hxxps://www[.]mediafire[.]com/file/1oc1e04quduokx1/WorkshopDL[.]rar/file

Analysis

max time kernel
660s
max time network
653s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/1oc1e04quduokx1/WorkshopDL.rar/file

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5152	WorkshopDL.exe

Loads dropped DLL 27 IoCs

pid	Process
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
376	raw.githubusercontent.com
377	raw.githubusercontent.com
379	raw.githubusercontent.com
389	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WorkshopDL.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-195445723-368091294-1661186673-1000\{2623602A-B393-4A01-ADEC-3F8C9EE709B7}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1916	msedge.exe
1916	msedge.exe
1560	msedge.exe
1560	msedge.exe
4524	identity_helper.exe
4524	identity_helper.exe
5932	msedge.exe
5932	msedge.exe
5304	msedge.exe
5304	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe
4464	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5152	WorkshopDL.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5444	7zG.exe
Token: 35	5444	7zG.exe
Token: SeSecurityPrivilege	5444	7zG.exe
Token: SeSecurityPrivilege	5444	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe
5152	WorkshopDL.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 4844	1560	msedge.exe	82
PID 1560 wrote to memory of 4844	1560	msedge.exe	82
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1020	1560	msedge.exe	83
PID 1560 wrote to memory of 1916	1560	msedge.exe	84
PID 1560 wrote to memory of 1916	1560	msedge.exe	84
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85
PID 1560 wrote to memory of 4228	1560	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/1oc1e04quduokx1/WorkshopDL.rar/file
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8be5d46f8,0x7ff8be5d4708,0x7ff8be5d4718
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7664 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7640 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7776 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=8076 /prefetch:8
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7928 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8128 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7976 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8088 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3104 /prefetch:8
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,17464084004187283693,3269374158108121341,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5740

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap28368:82:7zEvent27804
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5444

C:\Users\Admin\Downloads\WorkshopDL\WorkshopDL.exe
"C:\Users\Admin\Downloads\WorkshopDL\WorkshopDL.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:5152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0dc31145339977b457eec605c4e1a567

SHA1
deb6ff8183afdaafd849858c821af52f93936e1c

SHA256
4b1ef876e1d4f2c9726b7b966222c336d0be026c588178ad40ab476be4d353ec

SHA512
ef095404247530ade966bae7d6920f0ff060852e3dfb545f4bbca384f88d0e2a4622b55e4b856ab63f6e6c56196a8ad1257711b53a2fcdd89962d1252b6c4e17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
31f5155eeaa8631c1c80614efb4e73cd

SHA1
aac054ba3a9bd71bb2644cc541aad11a5f119017

SHA256
7e0833f04bdc7ed7a88940d793f110d199368d7c2ca55eabb154de84a355d7cf

SHA512
94c43c4e59ae3745fee5157852c279110de2f89dd1562c47627ef960a70790db0b713155817ac7ac636e43f0218f73d35c915f9de61df019ba65c09730a21452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\68c948c6-3b19-4a15-8d29-4d9a47a53a04.tmp

Filesize
6KB

MD5
d75eeacfaddc094d87079be40d97b077

SHA1
da5d787274d92901c0b6084918fcc6181f381601

SHA256
bc46d0d7122c927d5ac10dad77bb248a24360cdf1195e86bef91554a65dea033

SHA512
1d1fd93f18014c2578b2904eb09132119cafce9f97e5e7f7f0c7e6dc8fa3e5ec23e9560b1a071f091aaed4bce4fd07de20ed868f5a0104016030da450814eb27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
69KB

MD5
24a806fccb1d271a0e884e1897f2c1bc

SHA1
11bde7bb9cc39a5ef1bcddfc526f3083c9f2298a

SHA256
e83f90413d723b682d15972abeaaa71b9cead9b0c25bf8aac88485d4be46fb85

SHA512
33255665affcba0a0ada9cf3712ee237c92433a09cda894d63dd1384349e2159d0fe06fa09cca616668ef8fcbb8d0a73ef381d30702c20aad95fc5e9396101ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
43KB

MD5
586bc8c3e55d0cda0c86100582258740

SHA1
11e3ecb7e608f91a0b0e7615c57ab85c479427bf

SHA256
3ea058ff6c4cc8fc825f4af3a604a153ca99bc40803d180378fc6bf7f9ae4ef8

SHA512
80fa128224de44d7a4c19bef633d80d32a2c598cbc736686f1799626bc93f0b3d43bd78367eeb5c5dc46130bfe220a5adc2ee6fbcd6ceea2a1ab4860a63b1904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
1.2MB

