hxxps://github[.]com/ytisf/theZoo

Analysis

max time kernel
1003s
max time network
965s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ytisf/theZoo

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
79	raw.githubusercontent.com
21	camo.githubusercontent.com
25	camo.githubusercontent.com
26	camo.githubusercontent.com
27	camo.githubusercontent.com
28	camo.githubusercontent.com
33	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\.md	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\✂㖞㘀耀	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\md_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\.py\ = "py_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\py_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\py_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\py_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\md_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\md_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\md_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\.py	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\py_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\訿䞲က耀	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\py_auto_file\shell\edit\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\md_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\py_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\md_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\py_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\py_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\訿䞲က耀\ = "py_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\.md\ = "md_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\md_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\md_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\✂㖞㘀耀\ = "md_auto_file"	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
3576	msedge.exe
3576	msedge.exe
4512	identity_helper.exe
4512	identity_helper.exe
3852	msedge.exe
3852	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2880	msedge.exe
2880	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1608	OpenWith.exe
4516	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
3296	OpenWith.exe
2348	OpenWith.exe
1680	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
1608	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe
4516	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 3672	3576	msedge.exe	82
PID 3576 wrote to memory of 3672	3576	msedge.exe	82
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3304	3576	msedge.exe	83
PID 3576 wrote to memory of 3092	3576	msedge.exe	84
PID 3576 wrote to memory of 3092	3576	msedge.exe	84
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85
PID 3576 wrote to memory of 3028	3576	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ytisf/theZoo
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96ea946f8,0x7ff96ea94708,0x7ff96ea94718
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1984 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,15083347069527623358,3813726239664525647,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault7bf96f79he894h4bfbhad3dhf7fbc90ad0d8
1⤵
PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff96ea946f8,0x7ff96ea94708,0x7ff96ea94718
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13726854274672096570,2283897381931986774,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13726854274672096570,2283897381931986774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault410f3486h7f03h491eh9130hdaf5b6140508
1⤵
PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff96ea946f8,0x7ff96ea94708,0x7ff96ea94718
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,3540011085878212960,18360756995216634404,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1444 /prefetch:2
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,3540011085878212960,18360756995216634404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  PID:4540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultc1c7ee90hc68dh4291h8628hc2268b27f0e2
1⤵
PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff96ea946f8,0x7ff96ea94708,0x7ff96ea94718
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,7339822399976499558,18070681181987982728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:2024

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3296

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1608
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_theZoo-0.60.zip\theZoo-0.60\theZoo.py
  2⤵
  PID:4732

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4516
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_theZoo-0.60.zip\theZoo-0.60\README.md
  2⤵
  PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e2c71219e052bcb49590d66f813fcec

SHA1
d90d391dd58f40701eb537a7c6f0168364aca958

SHA256
70f42aaceee42f5605d7a17b9178d8a3a5cbf8ad24b6c97f5a0a09ea0efad744

SHA512
b874d10b4b62e33358618a7d8c58390ea84eccbe3c9ec8c07332b357f1c98c9b124d2640890c3d512716407e12ef0554ab0dd95c88d40fcd33f54b0c4a088517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
82189e26c57d45de7e292966a2dade7c

SHA1
24692165dd8801f6203f32b5ef7336b0f87abe02

SHA256
49622e3f1a4e45513eacae89203a194e49e16cf4938158624ee8fef219931316

SHA512
6a4da19b81e3d48a459b3c165c8a1330f84024a8c9def78ed49d361d772d469f6f52f82b8f795e3d022536e40e52cb5b964f87e335dd5f0d237bb968498047c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d515381df04a5e2a8ffe27ca3ba6ea9a

SHA1
313e9503b4a5020ec93efb51998f74972b471a5b

SHA256
52052ba1a38de5d19fe3cc6dab7533456999419a9c14d9c11eb583809b979af3

SHA512
45d51c3f55288c1605b3a3bb90a4cb5d31577deed9befe7ca88719142e6d60006621271b875e3b7e91c3dc235195333f46208712b6abfad26525491c542a7497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
51f77004659cab638c80870c59b544df

