925ace2be069c474b03f618def8f5386108e362baeeebc7087cb136e8

SHA512
f6b48b4428c1c0c95be3c288fc2080f59cff3c718b678ecb515ae9256db0c4d16fa029d87506adc4dca1d9e20bc10dded8746f19ec7b8bb31c936ffcb8d02d9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e222.TMP

Filesize
48B

MD5
4ca4591541ba6023ecb6b516cd307b02

SHA1
a67769ca6a11d57e89100f002b227cf4eb763d98

SHA256
3d9ade12df2e1b6a1039bf6b8bf419cc0db72e274449fb51b510a8395bf9aa6a

SHA512
59f74395dd679f59100c9df5d149fe7da71610c781092c3c48d5f16a3a06ae69b0cccc04907316506582e0e0a9d27791efac0b96aabcd09c76f73be75799fb37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
349e04bc3dd215580b694dd8ce2de7c9

SHA1
70c10f42e1133fdbd97e236fc6b1c2d552b06f4a

SHA256
43d05dcbe2a4bb93fa6adc9943bcf924a80f932e84771d8475eebb3de5958236

SHA512
484b4fd2ce1675ecc50cf4454c3eb1d8dcfe770448c8e4ba7a012ae6b60cd67d21e2e083233c551c16581bb96e9df9e411ff7933a521c0beb8d81baaaa926f3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0a00cfdf94588fa21d06e6a3e2cae73a

SHA1
32ba2325adb3b0390999b610cb8fc47ed84e0ad7

SHA256
3e772c9a984db4d34a138885a0889f56b73d82963d32a7e176ec8f7de59ad159

SHA512
420cf9b0d1bd93d7ce911578100f5bd73ed3d9c2f9baa3fe1cc665237f5ed84837448d042147b8c347a22edeef3b8f0266d5e27f92c88a72b2f126e2b7d78a3a

Download Submit
C:\Users\Admin\Desktop\TeSpoofer.exe

Filesize
2.2MB

MD5
b6247da8e1d2a667dee4a23c648b27b7

SHA1
15e8b2288b05784c9175ce68fb198b92d193f879

SHA256
3d4ab0b541a125a5935aee3a92de3524a8420ad77002bc6f61438b21431a7aff

SHA512
07ad9b51b98967ef91616d7bef9b48e1c457f6ed63b834dad1c71ef5dbd45ca978b68088fc3d2bf5eff4aaba2dad7f7bc02bd9bf543167f1abb17f3f85b4b444

Download Submit
C:\Users\Admin\Desktop\TeSpoofer.exe

Filesize
2.0MB

MD5
11f465634596ea4b9e5491f9934f621a

SHA1
a93a66500d236487ef510476e5507cfdcdde8834

SHA256
799acba1f19193a9185308782e8c363bcfb709bc1cc5904d502803be14b28ecd

SHA512
173f12c445668d2a06b6f4ccd25ca1efa20df9a04814f197cee21301d1b0aae0a71477b10a5ccb9c60b59faa9de45bb1a798b514c2c0de0229348bfe17abd61b

Download Submit
C:\Users\Admin\Desktop\Tutorial.txt

Filesize
119B

MD5
a64c4b5df1decdd02173f3ed82b8a030

SHA1
8ae3958a62b22c8234a378eb41da23559692ac87

SHA256
fbfa032ea04c548de37109ce8011bc5fe63393da575feb638ea1dedb2669c058

SHA512
c54fea28592c70b52ac9bfac907a8ec21227d56805307e74d6e2cefad4a437f341d22b3bd0c12cd0a3a7ef7ec9ec54128ddec58112a2b6d94c4d52e9e415a2cd

Download Submit
C:\Users\Admin\Downloads\TESpoofer.rar

Filesize
4.1MB

MD5
74b22be72a80858706ac0e46d780ec4c

SHA1
75acb69813059a796c3cf424d43942b7ab5ead1e

SHA256
28af333bc28bc699f7c05c0490fb4589742893b06ecd96b0191423b15bd97bc9

SHA512
d1d25ae10dc7b7175dc2d6bbc34e9318ad1af99a8ce4d472be0b4e0dbb6177d658eb4880fd0e9907e827f07aacb970992cc6552e0c9fbc053046bbf61e02bdcc

Download Submit
C:\Users\Admin\Downloads\TESpoofer.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3096-861-0x00007FF6760F0000-0x00007FF676AA7000-memory.dmp

Filesize
9.7MB

Download
memory/3096-863-0x00007FF6760F0000-0x00007FF676AA7000-memory.dmp

Filesize
9.7MB

Download
memory/3096-864-0x00007FF6760F0000-0x00007FF676AA7000-memory.dmp

Filesize
9.7MB

Download
memory/3096-865-0x0000011C8C570000-0x0000011C8C5C9000-memory.dmp

Filesize
356KB

Download
memory/3096-866-0x00007FF6760F0000-0x00007FF676AA7000-memory.dmp

Filesize
9.7MB

Download
memory/3096-862-0x00007FF6760F0000-0x00007FF676AA7000-memory.dmp

Filesize
9.7MB

Download
memory/3096-867-0x00007FF6760F0000-0x00007FF676AA7000-memory.dmp

Filesize
9.7MB

Download
memory/3096-869-0x0000011C8C570000-0x0000011C8C5C9000-memory.dmp

Filesize
356KB

Download
memory/3096-868-0x00007FF6760F0000-0x00007FF676AA7000-memory.dmp

Filesize
9.7MB

Download