MD5
74c0a9aceda2547c4b5554c0425b17ba

SHA1
d5d2355e5919dcf704192787f4b2fbb63b649b0f

SHA256
3b9e3adb939801b9ada1ce67afc7decef4538c016c78113697b89a35a295dd8d

SHA512
e178dce4a59cf184bcca3523e687092f4edc2a3c7af4eddf1ca1965ca06347eadf8901f851260264c14fa052331b2d1aeef2a6b9048b87758617285c9650b479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
75d454f93c66334d6387e048b21b9267

SHA1
dab188d86053f76a9565e85711992a3ff0b1af48

SHA256
5acabe92d251959acfdcd21510d7abb52ffb1c7be8d4521aa02345e193c8012b

SHA512
d8ef6023d4bf3f37cd3a2b0488db1db0923a7073dd1fdb8b79741f5fb370108367142605e50cd587494c6097194af118a381c1ee0abf191a245d56a7551d7d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
30f454a9f832320c5c0ea0bd87055958

SHA1
a19ac15caa1d481efec7bdfc733edf8077d90e22

SHA256
b54049e9e8c4d1d4d2a61d9bfd236ee3f7ed47cb54b62a2fde33f69f09b021b3

SHA512
0efb43405cc1507bc6caf1a06894137266e157a16d4f5a6063da0cd073db5527d6149fd73209e92a5dba7c7fc4ee6bbd443d358991e7263f8e1adc45d3286347

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
d8813dc2c3def1c18dcd962d6add8b24

SHA1
56a97b73fe115008e5bcf028ca15907518bb1beb

SHA256
07f3ce3738ca6e8e65665d3ecc49be0db45dc9b734c469d875a93e5b97471dc1

SHA512
f2d7b31012ae0385e59be7d70bcce6734c31287e7ab6052d662757f3e45d73ee904f121e624673015b7740731c6338ec9d2aa3c1b603c94ded7719b1a5fa1b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
b668752ee390cab39dfc2ad585e4b67a

SHA1
c747db924c7fd196afbd8418f2503f25a4b62fc1

SHA256
00f4d6e44d8a1ed5b95ff78066c440931d194fa35350c252630ba84afde004bb

SHA512
d170b8982dc76e22c8fe8926e648e17e0f931c9e7f1252c1c81c5ee55d2a11c7762f968c380ef335ce35514d48af1cf266875e03e36b81364d372ede78912dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
9bb0c15754fe88f7d5b72bbd7c8aef03

SHA1
96d8d436606518ffa4fd24bf30d22165d0555df2

SHA256
5d8486bde5efc24794b92cd23bc026865769f40235722e945d2745813a57100e

SHA512
40a051c7b1dcc0fd75d05e2a81ff500d282c5ce104c8a501518c2c03b1bf62181e0c0cfe76426f05001841e17b13a43102795514eddf4725cf8dfea0a90769dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
317b69d03afac79d0039ec4b0f9568b3

SHA1
e2d48a386770ad2553b32958389fb2f3b680f162

SHA256
b9057c3e4dbfb9a82d5d23f14185ff10d42a48a201c58dead9e6a036773b70ed

SHA512
ee6f864228e82d71b9c9f51755c9d6adc49280f1b48ec62d19284cca61a3a8eed3e700d67d20ed3ad7eecd66131bbf029fb11b910ee1d378b3571f5e11ea58e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
9c2a0778aa7a5abc4e249a3397396d81

SHA1
ff53a3d01854b88924c3bed36823308c636a73a7

SHA256
43afffc59b988f406c6d6019b0e4376b06c43d91a6a34fa5bb52603eeb1f0f28

SHA512
cd62b842e1bca4c4e121940861f5e2e8c7ae4eda92b425d9678868835f66853c676dda9fe96a0c8bdd3449128a5ca691a7409e8054cf357575123f77324818b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
349d0ff8e3aec24a79fe61bfc7760599

SHA1
3c93d5f96db18cd0aaaaef06a0bbdb50d3f5ed74

SHA256
b012586e80db766d9c1286ae01380cc950ae87fde8781c46e30674cc4a30339d

SHA512
9483f717ceb70a8b05b7f823e2c5574e1667b425401b7e5436f935d2d5e981fd02cdb72462f503494261bd736c241b95572d5a80c82e9d7293098e8a5b669935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a782a183c47781a5f25d879ae5f1bd03

