2a45e44be359fba4c85591e7b13d1ec772ed181adc41254d8b00d31b2d15878e

max time kernel
150s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19-04-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Memz.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Memz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3040	Memz.exe
3040	Memz.exe
3040	Memz.exe
3040	Memz.exe
2008	Memz.exe
2008	Memz.exe
3040	Memz.exe
3040	Memz.exe
4056	Memz.exe
4056	Memz.exe
3896	Memz.exe
2172	Memz.exe
3896	Memz.exe
2172	Memz.exe
4056	Memz.exe
3040	Memz.exe
4056	Memz.exe
3040	Memz.exe
2008	Memz.exe
2008	Memz.exe
2008	Memz.exe
2008	Memz.exe
4056	Memz.exe
4056	Memz.exe
3040	Memz.exe
3040	Memz.exe
3896	Memz.exe
3896	Memz.exe
2172	Memz.exe
2172	Memz.exe
3040	Memz.exe
3040	Memz.exe
4056	Memz.exe
4056	Memz.exe
2008	Memz.exe
2008	Memz.exe
2008	Memz.exe
2008	Memz.exe
4056	Memz.exe
4056	Memz.exe
3040	Memz.exe
3040	Memz.exe
2172	Memz.exe
2172	Memz.exe
3896	Memz.exe
3896	Memz.exe
2008	Memz.exe
4056	Memz.exe
4056	Memz.exe
2008	Memz.exe
2008	Memz.exe
4056	Memz.exe
4056	Memz.exe
2008	Memz.exe
3896	Memz.exe
3896	Memz.exe
2172	Memz.exe
3040	Memz.exe
2172	Memz.exe
3040	Memz.exe
4056	Memz.exe
4056	Memz.exe
2008	Memz.exe
2008	Memz.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	Taskmgr.exe
Token: SeSystemProfilePrivilege	2672	Taskmgr.exe
Token: SeCreateGlobalPrivilege	2672	Taskmgr.exe
Token: 33	4544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4544	AUDIODG.EXE
Token: 33	7012	mmc.exe
Token: SeIncBasePriorityPrivilege	7012	mmc.exe
Token: 33	7012	mmc.exe
Token: SeIncBasePriorityPrivilege	7012	mmc.exe
Token: 33	7012	mmc.exe
Token: SeIncBasePriorityPrivilege	7012	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
1960	msedge.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe
2672	Taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2448	Memz.exe
5936	identity_helper.exe
6928	mmc.exe
7012	mmc.exe
7012	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 3040	4832	Memz.exe	78
PID 4832 wrote to memory of 3040	4832	Memz.exe	78
PID 4832 wrote to memory of 3040	4832	Memz.exe	78
PID 4832 wrote to memory of 3896	4832	Memz.exe	79
PID 4832 wrote to memory of 3896	4832	Memz.exe	79
PID 4832 wrote to memory of 3896	4832	Memz.exe	79
PID 4832 wrote to memory of 2172	4832	Memz.exe	80
PID 4832 wrote to memory of 2172	4832	Memz.exe	80
PID 4832 wrote to memory of 2172	4832	Memz.exe	80
PID 4832 wrote to memory of 2008	4832	Memz.exe	81
PID 4832 wrote to memory of 2008	4832	Memz.exe	81
PID 4832 wrote to memory of 2008	4832	Memz.exe	81
PID 4832 wrote to memory of 4056	4832	Memz.exe	82
PID 4832 wrote to memory of 4056	4832	Memz.exe	82
PID 4832 wrote to memory of 4056	4832	Memz.exe	82
PID 4832 wrote to memory of 2448	4832	Memz.exe	83
PID 4832 wrote to memory of 2448	4832	Memz.exe	83
PID 4832 wrote to memory of 2448	4832	Memz.exe	83
PID 2448 wrote to memory of 3928	2448	Memz.exe	86
PID 2448 wrote to memory of 3928	2448	Memz.exe	86
PID 2448 wrote to memory of 3928	2448	Memz.exe	86
PID 2448 wrote to memory of 1960	2448	Memz.exe	87
PID 2448 wrote to memory of 1960	2448	Memz.exe	87
PID 1960 wrote to memory of 1336	1960	msedge.exe	88
PID 1960 wrote to memory of 1336	1960	msedge.exe	88
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89
PID 1960 wrote to memory of 1548	1960	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\Memz.exe
"C:\Users\Admin\AppData\Local\Temp\Memz.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3896
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4056
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:3928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb99e63cb8,0x7ffb99e63cc8,0x7ffb99e63cd8
      4⤵
      PID:1336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
      4⤵
      PID:1548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
      4⤵
      PID:1932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
      4⤵
      PID:2932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      PID:3920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      4⤵
      PID:2744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
      4⤵
      PID:2804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
      4⤵
      PID:2156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
      4⤵
      PID:1652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
      4⤵
      PID:2392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
      4⤵
      PID:4980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
      4⤵
      PID:4916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
      4⤵
      PID:2520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
      4⤵
      PID:3632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
      4⤵
      PID:4544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
      4⤵
      PID:1760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
      4⤵
      PID:4140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1
      4⤵
      PID:5496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8636 /prefetch:1
      4⤵
      PID:5208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8660 /prefetch:1
      4⤵
      PID:5220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9228 /prefetch:8
      4⤵
      PID:5368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1
      4⤵
      PID:5636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:1
      4⤵
      PID:5644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7400 /prefetch:8
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
      4⤵
      PID:5352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8104 /prefetch:1
      4⤵
      PID:5536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1
      4⤵
      PID:5288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8388 /prefetch:1
      4⤵
      PID:6028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8264 /prefetch:1
      4⤵
      PID:5268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:1
      4⤵
      PID:5408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7796 /prefetch:1
      4⤵
      PID:5552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8080 /prefetch:1
      4⤵
      PID:5520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8012 /prefetch:1
      4⤵
      PID:3128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8876 /prefetch:1
      4⤵
      PID:2580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
      4⤵
      PID:7136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
      4⤵
      PID:6656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8032 /prefetch:1
      4⤵
      PID:7040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:1
      4⤵
      PID:1676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6282842534729650420,1554683933518362376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
      4⤵
      PID:3576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+get+money
    3⤵
    PID:6136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb99e63cb8,0x7ffb99e63cc8,0x7ffb99e63cd8
      4⤵
      PID:5140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+download+memz
    3⤵
    PID:6468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb99e63cb8,0x7ffb99e63cc8,0x7ffb99e63cd8
      4⤵
      PID:6488
- - C:\Windows\SysWOW64\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2672
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:6928
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:7012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
57e5c5a9236321d336e2c8ce1eeff844