SHA1
0a2492d3ddc3ae1e8d6c851d851024649b35ff21

SHA256
bf1c6e9d68ce7c6ebfcdd1cafa01af22073884500b82757240f3e4f7b58b843d

SHA512
963ac1323bbf3bb605bcc0dce18f9619cfd3d6a765d41dd7f277f78eb97b816eb37c968f0fc0b2d8b7a1035d2422ef71f70f31b1dc72146ac87d1be85a5fa490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
65c392176f2606fa6e8e611ed96cfefd

SHA1
c8fc2c6419a6f497b158d989cc488da0cea9fe24

SHA256
14a29dde952bb5fbf6bcb9cda4f8f04ef755c9a479bb2e899007ff9a36dce3bc

SHA512
e37eb93d72e8ecffb0573209263add9c63c5e7cb5bec6f49c461dba4f9cf1a52a0d11f49288b216b192574d2d73ef09d80626a41a7b2118c69f154db7274c01e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
663B

MD5
87016d9855e0938a982bfa229bf6a599

SHA1
6fb5f052692590f856e9c1da99fb619d651b2146

SHA256
3a2ffe7152ddafd07aac54c6ff1a989301229936f021296e4b9f249c6b984cde

SHA512
0a3ff462f5701742a7ee44a6951a304249c42d2155bf23a49e3731153664b10d7d2c96376981e2e51289ff7d4645f8a1334040f6f567906846184f66138e28a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
740B

MD5
27d0311c3657e82c94ea1e5d4cb2024d

SHA1
7fba615f0beae1f22860f2dda6f15d0347781abc

SHA256
9ad1c08bd708039fd11464cc677867b1523dc3fd1256c520887f80fff5904d4b

SHA512
baa9db15b59c6629b70d24b2579e9233b216487caf8963e06f7f998eab99368c327c6f9b2608ed924073ed6b56c53012dfe2c2563a08dc22f0eaf77a4fd946a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7bb7055f2a11453a688637882d9ea787

SHA1
8bd7e0fd0f1575fb846fc35b3d8b35b6caed99e0

SHA256
d3d3d53ab06314e45020ddc2a8a6c4103cec35e3c60f8647529470a297411642

SHA512
21ce9faa2e1a125c5f1e5488355ffc2bb4189437d67f30812226645de85529af85b8cea60ab25ef73f018d9aba6e65e4227c93b47e7041c5829139fe35544785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
18e9305837671e2636f5e36a84b55c0d

SHA1
b823c955b88ceca03017b78b6f99a1c8c68b53a3

SHA256
2abf5e4be8df8ea51894e32dcef45966fa84b06580175fc961ea418062eda0c0

SHA512
655f8143d4ee64cbee198cbeb852bc81500371405651bd8c10d320bd8b3867393bfd1367d68828e72836f0412c04a647c2a087a79be60c8d90be49d9472cc218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
676343dab930ebece0a3c7b163da3e57

SHA1
6cddec728808c7c11e6b29992a6374cb6115e0fd

SHA256
f23f27a127e96c2d4098c99635081ab53f20b8b8796175a77a6c6d7d7939a6d9

SHA512
9e6f55f3ae347c1269ec03c0c4a1ebaf0d96d7faea878906701b16cfb18eca29629d326c83bbf9039f2a49a06b51d730acbfabe3bdf8681b64aae49b0f9bad92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4889edc66a499290a0693f9010023af3

SHA1
8ef5f666d3eb55482b85bf581490561fcddcfc7f

SHA256
08df159ab4376908bd2adadf3873ed1b3878b9807aae49775c6db1aa5958fb48

SHA512
bcc25df0082791aabc9c2816163a49f561b66953461f8f1316d024c631b7ebd60b8f72d9ea7d1d5e6931261ba529d589005432f031fb41aef86cff81993ac815

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af903995ff5f65eceba704b2cd7459df

SHA1
c42b5a78eb23533cf4133b953261aba5dc8e2acb

SHA256
1429d52360c1714020102a5438c0c47dd9996a8877b000b726dbadb0f334f275

SHA512
eff604ca91f6cd1c90b60bb65dd9acdf984228a22de4efa1ea4bac8dfb802b1d77962cbe0a56288c2e3ceb548579c44216ed52fb547fd41d457d6141707c10a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c607227660c4fd1dbc86a29bab74f7cd

SHA1
f9a445245c5a3f74a8289930c8eb97d02199215c

SHA256
225b50db2e3ef1fbf8452b51ac0dd7c2acfedec973ddb95b8cdee32c7db8525e

SHA512
2b6b98c899f1cd27a07a2474c5179685844c9f2dc806409211ec29c448035603d9c009bb1efaa1dc85751761173b2835c9f2e4d9d81552b5f69d4fa084f8f53d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7d4c458ec8b980b0b5c638c3db79bb60

