c30825f4d349ffc0ff3fe7ddc6231c6d882d043e7c5748c5d5f4e61a46135536

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26/06/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c30825f4d349ffc0ff3fe7ddc6231c6d882d043e7c5748c5d5f4e61a46135536.exe
Size

6.0MB
MD5

719fe558d5b57fd6732e47743825175a
SHA1

d1e4629426b03645aa6ad91e2f8418d365b63c9a
SHA256

c30825f4d349ffc0ff3fe7ddc6231c6d882d043e7c5748c5d5f4e61a46135536
SHA512

bb460f70c29179e8b972dfa9369ab7f7126d322ccc9b7283a18ddd834e49939dbb4d2764bde8e79d7259289c49605c896945c4898b261f81550e20acd8be86d8
SSDEEP

98304:c0G1E13HhStHxV8ItdWEZ3Xy3cB27OgUWZHwuS2JBAUZLy:nGxV8It/JiY2sWpJVW

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2312	c30825f4d349ffc0ff3fe7ddc6231c6d882d043e7c5748c5d5f4e61a46135536.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2312-1-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-49-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-50-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-48-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-46-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-44-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-42-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-39-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-32-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-31-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-25-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-27-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-21-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-17-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-18-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-14-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-13-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-8-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-56-0x00000000028E0000-0x00000000028EB000-memory.dmp	upx
behavioral2/memory/2312-6-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-4-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-3-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/2312-0-0x00000000028E0000-0x00000000028EB000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	c30825f4d349ffc0ff3fe7ddc6231c6d882d043e7c5748c5d5f4e61a46135536.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2912	msedge.exe
2912	msedge.exe
4928	msedge.exe
4928	msedge.exe
1220	identity_helper.exe
1220	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2312	c30825f4d349ffc0ff3fe7ddc6231c6d882d043e7c5748c5d5f4e61a46135536.exe
2312	c30825f4d349ffc0ff3fe7ddc6231c6d882d043e7c5748c5d5f4e61a46135536.exe
2312	c30825f4d349ffc0ff3fe7ddc6231c6d882d043e7c5748c5d5f4e61a46135536.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 4928	2312	c30825f4d349ffc0ff3fe7ddc6231c6d882d043e7c5748c5d5f4e61a46135536.exe	99
PID 2312 wrote to memory of 4928	2312	c30825f4d349ffc0ff3fe7ddc6231c6d882d043e7c5748c5d5f4e61a46135536.exe	99
PID 4928 wrote to memory of 3168	4928	msedge.exe	100
PID 4928 wrote to memory of 3168	4928	msedge.exe	100
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 5044	4928	msedge.exe	101
PID 4928 wrote to memory of 2912	4928	msedge.exe	102
PID 4928 wrote to memory of 2912	4928	msedge.exe	102
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103
PID 4928 wrote to memory of 2500	4928	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\c30825f4d349ffc0ff3fe7ddc6231c6d882d043e7c5748c5d5f4e61a46135536.exe
"C:\Users\Admin\AppData\Local\Temp\c30825f4d349ffc0ff3fe7ddc6231c6d882d043e7c5748c5d5f4e61a46135536.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://changkongbao.lanzouq.com/ikW9T1cfeg5e
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe76ce46f8,0x7ffe76ce4708,0x7ffe76ce4718
    3⤵
    PID:3168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
    3⤵
    PID:2500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:1912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    3⤵
    PID:1744
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
    3⤵
    PID:2112
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
    3⤵
    PID:3888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
    3⤵
    PID:3944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
    3⤵
    PID:1168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
    3⤵
    PID:3880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
    3⤵
    PID:4648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
    3⤵
    PID:928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,14463075096080068248,5485878498793177072,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
    3⤵
    PID:4208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3eb1c026c5756be4cc057bcdc5b9007c

SHA1
fa28be71594dab8b78081c50042471fa9dd24567

SHA256
3e2fa089bc111b532961e82266e6e774c8774c44c50029ba1f9fb9f5340f4af8

SHA512
8dbb26e2a36215b180d583d855cd11f3d7019b47c544b3d96da9341ea1e11260303755a5360d30e62de6f4482297bdefbdd261c2fe82b61072a9cff0c60418da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8e680c615a827d11d99447a596d6fbf