SHA1
8fd4288af72ba3f7a0ecc5583a9265723fefc096

SHA256
ae6496cf397848bf3139858deaf567e3df991bab5a7704a0fa7aae95474872d7

SHA512
bc3f24afe6ce0494022d8201a01a60239ac5cfee54e0650a337036817056424b418cb636d58d07e5034dffe2226906202b56509e4cc07562c0b60f618c420080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
493e7e14aceba0ff1c0720920cccc4a2

SHA1
468f39cefbcf14a04388b72d4f02552649bf3101

SHA256
a0dd32ed60115f661a4ca537472e0d4e230ff844d56a3db766299cf4cd817842

SHA512
e16c748e4513ea10bf7124cef7b50dc5f3a1802205af9228e0c33fdbf3c24286739db08db4b813079ed7cc36be43d7457f4c26f00ae3126a2fafd77d2696107a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
99KB

MD5
4c95bb247502ed2f7c6256a286aa4da6

SHA1
50d42c3c78040364b5f4507ddcd413c075658701

SHA256
b8d20b032e83ac4d8f97929325a86c510f1c44d4173a13361f86353ffe6b27ac

SHA512
e1357d7e6f9a8c6f78bc1d1df50782b5127716b248e75e0f39a58cccad35f6d72445f170942ae27d43d35b66d168ad29a58c0a28d913ae2500b92f91051629d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
198KB