SHA1
52f8eb90635c04e3aafcd9b3f31b3ebe5c82f8ce

SHA256
3f93b2f7d28f6375ae7401b13f3340a8219a666f574e32644274345601ef8401

SHA512
d223104bffc0817ee84ec208bf466e9f8ab1eb57ed045d05c16a5b45154c59edd39627970f229973bdbc81a74c01fcbe2b8bf358562be51ec0bbec12080cde2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
26d7698802df7e4910e86e3077f00b37

SHA1
16158ee766df458e5d15e8c3bb24942c82f08ca0

SHA256
76323a09d3270dc836f8cfbff76595533a2325bb750ffc13475233c7ca40e9c7

SHA512
bb95b83467e880accc5ce26e131307fd3b81ae0056eb58fa9887fc6b280fe8275bf037551cdc6334358b256c5877d73f2888f68bbac5ef465d5de801a0ef855f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
28c61d9303d545f729f3a2bb82310f43

SHA1
3ec578308fd8308be78316a159151ddd3f996bec

SHA256
c74599084c8e3dbbf9dc66314a1042586be0494861f8ae830324cf96263460c8

SHA512
e0f28cc6e044db193cd0e1872ab3567786e5bd457643c52b3eac1f7a6c4884db9441730249af3f42911307b73e80c5e06812b911c8f3bc85253a7701c0b9d6c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ecb034466b73ed3fae9902c708ae3dfe

SHA1
29ef26e4d45ddc6d665a060481c92c89f1169492

SHA256
89c372bc9c84fb2a4f2eb73b021c45f15c905d4805fb72362a35de4fce6a4cf0

SHA512
97458b9b2746e1dc3f8bbcafbe1dc797ec55b7fe2151f4208129ff7c7d9ca7512e7392a4bd7d3ea9fcca37a96ec4b01d809d236b57dc5bb34c4a632db0be0fca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fc00ab8e8940ae1722c76ee92ebe8c8d

SHA1
e05c173fcf363113c404a524c6e8086824312d57

SHA256
8f13abd3b76e4c2369ee158b3295537bf09bcbf66f172fdb8eef1da69e0862af

SHA512
9b1eca201f68b747e7d0bdeabd6dec5a315e44ba031dce722da38583599d167a8dbaeaceed956e5138cb099b4d5f503e4b530d92d7a6a165ac85c921cba19630

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a30c11663151a8c51bf4e67a2ba9184

SHA1
a451da68d41df1a56caf88e7416e046d807df484

SHA256
883f66ad164464c4500a58c1ad3eaaf49ef410cf3d8e15105491e0f38c57e059

SHA512
91077e3c952774e7863f27ff0771374d58ed793b4eeb5aff6af912c4bb9d6bfd6efd172e20ced7d419209de658e6500f8a8afe909b26fd5b80b9549cf53441df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8912f72a5cf6287d9cf7d70e08a02b2

SHA1
5d00b894188d497cdd53070f600ec12add231c3f

SHA256
48b45c388dbba0b2878f2ef30f563d3760af133e2a87d3ef72ac8e4c85253e45

SHA512
4fb5de44cf6f46a825a3b84c56d1769d00fcb36d8d89aad184f9df7b2959f2efeed1517b6c3abe97aadd114c0ed9e0f83d323763a802c08f71205462964d0981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cc1d878ce03600a53a368763e6e47974

SHA1
f2c1ffc559c333cf02e802676d511ad414765adb

SHA256
fcaa8d32e67626817f60c99fffa1811e3bc9f68e6745a6fa788301bd5d9f3d6f

SHA512
9da1c3ad4a70e894a407631a56db94f4a1d82c022466856df3ca74987c60d7315d0a437fdbdac7132ef40348aada737ce84935caf43811e40fa280fdca547918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7b8be323eeca674efce59601ea679ed9

SHA1
fc3ef1d3a0f968434908511ca78f0762446243e5

SHA256
0bdc80727e03a7087f949278c267ddac5c88de64442a34dfe1ce31e22c22afbb

SHA512
d18ee40e8025223426d166899fd91db1aedf171568263c39d37a258d6b85689f2834e7b2394314495dcb3ad8e6d7cf6ef3bf668780fe3397dda01ac8b99fa757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ec89d12dacdf25dd996f297585dfc9b7

