hxxps://mega[.]nz/folder/tiMlDIpD#fP2mHs5yrrp4Cor2xihu0A/file/h70CnZbY

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-de
resource tags

arch:x64arch:x86image:win10v2004-20240426-delocale:de-deos:windows10-2004-x64systemwindows
submitted
15/05/2024, 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/tiMlDIpD#fP2mHs5yrrp4Cor2xihu0A/file/h70CnZbY

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vcredist2005_x86.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000019be7eb961b76eb40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000019be7eb90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090019be7eb9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d19be7eb9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000019be7eb900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	Checker.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133602636153686634"	Checker.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3906287020-2915474608-1755617787-1000\{A28BA542-5E76-4076-AB88-F3724870539C}	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3404	msedge.exe
3404	msedge.exe
5052	msedge.exe
5052	msedge.exe
116	identity_helper.exe
116	identity_helper.exe
5456	msedge.exe
5456	msedge.exe
5472	Checker.exe
5472	Checker.exe
5536	msedge.exe
5536	msedge.exe
5024	msedge.exe
5024	msedge.exe
6016	msedge.exe
6016	msedge.exe
6016	msedge.exe
6016	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5564	WMIC.exe
Token: SeSecurityPrivilege	5564	WMIC.exe
Token: SeTakeOwnershipPrivilege	5564	WMIC.exe
Token: SeLoadDriverPrivilege	5564	WMIC.exe
Token: SeSystemProfilePrivilege	5564	WMIC.exe
Token: SeSystemtimePrivilege	5564	WMIC.exe
Token: SeProfSingleProcessPrivilege	5564	WMIC.exe
Token: SeIncBasePriorityPrivilege	5564	WMIC.exe
Token: SeCreatePagefilePrivilege	5564	WMIC.exe
Token: SeBackupPrivilege	5564	WMIC.exe
Token: SeRestorePrivilege	5564	WMIC.exe
Token: SeShutdownPrivilege	5564	WMIC.exe
Token: SeDebugPrivilege	5564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5564	WMIC.exe
Token: SeRemoteShutdownPrivilege	5564	WMIC.exe
Token: SeUndockPrivilege	5564	WMIC.exe
Token: SeManageVolumePrivilege	5564	WMIC.exe
Token: 33	5564	WMIC.exe
Token: 34	5564	WMIC.exe
Token: 35	5564	WMIC.exe
Token: 36	5564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5564	WMIC.exe
Token: SeSecurityPrivilege	5564	WMIC.exe
Token: SeTakeOwnershipPrivilege	5564	WMIC.exe
Token: SeLoadDriverPrivilege	5564	WMIC.exe
Token: SeSystemProfilePrivilege	5564	WMIC.exe
Token: SeSystemtimePrivilege	5564	WMIC.exe
Token: SeProfSingleProcessPrivilege	5564	WMIC.exe
Token: SeIncBasePriorityPrivilege	5564	WMIC.exe
Token: SeCreatePagefilePrivilege	5564	WMIC.exe
Token: SeBackupPrivilege	5564	WMIC.exe
Token: SeRestorePrivilege	5564	WMIC.exe
Token: SeShutdownPrivilege	5564	WMIC.exe
Token: SeDebugPrivilege	5564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5564	WMIC.exe
Token: SeRemoteShutdownPrivilege	5564	WMIC.exe
Token: SeUndockPrivilege	5564	WMIC.exe
Token: SeManageVolumePrivilege	5564	WMIC.exe
Token: 33	5564	WMIC.exe
Token: 34	5564	WMIC.exe
Token: 35	5564	WMIC.exe
Token: 36	5564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5572	WMIC.exe
Token: SeSecurityPrivilege	5572	WMIC.exe
Token: SeTakeOwnershipPrivilege	5572	WMIC.exe
Token: SeLoadDriverPrivilege	5572	WMIC.exe
Token: SeSystemProfilePrivilege	5572	WMIC.exe
Token: SeSystemtimePrivilege	5572	WMIC.exe
Token: SeProfSingleProcessPrivilege	5572	WMIC.exe
Token: SeIncBasePriorityPrivilege	5572	WMIC.exe
Token: SeCreatePagefilePrivilege	5572	WMIC.exe
Token: SeBackupPrivilege	5572	WMIC.exe
Token: SeRestorePrivilege	5572	WMIC.exe
Token: SeShutdownPrivilege	5572	WMIC.exe
Token: SeDebugPrivilege	5572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5572	WMIC.exe
Token: SeRemoteShutdownPrivilege	5572	WMIC.exe
Token: SeUndockPrivilege	5572	WMIC.exe
Token: SeManageVolumePrivilege	5572	WMIC.exe
Token: 33	5572	WMIC.exe
Token: 34	5572	WMIC.exe
Token: 35	5572	WMIC.exe
Token: 36	5572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5572	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5472	Checker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 4892	5052	msedge.exe	82
PID 5052 wrote to memory of 4892	5052	msedge.exe	82
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 2132	5052	msedge.exe	83
PID 5052 wrote to memory of 3404	5052	msedge.exe	84
PID 5052 wrote to memory of 3404	5052	msedge.exe	84
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85
PID 5052 wrote to memory of 1648	5052	msedge.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/tiMlDIpD#fP2mHs5yrrp4Cor2xihu0A/file/h70CnZbY
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc26bd46f8,0x7ffc26bd4708,0x7ffc26bd4718
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2296 /prefetch:2
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --service-sandbox-type=audio --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --service-sandbox-type=collections --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --service-sandbox-type=video_capture --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,7330721079866564503,16971441148044373705,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7044 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3104