MD5
319e0c36436ee0bf24476acbcc83565c

SHA1
fb2658d5791fe5b37424119557ab8cee30acdc54

SHA256
f6562ea52e056b979d6f52932ae57b7afb04486b10b0ebde22c5b51f502c69d1

SHA512
ad902b9a010cf99bdedba405cad0387890a9ff90a9c91f6a3220cdceec1b08ecb97a326aef01b28d8d0aacb5f2a16f02f673e196bdb69fc68b3f636139059902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
bdd2e1600f1a2bcda17165ce3ed86edd

SHA1
f2fe0f11bb7a4dc137103a100723eee1577dcc72

SHA256
433f9f434dfe2ca2af176d947ee51875cf365e7324a02367e3eba9c71314634b

SHA512
144e6ee45a6f71d70f4ce6e5a8e72a262b5b5aab5f2970a1f974df3b71538f17f7e9c2dde9bcf7e8103d1d2cc4616d4771703656ec9b7d307ec8bb657b5ffd43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.vice.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
5ce93d06765d4b3177af610068819b38

SHA1
f31b00f0b4edc2fa5eee785ad23493cb026b9b95

SHA256
0120b47e1335ff53b4db0c5315829e4a411fac8c1ce49fc1aabfbb9b0f1402eb

SHA512
9911dddd6bb34b935e00b7325bcded5c2e4ccb87a0d44876a127c728d5414af6a65fea1bf98af22838b60de78dd5beb51a006828107761d8b48687b8672e8ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1712d7f71dfcc806b7b4c31c926c2135

SHA1
77a31eab8757f64ce772bb6c16f3f0912570e6b9

SHA256
30bccd4bc3d6fcd6f7caf809e24b0ca1efa5ed32978c59e7be1b149967f908a2

SHA512
2f0627f19bd3faf303dadf688160c7e0fc1693fb08e906a62d3caf37c86bd2eaaa314b7232111ee85a8a3047c1ceb5cccfcee200b27b5fb73c5163072cbb5689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
93c75606ec056e936e333f1f75d3589a

SHA1
b641c52b7fdccba24a8e03e2f58f0721e58bca04

SHA256
18535296dd14bbac5a8be7cbabbb7f3c11d9b8ed03652898fbf21c97c9d3df3c

SHA512
54c3256739e0b53ef81d3b463c2c986076b91fdb81f40f57c09ba2d293a795128f9422f02298b8ace94afb4a9e8dc03add353ff534fbff6002b56a743c06808a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
b4f10cf537d65662c0882c0363a12827

SHA1
18a54492a0121cacf02276c6a1017e9eb35dae6a

SHA256
46ee24c6f606ef669032ea9e7d0730972c825c29d7dacc900eebe2bcd5dc1db8

SHA512
b9534d3de65a40c6f9211f61548288e5814c050ab99d7f348b4037ec806da979fa876bb79621a8254aecde64078624575e0885c4bc52d571700c663d46c3a86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
4521a703e6544c3a9078bb1c2422fded

SHA1
a2abb64a03e9272ede5c5bf175e674f34d5ddb52

SHA256
54a03fbcd7035aba4c4b1a99c3b37477e9ca8f8e2fb043192de84d2f90f234ea

SHA512
aa29aede4945a7521e63686c5e6d7041df177c73e0c7d627854e8afe61e3c43764ac868aac7eff7d4c5a641dcdead9f0ce4b71f6eb1125195f878427a240d381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\1d6d67dd-46a3-4096-8002-e2c7cd8f9c11\index-dir\the-real-index

Filesize
600B

MD5
1d24325f2543e7c1996bc9f25ecc70a0

SHA1
f55dc9645ce98af0a1c76f9ac04a8aef88edc4bb

SHA256
c413d0ec25711e8155a5d6e39a3f874214e69e5a325c1a532121cae6fa4eef9c

SHA512
521db697e8b418e793696c216574703bb0af38c256555fe7dee59669e08b033815df49b7671839fc6ece10e9f98b8d3d7628ffc2f95a9fe42cdd9b51c6b88eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\1d6d67dd-46a3-4096-8002-e2c7cd8f9c11\index-dir\the-real-index