SHA1
f19b9fbb5ef040edeffcfd78c6db933b8817a4a4

SHA256
61bded1301436e7a2209ff94d10ccb09de8d7fea284de05df42741f810601d82

SHA512
d7316a0b5b55ebd3a51551adf180ae23232f67e66beae23a06da046b9c22c9a6270e03d53e9eb4ae756bf4d950f2894c23f096f778ee7e8a4f21efe2e8243ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4332c2534a8b386587dd0a4a456df160

SHA1
ed6e040ae2524b2782b15f943499860b7bef6890

SHA256
35c033344e061fe410370ed4cd4ce49b1bd69b6d70cc7aa3b672c3d23f6beb02

SHA512
b27a5122d6b81af33deb71e41805d32f697e9a54f7b4a484a97f28fe170157c4cc96dd90eda89ae6a4cf544fd1e787d7255d1c8a5394129d469fca3da7a75fad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578d2c.TMP

Filesize
1KB

MD5
0c21afc4fa9edf81d6fdd4397a60b413

SHA1
af38a294a5115dc01351270d6f520dfd8f26809e

SHA256
4bde6a2d9cf7ce9ef9f35fccc372307b529b7ac51fdec49b7df40a0b4e078243

SHA512
e60cf82d6c470617679c53a22d06443cc233369d478280a61fca8985b5c13c03f21a370b9845f66ed13015b4cbb4025ddf94ce29b3786234cfc118bc832498f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dfb7950e8c59fb77e393bccc091eb4e2

SHA1
76188fe9d3606e648ff52d00fe978e5bd94d1051

SHA256
2087fcfe1cf45ec9e8876473f4902a648bd56d72b72b7ee4320f0b6590f72f4f

SHA512
ac690286867f33691809921cbd0782276940ec2aa335f42ce23cf4d123ac0ff7c6521b325f1e93a66fddd98c91d4e0b8992fcf18ef4638bd72e1be682071a20b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
797123d39b84fdf129af92ac05b85fe8

SHA1
fc70c1924df6d6cc1c1277aba83f8646187622fb

SHA256
508fbbc05840e0623af9f18331c03101898959092c65dbba2a2500c8b4c98139

SHA512
e437831f6511113ff14072f96da1562ac559e2118fa50fa1153176f906e0a85f4a4cb70b17743df316d7b4000b15883ec03f74744e645a0f6952f643ebcba08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
eb1451e490c16b3d4d2f86c9dda7fe3e

SHA1
0396350379373378a163dbd3fedf688366b1795b

SHA256
7f20ec06533b83b196b449e90e7c97084659c668ef5aee59411ce6244e983749

SHA512
c81c196c1dbbb763764c440f090d19ec5ea9aeb0b60796ae330d40689fd0df8fd14858fd6951eb9c49479d9ea1de2ed81bd68e9f7336b5028062cbfdb352b1b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
99b084c0b18549c459514d01d4af3822

SHA1
46e8412fb35312794955930faeff725a71c2f097

SHA256
6032d50b8406b757e2f0511e9a2de139c60bc7687ecab71ddc9573c047dbfe06

SHA512
561153503bbeba4197a7c86c924c2b8028d03a52c6625e62c21557cef6502c5c5fbb3ea0dd5df278c8336e06631d96c784513b4112d59cb9f9ceb28dd9fd4178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
91190134926eda667e32178523e07695

SHA1
7d4e6ad9fd9aa5e40fb79528fd326c671712822b

SHA256
7b54d34f496a4dbd25f95900256843142ae589c43d723f6b5ecbd2028699a34e

SHA512
7ae1f3a56ba83724339a69ab11ddfd920c5682fb8a0f72363b35ad8ab1a32cccac4e260296d1db83de39a63cdd55c64caae8fb0bd9bf4499da345ddccbc12c8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
11fe91a28a549a762945d10a5e546c79

SHA1
fec029ec71625fe1c57cfc55712080089ac70910

SHA256
9a82ef04be3c2bb613f82f1b5494b2124a49f7e40e01db4bbbc93579a1a6bbc5

SHA512
ef244702511baa4da5606861c709d0e81db6415acf6e2dc2561f12b1d1ea982ca0bd27031c0617dcf78c8736f36f05467f194e03dc9f9b5d8264d54efa7d0b86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
842c268b5bcaf4f5336d4150e3478a7a