SHA1
fcc36720ed7cc445bc491600fbfbbbf6fcbe5205

SHA256
76b85c0d23ac5d6f55a39162c6d716d91280eff60306cfb689775eb5927faa21

SHA512
727a0b6c9c45f4d4d440a9d65cb56d79366581ccb9dc50b949057ea583fa707f553396a0d5a41116b91ed427c684bbda26aef29305353937fe7def205d74aef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
bf368bd54f99e792ff2978a3322de777

SHA1
141203c42e1034c573d4de4c783a002ac7f231cc

SHA256
a9da5a6d02853ee4a93e5a701ec98ba8449e70bcdee69319defe750f40fa7a7e

SHA512
35818849f7f24d155b892127082756dc6a2185335d51a48b06319277e33088659623fb4c3f9d3b22068d69c35b4ec28fa9e5db42afc9cd91386c35bdb9c22310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
93b865f00e20dfa9b2b283971148dd8b

SHA1
7f9eb35547e7d495b2268d992f48fb00ac13c117

SHA256
384fc49c3ee1056a257a1307a5bc620ebdc51787b87c5f8b40cf227bb6951f7f

SHA512
479d6df169bc115bc8f507f584cdd684bfb8c63c6653dc1117b2fac4f72416c813db0ad313f43accd240779acd51d2d203d908cea96f990431cd342d979056b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ababb1eaad87f4190d93db3b77be2728

SHA1
340825f74094ae69ca69fe25b611696b6a1398a6

SHA256
fbd12f17afc99c3face2cb3c4f71125653e01584d2963aeb6b637041bec4af8b

SHA512
40286ff750f06f0178a2318068502bb7e9482fd536edb04ed66a0958dfb846ffe521c06e81a354f861a00068362ca7ecad1e2798a5f2be9dca674b665941b5bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f702.TMP

Filesize
2KB

MD5
8308974d15ff75e58625aecb25bbb8c1

SHA1
b84e0e9610748d999feea5e35a6ccb5eea44434f

SHA256
dd279d6599d5c730ec37187f4102770a6c92d4e1d39b6c8169310e0dfeb4ad05

SHA512
5ea9d7b335d27a6e326a4a1464a537ad344f78b283d05c460a9e47c97724abf57308de1d51065fdf469fbd040c9cc9551907fae60061041848b6618f7cd719fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c79a1440dbfd588393a9e7f53b049dad

SHA1
c767aa9bede6bd66dc96d831d8c6a2e1f4324ab2

SHA256
da84ab26b2b0114b02a158a5b109637df55cf4b1a1e0e8ee2dda44a07bcdd604

SHA512
1af0d0d792b25cd72fde9e307d8307208ed7c67904afa93b99ca0d55d715c00ad19c10d96698ca3051c3ea32bdeb45513018ad83215f9f7010d0aefb99e60989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b05c8d10efec1d0723ffab69cfec26ed

SHA1
dec7f606697d70bbc0ad7f15fa1c0dd6e45b3ce0

SHA256
2502fbb52e6033218d3b21b86b36c5096948092841608583d98435aca1c238ba

SHA512
958a44b8939fbc8845c81d99cd478ac57db68c3872f9d4a525771cfaf982df494d247e20379111232ca6c6079f2915562a53ed445d300cdd37962c5b23da8cec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
780431679a3b040c76d2c0330594e3ac

SHA1
4eb151bbcbd0f3c06901273c338464dcc96dec3a

SHA256
335db1a201b222ab4b2eb6cab869b28cd6dd8c4b1a2c1d835d38b5a1986c0c82

SHA512
c878e8b463d3a5efd5cd67a4d52572c981c8e2bc821c21acc4a40bff0d6fc253b5d9193ef977ee26f757a65fdcf9bef7c9095b8fff14a1209dc6c70264e765e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ae7c61c4296d8848522435e31eb4610f

SHA1
2574ed6e143797904d18e3ca11d368cba90e663a

SHA256
a0cf6ce0a8a6a4e9f18c5c0a4b12f21d94d4fd91cf48ce9f0776fbb05983aa2d

SHA512
9e68f950e0ea568ccc6c031660e335558df932abf91715fdccb48ea16ee434228d20aa0ed34b26232aa6bfa3d512855e89fade415cb212ff9275c0cdf623e737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8eb751228018a77f260b885b72c6bba8