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x2c8
1⤵
PID:2012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5844

C:\Users\Admin\Downloads\BlackSwipe Spoofer\BlackSwipe\D6AFD698CE0.exe
"C:\Users\Admin\Downloads\BlackSwipe Spoofer\BlackSwipe\D6AFD698CE0.exe"
1⤵
PID:1944

C:\Users\Admin\Downloads\BlackSwipe Spoofer\BlackSwipe\Serial Checker\Checker.exe
"C:\Users\Admin\Downloads\BlackSwipe Spoofer\BlackSwipe\Serial Checker\Checker.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic diskdrive get name, serialnumber
  2⤵
  PID:5452
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get name, serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic logicaldisk get name, volumeserialnumber
  2⤵
  PID:5624
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic logicaldisk get name, volumeserialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  PID:5324
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:5384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
  2⤵
  PID:5800
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:5832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic systemenclosure get serialnumber
  2⤵
  PID:5444
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic systemenclosure get serialnumber
    3⤵
    PID:5284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_NetworkAdapter where 'PNPDeviceID like '%%PCI%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'' get MacAddress
  2⤵
  PID:5352
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_NetworkAdapter where 'PNPDeviceID like '%%PCI%%' AND NetConnectionStatus=2 AND AdapterTypeID='0'' get MacAddress
    3⤵
    PID:5368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get partnumber,serialnumber, ProcessorId
  2⤵
  PID:3668
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get partnumber,serialnumber, ProcessorId
    3⤵
    PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c nvidia-smi -L
  2⤵
  PID:5900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
  2⤵
  PID:4980
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:5928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get SerialNumber
  2⤵
  PID:5952
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get SerialNumber
    3⤵
    PID:5980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Feb-2024\install_all.bat"
1⤵
PID:3668
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Feb-2024\vcredist2005_x86.exe
  vcredist2005_x86.exe /q
  2⤵
  - Adds Run key to start application
  PID:1636
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /i vcredist.msi
    3⤵
    - Enumerates connected drives
    PID:2316
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Feb-2024\vcredist2005_x64.exe
  vcredist2005_x64.exe /q
  2⤵
  PID:5584
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /i vcredist.msi
    3⤵
    PID:716

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2784
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3516
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CFBEC9B77D9C85FBD95180B2AFC1BDD4
  2⤵
  PID:5304
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 64DD96D7F4797BD73F0D7F27212B26D8
  2⤵
  PID:5576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5961a1.rbs

Filesize
74KB

MD5
31a93c2077654e5e837dd44fca2bc29f

SHA1
b061e4f46d6bad6962dc184aa147e9e105e60906

SHA256
68feb88a8c0767fe1015be27540e4e0484ff946a52daace304201ed127e4b7ec

SHA512
9e2446936f08216da905b94fb0923b8216f4f23c661e815347d856a7c92ce603d762a965ee41a28f29f14253da0bd13a62622cb3965e7057e91f209037a966f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c0d1a98b6f1297c6b1c29e943ee91ade

SHA1
3b221460928c19c23c287d406e4ea1ac841d5318

SHA256
74214c5fd9a5185bfa31bbb9aaeb9f590f2fe17d822db1cdf9285d8109a92b75

SHA512
10fc0b11520df6d813d11471d6252c76bcfa9680b394f537ff60abdfeeadf0de6da29527346423a7621112d110ace44d3afa13af86f8fc4c334c8e00b2377a50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
a89af4aace2175672ce2c298bd57b7da

SHA1
e653e6bd20ab4fee35308a52e41cebd5bbfdd0ed

SHA256
ba95c23b2aff2b28bda9ef1504464ec93fbf06098594d458f83f2051d203889f

SHA512
36c1c41ac6096066b970a80cc7ac3c309572b40dd44cc55a0b23c853747f0a02c4f973202da1204be3daa2355108159e6c08ffe8523433254344da4183832fce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
126c78542a782caefb1103a249abd1f0