SHA1
911e551be02df5390f99c5e374bf695ac8950ba3

SHA256
839c5de08709ff7a2cb4bd4090f01a5d79746fab5b93d76566c203c3ceaffdaa

SHA512
7baeef1a33e9e266202dfff9eac77795fcc19fde7a2d0509dad813419a55ffd25bef7fef39da4dec08fe11db0a97541add62b5930368a8e6ba8161b368117c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ee66be94426a261cedadc7557d21d171

SHA1
6f23a4f5d9575624ded3b7b3f17ae1313474555a

SHA256
bf7227e9e2f4f7a23fa8b156be8b1a153d3db7bd4182405c512cd4f8b689e19c

SHA512
c45aa683ef82d5d22d07f612233c97828c647836a015fbddc8067d1b876ed7bce709c27d5eed3e4948671e1010e204fdaa3c3b6f940b528c91c8f134cac60f09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn1BE.tmp

Filesize
24B

MD5
f732bf1006b6529cffba2b9f50c4b07f

SHA1
d3e8d4af812bbc4f4013c53c4ffab992d1d714e3

SHA256
77739084a27cb320f208ac1927d3d9c3cac42748dbdf6229684ef18352d95067

SHA512
064d56217aeb2980a3bfaa1e252404613624d600c3a08b5cf0adcb259596a1c60ee903fdc2650972785e5ae9b7b51890ded01ec4da7b4de94ebda08aeaf662df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn1BF.tmp

Filesize
24B

MD5
db7c049e5e4e336d76d5a744c28c54c8

SHA1
a4db9c8586b9e4fa24416eb0d00f06a9ebd16b02

SHA256
e8830e7ac4088cf3dd464caec33a0035d966a7de5ae4efc3580d59a41916ff7b

SHA512
b614037fb1c7d19d704bf15f355672114d25080223e7ee4424ad2cb7b89782219e7877b373bbc7fa44f3ad8df8a27eef4e8ccc765d44ec02a61e3b7fae88ae69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn1C0.tmp

Filesize
24B

MD5
fc94fe7bd3975e75cefad79f5908f7b3

SHA1
78e7da8d08e8898e956521d3b1babbf6524e1dca

SHA256
ee1ed3b49720b22d5fda63d3c46d62a96ca8838c76ab2d2f580b1e7745521aa5

SHA512
4ceaf9021b30734f4ce8b4d4a057539472e68c0add199cf9c3d1c1c95320da3884caf46943fc9f7281607ab7fa6476027860ebed8bbaa9c44b3f4056b5e074d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn1C1.tmp

Filesize
24B

MD5
5f243bf7cc0a348b6d31460a91173e71

SHA1
5696b34625f027ec01765fc2be49efcfd882bf8e

SHA256
1b1aed169f2acfae4cf230701bda91229cb582ff2ce29a413c5b8fe3b890d289

SHA512
9e08dfbbf20668b86df696a0d5969e04e6ee4a67e997ff392099bc7ff184b1b8965502215744be7fe423668b69099242bba54df3f0bfe4e70acdc7cad8195b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn1C2.tmp

Filesize
24B

MD5
379523b9f5d5b954e719b664846dbf8f

SHA1
930823ec80b85edd22baf555cad21cdf48f066aa

SHA256
3c9002caedf0c007134a7e632c72588945a4892b6d7ad3977224a6a5a7457bf4

SHA512
eca44de86bbc3309fa6eab400154d123dcd97dc1db79554ce58ce2426854197e2365f5eee42bac6e6e9455561b206f592e159ef82faf229212864894e6021e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn1C3.tmp

Filesize
24B

MD5
2d84ad5cfdf57bd4e3656bcfd9a864ea

SHA1
b7b82e72891e16d837a54f94960f9b3c83dc5552

SHA256
d241584a3fd4a91976fafd5ec427e88f6e60998954dec39e388af88316af3552

SHA512
0d9bc1ee51a4fb91b24e37f85afbf88376c88345483d686c6cff84066544287c98534aa701d7d4d52e53f10a3bea73ee8bc38d18425fde6d66352f8b76c0cbb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn1C4.tmp