Filesize
600B

MD5
fa38d1f7e497d8940c06955e5d207f13

SHA1
8b6cd6bf7503b28624f83a12504875d268510458

SHA256
726fbc721dd1408a1ccdfc6c0715dedfd35d33af4081f066d47b8a210eba7d2c

SHA512
d8eb36f8bd2ccb262b37aa958e291576c15b6584e3b2357c1c149c9370f89260502be5946a24703580d46f73e4f8d6217fc3339af760c454f7b844473aef35a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\1d6d67dd-46a3-4096-8002-e2c7cd8f9c11\index-dir\the-real-index~RFe58eedf.TMP

Filesize
48B

MD5
80ce5b5680bf8a453861b5b29efb5712

SHA1
9ca45904d01eb5aa40ced196b8737cb745c29cf1

SHA256
b5715ce23c637563a4a256192731307bafb70ab1dd477363361b4b5f3e1be5a2

SHA512
adb59d0608707efe75e059e07e5800be74e868217fafbf62006f9dc3f75eaf316547cc38c311b5d1779098c49d644c24ed5f0544b2eada4f0b979679546c2839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\9343b04f-f2ce-4f39-9da3-be4fb6c28b9f\index-dir\the-real-index

Filesize
144B

MD5
22df576da8f081edd10493486d8f8f34

SHA1
ec7045e439dbe02c671784bd61b3f3e98c039f58

SHA256
8f2a51e224adab72ecaad341d29c6e724e705f0b1be0a7aa9fc12556e87f9701

SHA512
d76079f0a70f03b928772ca76d8609af310b6ace32700dd0e42797d667734348821ad5336b4918eee06977fd597f482ea0d0133ee97b6bcc360f0419eadc496e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\9343b04f-f2ce-4f39-9da3-be4fb6c28b9f\index-dir\the-real-index~RFe58d24f.TMP

Filesize
48B

MD5
a76f1c6b89045fb88814e247c3273976

SHA1
3a43c4d6a546126b5ee015a6667fecb02ba4bef6

SHA256
135a91c4f04bc726eb0dd5be347ce2cf630cb0ff690e9959953b5936a299d304

SHA512
ac525e6d4a3f7bcfcc2ea58b1ab33d584af74fd67406e82192c96202b4d8232548ca6c78b1de2e40d410bc3322963a558a233d076ce08f2435b34f803d4c1231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\b8bdea49-ad38-42a3-b5fc-843569401917\index-dir\the-real-index

Filesize
1KB

MD5
dc1df2f09b0db46d822e77b2817cddc8

SHA1
26b878697a5360f8af3afefe471184eeef643304

SHA256
2376fbe35ec583cb83eeab5fad7bce109e6df4c40bb107233b2ad6783287b4a1

SHA512
c298c843f89bddeec68c029075e2b99bf21536b1ab4248d4e01e5e750c77150e57bdf336b68d2809460df8e7c6286b35f3c37f94a4229b69d42acc7dc014da32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\b8bdea49-ad38-42a3-b5fc-843569401917\index-dir\the-real-index~RFe587e82.TMP

Filesize
48B

MD5
f931be32a2f5c68536bdd35a557abc7a

SHA1
4722bfc9fa23265082e5f43518d3fc1cab5723ba

SHA256
8d081ebc65958fa06dd6fa561d0d22d79a56ba7fcf248b05683a1bc8c54fcf70

SHA512
d6c8f6c06086b9e5180db97faa39bd6d36a5bfb47f0609bf603f2ea3fb31ee28da75a8b21df21479576d4a81e6cc36273312b599fca93008a9174a7f56cc0651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\da826850-de5d-47ef-98c1-7724d6986590\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\da826850-de5d-47ef-98c1-7724d6986590\index-dir\the-real-index