SHA1
c04e79a6c3caca9c618578c7a7004fd3bfdaaabb

SHA256
6a23c81b6164159557d0c3430d69811089c4fd0dbf8f5a6ab0cf5dfe2881460f

SHA512
17d4a718b980261af3e4bed96ca1583e3c27a63de8449ccb54b727437665cde3aa35d58dee0331e9aef43d20e4f2677e00588ac117a38cf68da24a1a905df1a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
907ef230e8cc47549619c7871890eb1e

SHA1
1aa84a1b88783eeb9aabcce7cba11b936815bc1f

SHA256
6769d7debb645abf9e6bb100577d2020c45aef98fc1a291b4f5a94d39dba79b4

SHA512
c34d7b57dc052ade4ec254f269009f024dbcb95f4968f8e80e3d09d61f4cea8a56c189dbf2c77306a2df1e9b25d0f13a51c0c3a6f4957ce6c1535acef5bca8a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f35a606da403753b6c0ea6dd1e8075f

SHA1
30dceafd16cd4787be1461bbe9ea961d1b014ee8

SHA256
2af83c5b59f3277a93ec053605e6753fd4cbbe6ab84fabcc19a57e73a3da3035

SHA512
ce7c1831f35d64df1882d7423b3a42a1cfe1779b35fafe2189801d502bd13c68d7788c68717d9b5f0016c9193881fd50c9fb9e2c7aa9f4d6316b19e671f76e12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c8b4b34b25dc2960986f42bbb151b8b

SHA1
c5514eccc8183f38e8831cbfc20ee3ee3389f371

SHA256
3d7c651b2fdbfe5cdf712427588aae134621281c7f9d4d5f6274b6520a86a505

SHA512
b82b15d01691ac29def5adba1a682493d22a804188bcf91c15c9018bcb4857528e03951c4c76b03355d5bcb95aac2af7d9f9fc8742a822aebc3bceff987a1279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3fcff6f8b8d13916de966fec7baf00a2

SHA1
64c69bf64e8d64b7712655a4103492ec2d6190d9

SHA256
4370d1e3744f78410cb6785a7bf9e1cc3fc72d3f246b53af238f8f9626c18087

SHA512
1bdd655cac9dc892e81bd3cbb094f6b625028c7ebb711c355af2d1225cb225780b4512a08b6a23e850b51910f62ddba1d866265eaf8422691d0640abff6d9fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b3bc960e2579d0ae4724d00f985f9b6b

SHA1
2a5777879ab5bc86d0c3c29c720188bd8d97797c

SHA256
f749795704b7ad5be7141f1ce51f0345a95392aed4185eda3553caad3c1e0d63

SHA512
69fdac76911cf595a6ad81d038b848a2fd7baa6fd047c0b3e6e5b6c0c46541abb4d26d43a8c1a2afbdf95caafe98eb930374ac30981b8543450389d21c584039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6a9f0e3e1e93f280ec872202e0c43b61

SHA1
0a8896094c7efba06cd961953508fa359ec7ca44

SHA256
4dc56998daf3dc1d47f85a770f313bf0e3a8e1719dd411f9db2904a64863fba4

SHA512
e9319a391b844736084ab2c4cfda7ad0e606ba18072a0f1b1579dc5f3645a1f7ccf72e778b183cdc3248af1f9053a51600f7e1f9bd78a0c92f48cdb13b5b477d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579683.TMP

Filesize
48B

MD5
d34c62c582f2595a98b5747de7a93f7f

SHA1
5d27083424b59bfcdb8f9ffafea11afc847673f0

SHA256
a4a86ecd44b26055898d9b569c4d8f85bd98ed10a2a179d73a216dd60739d30f

SHA512
a377f5a601d4f2f71d5220892c8b06d496e07591adc3ae696cafc715aafe36a978048018b6df56caa42629c1d85a9701144cb481ca287e4823b6e48a025a07b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
b357c33901b55d886238a14222895cc1

SHA1
bbb9eba81921eb79d78142682109b5abb7e0f936

SHA256
8d946e7d51cfe20df1ec8b930189c47c370eae77d428f6d2e93370f9672a360e

SHA512
3b05b3689bd9e7fd75e24840745972c87fe2b9a7abb19533e3f27a3fbc94ee7151565cfee27e73a222f7cd3c883b55360e4e2f8b94a5135dd33bc984983babb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
c9814746fbc92665eab54976c5bd3992

SHA1
17ea03b0ad0517415ae218fc684c4a511a78d696

SHA256
d1bd0d7964bf6cfc5a3b514f4c08d13d77090eb673050b56e4c2f80b07359126

SHA512
fdd5a20c6998804565d8e9ba12db5d56895c15beaab9a9c88ff9174b8a64bcee86279031c58bb6ff5c126e6038a17737d8c061a404666e125d7c43be79c2b03f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58916d.TMP