Filesize
24B

MD5
635e15cb045ff4cf0e6a31c827225767

SHA1
f1eaaa628678441481309261fabc9d155c0dd6cb

SHA256
67219e5ad98a31e8fa8593323cd2024c1ca54d65985d895e8830ae356c7bdf1d

SHA512
81172ae72153b24391c19556982a316e16e638f5322b11569d76b28e154250d0d2f31e83e9e832180e34add0d63b24d36dd8a0cee80e8b46d96639bff811fa58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn1C5.tmp

Filesize
24B

MD5
2dd3f3c33e7100ec0d4dbbca9774b044

SHA1
b254d47f2b9769f13b033cae2b0571d68d42e5eb

SHA256
5a00cc998e0d0285b729964afd20618cbaecfa7791fecdb843b535491a83ae21

SHA512
c719d8c54a3a749a41b8fc430405db7fcde829c150f27c89015793ca06018ad9d6833f20ab7e0cfda99e16322b52a19c080e8c618f996fc8923488819e6e14bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn1C6.tmp

Filesize
24B

MD5
d192f7c343602d02e3e020807707006e

SHA1
82259c6cb5b1f31cc2079a083bc93c726bfc4fbf

SHA256
bb4d233c90bdbee6ef83e40bff1149ea884efa790b3bef496164df6f90297c48

SHA512
aec90cf52646b5b0ef00ceb2a8d739befe456d08551c031e8dec6e1f549a6535c1870adb62eec0a292787ae6a7876388dd1b2c884cba8cc6e2d7993790102f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn1C7.tmp

Filesize
24B

MD5
f6b463be7b50f3cc5d911b76002a6b36

SHA1
c94920d1e0207b0f53d623a96f48d635314924d2

SHA256
16e4d1b41517b48ce562349e3895013c6d6a0df4fcffc2da752498e33c4d9078

SHA512
4d155dfedd3d44edfbbe7ac84d3e81141d4bb665399c2a5cf01605c24bd12e6faf87bb5b666ea392e1b246005dfabde2208ed515cd612d34bac7f965fd6cc57e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn1C8.tmp

Filesize
24B

MD5
2a8875d2af46255db8324aad9687d0b7

SHA1
7a066fa7b69fb5450c26a1718b79ad27a9021ca9

SHA256
54097cccae0cfce5608466ba5a5ca2a3dfeac536964eec532540f3b837f5a7c7

SHA512
2c39f05a4dffd30800bb7fbb3ff2018cf4cc96398460b7492f05ce6afd59079fd6e3eb7c4f8384a35a954a22b4934c162a38534ad76cfb2fd772bcf10e211f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn1CB.tmp

Filesize
24B

MD5
419a089e66b9e18ada06c459b000cb4d

SHA1
ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a

SHA256
c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424

SHA512
bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
1024KB

MD5
8e87050701e696a0f6c0113db8b4f429

SHA1
c6af5f5aa55565848c80d505585365ce7b3389ca

SHA256
d8837324d6785bf06d9eb97c54993f2e4d427c41b5192a64488d0416b7d38c30

SHA512
4995237217764ec57a2c27e49a5f7fd7a4cf809b2b7a242b78b7357b52f15df251facf21cd5f2387f2f4e739a28e405b06a2bdf8f6a877d8a7dda173c1140f18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
d72f12d683411a57197a2d0829965021

SHA1
64313580ee04a4f6d3ca46d971233429062a9eee

SHA256
af2b62338ce8e9d1dbf4af23054cf8ebe9da4fdbf48399b3b7880c5cc6f6b263

SHA512
69a21ca617483ac037543550dafcd56a4da312344a232a10fab650f2411e9aa7bb0be049b4e8450c277c08e9f46963a7ef5489571f85c40e98a95c997f9a13db

Download Submit
C:\Users\Admin\Downloads\Dino.zip

Filesize
249KB

MD5
3cdb9b91b2d8b971a2cc708968097337

SHA1
e6c442016aa3c25c54e32cf9637a0b79ebaaa5e1

SHA256
66fb3bfdb601414cd35623d3dab811215f8dfa08c4189df588872fb543568684

SHA512
d7800cc749410f0bf1a316d4c6af5ca7bc0bb4f19389937fc9d5738b56800f4d04bdc541a587a76226cf3c8f3fd7a1c84cafefc3d5c3f2baa04857b61435fe83

Download Submit