Filesize
72B

MD5
9ecd34b7a83fce12e9e50046d523b98d

SHA1
6c5b8cf5b48bd8c9d5e07035de5b8e599dbd8a82

SHA256
8198af79aef1a1001f7263e93b750458721d34747d3db4748c79ebc074df7961

SHA512
092d22b2ff35a576bc0355ef92d5c9de6bbd9b381fac75be15e95f60833b15c9fd7138fe1eade85267d9f2ac380ddb66b4d194e6d7be9e02e6d818626e47cd37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\da826850-de5d-47ef-98c1-7724d6986590\index-dir\the-real-index~RFe58c84c.TMP

Filesize
48B

MD5
7ed52537632b7fae6b0541f5c55e83cb

SHA1
2f156ff47c3a0432a752da3c7947c3e40161076e

SHA256
2009455303be60560e994dd58bb9c79f17f8a3c768e05c4f35ba7859d32a777d

SHA512
94f8dd1a8ab913910cc7d11ead25e40a94fc8cdf458caac7b0f85307c6c33decbde16ed5f16963b4361896cb08197e15b22710f19af624c5dfe26a128b8f2699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\index.txt

Filesize
176B

MD5
d58f8781d62d0a2353a3b5f3d00b8429

SHA1
ab8064e9093ab1a63d248a70e19087852f972ef8

SHA256
bc505ebb31a157a67f0affa258683e4e90c6544a54001a996871e3cfd934ad05

SHA512
29a64cf2be2a7342db5bb25a92922707800684ad2dff3f3320f686b43bf828d36b2734c21012e1fdfa7d3f4e1ba7aad984847d81cc3a8fbbf0664e3d3990b8e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\index.txt

Filesize
241B

MD5
0ff17c8f55bd88a4ac239f96f0d7f2e8

SHA1
369f8dd00b25a30d8c182facf67a810bfa61079c

SHA256
621129dbf29ccf7ed8ed0f66ae1029c46214a18db2c927f2a5a9b27052b1590b

SHA512
7e227463cf78109a88e46e1ea2e97b377c0efc4bde264b3be02ead6e21c62a823a4c54a76573ec2eba0de60ccba463f79046e775dbc5d5fbd59ebbf1f876a7db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\index.txt

Filesize
307B

MD5
fdd0d5a97f040b71cc4c28431ce43058

SHA1
6632af26b89bfc2a0fd952037fc2db13b6a480de

SHA256
8f02552f18b22116edbe26ffc3a8a76d2dab2686a20fd6dd0ae67bb8af209635

SHA512
7bdcf79d4aa92dc1cd884a3b85c818d7d6522b9e2f64190a9ba208b1edddcaf124c894fb904d284b73b85b451910c6b628646b8bf7039cfdf2f55c562a10360a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\index.txt

Filesize
302B

MD5
0f22c55cbe085f9ac0ae07c2e445b29d

SHA1
6900ba458554cd206565cb7e775fe9cf6fc8a5ee

SHA256
0d47c5418297199ad6b925ffc308cace7dc4e9bc666d26d11c6796cf4b64b531

SHA512
5c34751cea3b3be877a639804d7072d2e4be3f86c1dc32f7f577d420b41690f62d4914828b32e79f4b2a0892cbfc0d036292cf493ea51438dd7c961f90db8a45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\index.txt

Filesize
302B

MD5
76f2fb48a259219780585802926e765e

SHA1
f73a47b482a85bdad5e2b28daafda1c6dda44ff7

SHA256
c3b693d70f3c4fd431233aa62d803944c07f11adcb1fb7012b6cf886f858153d

SHA512
7aa16e5eb078d13c6a5657d64b88de8f97ce338f6222e6214068d473652be0e44beef013d8a3dc8245eedc47c4b676ab8b666450ef7492fca99adb1824ae72bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c5ce88bc72edbf8813410e12eaafa3c8e5ceb644\index.txt~RFe5874ed.TMP