Filesize
203B

MD5
07f6cb91707ce2978dceb78bce004130

SHA1
8f7b46e00160d4d772cd78a68cd1c6586dc3f400

SHA256
0d301f21cf5ff54e8c0cdcd722dc1fab346ac9ae767d9ef15c98402ff20de471

SHA512
1fd5d584a8ff1650cca2159c9b4def78dc74ec02f3eca1725b2baf4e090937e53387b001733ee138e429989723abdcaa2ded88667ecac863f946bde644b9b443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d5ba3612bc65f6e4c73e347e3337f713

SHA1
6f1401bccb5d6c04cebad56c40c9c429cac52996

SHA256
62d1747dc99744cb324b793230e7005cfdde34873cfbb5aaf7f4045c33f744e8

SHA512
81e84f4ed683528a5d4aec59da4f88ba04ee3ec4f4177ffef3fa32ddea8f8c6c7fcdfeec2457715b847b1d556f8c8d91adc3ca0cd4fad0a279c7d23cd20380e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e9356641c0d861a1b7083259ae3a42f7

SHA1
4f268abd9e90ffb33b9d157614222f82bbb7b039

SHA256
7a3f666300a92170741c0ddbe67466c0442cc4e5c38006cd9b43ca0285581b65

SHA512
4665a3a3fcdc4969ea52735ebeffe1fcdd3ed3b23521be77e103ce75b1c6acbdf6b55fd3bdc2deddc6709c9b40b71ce815f9a0f50b4d0de7144439a84490eb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab

Filesize
247KB

MD5
cc064d4b81619991de8131a86ad77681

SHA1
88d80d86cc20c27d7d2a872af719300bd2bb73f9

SHA256
913ee5a1cae3e5a1872b3a5efaaa00c58e4beb692492b138f76967da671b0477

SHA512
5aff0eb26cfc187bf58721b2b6d73357d9f1e66d1ac5340ad9ddc08b40ad0eda27a144cb3b650604637a7476c282ded83ed890de98a73ccaf0cc021da3a9eb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab

Filesize
312KB

MD5
77a9bff5af149160775741e204734d47

SHA1
7b5126af69b5a79593f39db94180f1ff11b0e39d

SHA256
20a26ed9a1edf7763a9b515522c5e29720048a482c7fbc8b7ff6bbdd27e61038

SHA512
bb0440f58f07e113bddd9a0afb5aab8af6493218784fe5fa6f4032e3a37088f91b7e766dee87cec4a9ea11d425d27b3b536430de3a52222e8bca3e0247d81e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi

Filesize
2.6MB

MD5
b20bbeb818222b657df49a9cfe4fed79

SHA1
3f6508e880b86502773a3275bc9527f046d45502

SHA256
91bdd063f6c53126737791c9eccf0b2f4cf44927831527245bc89a0be06c0cb4

SHA512
f534bc7bf1597e728940e6c3b77f864adfaa413bb1e080458326b692b0f96bddf4fbd294eeed36d7764a3578e6c8e919488bbf63b8fe2d4355ab3efd685424a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi

Filesize
3.0MB

MD5
6dbdf338a0a25cdb236d43ea3ca2395e

SHA1
685b6ea61e574e628392eaac8b10aff4309f1081

SHA256
200fef5d4994523a02c4daa00060db28eb289b99d47fc6c1305183101e72bdeb

SHA512
6b5b31c55cf72ab92b17fb6074b3901a1e6afe0796ef9bc831e4dfb97450376d2889cd24b1cf3fce60eb3c1bcd1b31254b5cfa3ef6107974dfa0b35c233daf5a

Download Submit
C:\Users\Admin\Downloads\Nicht bestätigt 277292.crdownload

Filesize
40.6MB

MD5
18e837b85348fe5efa5b02f53a2aad4c

SHA1
f6cfd105f3101040f651862d8bfd97982408999c

SHA256
51799c7a698132d3acfa56d7e5f2e03e0ede11ccdf9e96e3643d8b93f6b387ac

SHA512
8e83cd1e64c35d3d383e41bef04c7f423eb8fca9ad7e74a2d37ddb8f121f16096ec753164632f56722ecf55113f8fc7ca3bc2892064b29e55b049ac169b0eca2

Download Submit
C:\Windows\Installer\MSI63A2.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
C:\Windows\Installer\e5961a3.msi

Filesize
64KB

MD5
51a641f01caf80e26d2b3e9967ea6f0c

SHA1
9dd7fb6ac4887a43052f20574dea4f7f38b45ece

SHA256
9f111dbd2d7e6fab3f4085cf2221d394d11a1a565b1e58cb4ce91860a7157e49

SHA512
7350a20249d9cc73501613d7178ca291b0a9f0e60af1c119847e398382369b131f1250b86f5c1158738971b43e2f1423287f207c04fa9bbafc5d3e62e27db370

Download Submit