SHA1
cce3271f752e0f74c190a32ef855c170883f4218

SHA256
c0f18bffc35c6a54bc690473a68f7b3b4bc5a22038ac7400b6d05ed2e61f422e

SHA512
4915a176e81763e74dd420a5830a5c7e874fe8c0bcc39648c39b9638de8491eba6b8efbfb53c40d7d2f1857fada1888fbe9dbb1f844f5d604efa22078966d58a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fb29878937c75510589cb29964473d8c

SHA1
aa138784f6e175259dc533c215583e0a8ed3cc1e

SHA256
aec81946e0cd9d785e540094f3575fc09e088ea24505983fd55a77e66c126faf

SHA512
bc510d9efb56177f6e5f5679d42edfea34d8cc3bacaeaf83619d17cbaa51eb475ff5ae315e5d69f12ee4b83c866128f0d9166aa6e6f70973031af0c7d968d31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExuiKrnln_Win32_20230421.lib

Filesize
1.5MB

MD5
ef48d7cc52338513cc0ce843c5e3916b

SHA1
20965d86b7b358edf8b5d819302fa7e0e6159c18

SHA256
835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8

SHA512
fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

Filesize
10KB

MD5
b6bffed88dc920f4daccf1a83dbf7f8b

SHA1
9d6e4a7b272cb725a143a588e1fe7b0ca6374b0b

SHA256
88e93194d4660d8c6f3f70591eef2e73ee460bbca08932cd7bec4393a6c7a36b

SHA512
d603a3aca6149b8dba1a1c3ca84d09d39459c21e10d4ef25ea88807cd0901f5a749dd7f97d4d49a9211f099e689156bc9724a73ad1e73aa580d8680d6cf25d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\·½°¸.ini

Filesize
8KB

MD5
1d67dafae0fcabbdc7ffaa3095ca3b61

SHA1
6ea71d27c8bf64ff601585c961a65c1adc9d7775

SHA256
51037184b477771ebe0558bed508315e05de95cb170a40a975d2326e97bfe88e

SHA512
b1ebb5d6d68fd2c5372114494dca30eff6107e263313b8889c4ef9b3f2311d3fc0b557bbcefa6911547727eac0b345df904993561c5a6feb87426158a4684d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\¿ì½Ý·¢ÑÔ·½°¸.txt

Filesize
204B

MD5
1f176fd422d932b3f73c59cd0e8a4d0b

SHA1
e944c5a2805bb8809ddef9402304a12e6d3a3751

SHA256
f96f94e2c2d39b65dd9ca21a66abf75ed7b4c2d03bc703c5afc71fa1ea12669e

SHA512
7b0b29b2e9f0e6730541d206fde7cd2a5318a227f67b25c56b3005acd30201d11cbec7ddcdd9ad2149981ae681adffa2b161e2588375447b4add74eaea7db225

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

Filesize
64B

MD5
49f36aa007f23eb6c74c4a2a1a3a33b1

SHA1
24bc012bf366135ed5b87fa1fae78d5a2995536f

SHA256
2454bb119c52184d858ad28c30a7178102ede54731a482b7168f1528516dd4cb

SHA512
6788124e3da25d19c0acc3f188d6e25c1eee4aaa3df0ba1aeac17a64eca3b487e6de745ad38d47aa9fa03ce1d55c7172cfd872831034da3d7aea86e88a449474

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÉèÖÃ.ini

Filesize
225B

MD5
0e66900340fc19323c256461904893d9

SHA1
daf382f14a93f5cc7a839f0d2914a7fe699cbbee

SHA256
3c0466e79066d63e524f4b8f5423409a9fcfa769334cde7b1628d5f86265be10

SHA512
2c446d717530e6e73c59f965b034ca9cd92409d5eeb2f60c9d001ef0f905e09864ab0448b929deea46a25bdab707ae61d45ab78c23cb37a6dc6c0eb85300b2b8

Download Submit
memory/2312-56-0x00000000028E0000-0x00000000028EB000-memory.dmp

Filesize
44KB

Download
memory/2312-27-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-21-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-17-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-18-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-14-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-13-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-8-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-1-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-55-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2312-6-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-4-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-57-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/2312-58-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/2312-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-2-0x0000000000400000-0x0000000000A5D000-memory.dmp

Filesize
6.4MB

Download
memory/2312-0-0x00000000028E0000-0x00000000028EB000-memory.dmp

Filesize
44KB

Download
memory/2312-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-106-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/2312-105-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2312-25-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-31-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-32-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-39-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-53-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/2312-44-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-46-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-48-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-50-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-49-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2312-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download