Filesize
119B

MD5
18ed827ddefbfd7c32d1a0bffa755344

SHA1
ceb33084b90f84ce48511a89812ff1a00af3c6ab

SHA256
7b83efd2edeecabe2c1b5bc33425dde5917e81979d74cafdee177f1936c6a9d8

SHA512
6fbc50c59f518d960ca2335c5fe3531a1c805dc1cafd53e04b4ea7715968d093df2b6026551158b0777793f83801eea2fad1469ff32e147d84bb26a99232d4d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1cd92231bb5730bc88413b59dd678dea

SHA1
bbd789447c46afd0855e15887bea1b2b125dd00d

SHA256
c4a964ad1484fbee3a78eb9f19d8713c85485b62501b310bf3b97eba8c519bac

SHA512
4b322c7ab42de04192b01757c20ec6e47b21df9b003356d0f968414e5f49c907973b87aa8725b01c654b853da8fe96efd276ff34848c9d138a2907a9226c0481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe587366.TMP

Filesize
48B

MD5
700907fb4768ac8391763a02178c6e81

SHA1
c82703db199d95c8653468672ec1fff969fc45a3

SHA256
720779148f0c8303d62be959d57d382a57ae6ea099ffca691ec0dd6bd8ed3ff8

SHA512
9d4c347c698dbc41bd934602c71aa7ace77e95ccb7dd46172abd55c88f87864a8983270221cd5cb05e6d8773be8087460fa6033e52cc601acfdc55ae0b7c5c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d40088c8a91c8e9726dafe04a3cbdd8a

SHA1
9c4f4d16df8155a077d5c4a8fedbdec532f3cb40

SHA256
7c3bb4ab9bedf2b4e164d7dc0b1c5215550f3ad61fa5ebde65656d38d10491ae

SHA512
ab1a4db65fc000d0ccbb561d41844c2f128c2b46869a5bb7d8c11e327e1c3b4468669ed6349f1e2c5a723caa5a690288672c61fe725bbe17aa10bb182ced2461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589cf7.TMP

Filesize
3KB

MD5
f0ee0d061749e848bf740456fb8f34dc

SHA1
032c5a943d708b38c395dde949aded65af76279c

SHA256
6355953bb3ffe4f4bee75ec1da26a8e00834fc84c3e4459f0ee7ae92f592584e

SHA512
5521dfa79750c65336b6db1c090bb4cb1511e19a320f27820f9fe0265f25be41e71e443a92acc3b3a58c3b3586dd96e1f7552daef6bb83caaaf75f648226b492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
73be83266b8fcf900a2b2f68cf7192d6

SHA1
c213bb50470b5fe530807ec62cf8a4ab1179bf92

SHA256
5cd1cf7d84c91809523bf737ce6856163791729e8aeae65b21924512661e974a

SHA512
66f0e6eeb8714b8f05b304935df8147ba33badebd321b6392ee3ee3febc95d2d9a8e8ae3945cffffdcd5951bc0fa2981b8ec9ab9018744a165e66e25f2693091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b3a925f5f4fd11c74ec55c4e6e32bddf

SHA1
4a8b9e50c3be6c1ad89262d9e01e5a724fe65105

SHA256
c09eb3d04c4f53f55b3339eb99b87db6bfd866967834de926d9d91a539397261

SHA512
7e5d5fb778be66ded4caacadcfd0e4530da1f93d64f4fafe818c3feb44ddc86bbc06c1999c563815d1752d1a49dc8c8910fdba438c94c9500ee979fe4f218d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9ad68fc12802fb48352b07cd653cac9a

SHA1
91b036364bee4f0a19469796dbcfbeec301e9af9

SHA256
a6658a09410833b1a13ad27448bb76279c8bc80b8a2aa02b5f9196abd1eb32f9

SHA512
c7c1415e4b2e74e757c7fc005b0422a0c260a20a4cf6ff4f76b54a13e3305fb90f8442bdc8017f82c7f89d1b3bda22839035115b1d4635ddbd74822c9321a759

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2672-1759-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/2672-1761-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/2672-1762-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/2672-1763-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/2672-1764-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/2672-1765-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/2672-1760-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/2672-1755-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/2672-1754-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/2672-1753-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download