SHA1
118b6523cd3b94ff51734dbcd8d4be6ff1476ac3

SHA256
439d97e33976474995a3cdba187640d0d842a763edd799fdda8c24b96cc2c700

SHA512
f148aacdcfb1762b86dffa3e20ae8586efb2b23afbb7a253c64ac9aef94954b8db502a7c75074e007a68bff7eafe74ceb04c07b2fab1ec9652923b8f6f7e3f7b

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\Modules\Get.mfx

Filesize
340KB

MD5
c61fd0d847df328fd6f0a98e4f030f41

SHA1
c3d8c3493818c44723e1466b411a3b5e188d823f

SHA256
791e717345991c4bf183c6450667498a89b59c4e8a5abb52e2751fde63d3ad43

SHA512
72cb1345af5834cbc89c9244c935cd62ea7a9d19d34a39eb6d69c32bd10302c1c0a9c0573278e6424bee1f0a771ea46e7fb907c630742dcfc6bbb572b393970e

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\Modules\KcBoxA.mfx

Filesize
44KB

MD5
08ac00f4d05e68d8b5ab6870bf1f076e

SHA1
b8eb503bf860df5938df5cd59cea47392d129217

SHA256
1cae93696ec030be6317a338c3c8bc4274a53632c03ca60aab0bee59d361a380

SHA512
1da050749fb1e8f2917e550a86933b9f69cf4e972f1a166d0c24a2c9e1307fbad88aad36e7f1082d481c116f36e8e2b3327d630c136f02f6f465835fbd76db2e

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\Modules\KcBoxB.mfx

Filesize
40KB

MD5
86d2b0df60742ad2678a9b6f8683ea7b

SHA1
9c37306d8f55f4be975dc9c35e2346e5a7916ff9

SHA256
7f129f2a2305fbd396661ef2910ab48346d589f20ebc7eb85249ecce80d307af

SHA512
9d8d5e1583d5d6eb88be7a58bd2ec5676b3ca34c71931d0a6a755333be231f810765f8b9b8725c53360dfe0da863b97aac262740c159e6374326a723f36632f2

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\Modules\KcButton.mfx

Filesize
40KB

MD5
b848bbf535366b6053f7bc8ab87fc5e0

SHA1
19d8a51062201531ff58c898925e53490c22213e

SHA256
94cea0df9febe19fc2e1a905bd7df0bdab63797a42a7006f14bc8838003e5a45

SHA512
cc6df5fb9ef537a255faefb890ffd07556bffec5abd6a914afeb004b77dede2db21dce1179a36b8641e7150e8c466345a58288835722639c1fbb7e5665122543

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\Modules\PopupMenu.mfx

Filesize
28KB

MD5
8e72d5048207379fd8096a03adca1f5e

SHA1
ebc29b69fca4ba0e362776fc0a1eb77693941e57

SHA256
ab2b5ad61b63a0f275c3531e88e903f9ea0c7b648136d59ae73b9a6229d44b5d

SHA512
3da95f1fe9c48a6399ee6ebdb3d3a26c7801eb53ff0ef2983912c7f85de0d5606fbfb4ad57875ae8a4fc27aafee61c9b832801b5c6e15be78cc9ff2be19d0acc

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\Modules\kccombo.mfx

Filesize
32KB

MD5
d65a417eab8450e73f92585214df6621

SHA1
e82d9d88f9f27152f88ab9c46be91f42057ab4e4

SHA256
046d8726045276064396972fa12421d7d83b7d665d23d118e04a9e94bdcd1c49

SHA512
707f22dd54ae34bf2915e2eaac8f35331fa3e6d55b133a9b503cabf0c3edf2a6ba8586cc33cbb95eb27e79c836e17f9c3bf2525b8ffb284938ec7bf9cad9b14a

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\Modules\kcedit.mfx

Filesize
32KB

MD5
b00898b2cf3f8bfc98d782fba8b5c72b

SHA1
4851163436946fd145048104bd1a47d34840fc3d

SHA256
48bb645990f1a703a1e9fdad3c765824db23c8f5e25b388c82dd25cb83fe31d0

SHA512
0ed0c44e3f0f147655ebf0b1a2627c7eff895342a09c0410405b9b8c5dfa9c1da588731873ec2c03259a89a58b9c4c7cbd5119c5e4952e8d024aaef36e7b6626

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\Modules\kcini.mfx

Filesize
114KB

MD5
7c0cb7fdc0d3519520cd4b8137edbd80

SHA1
bd4eddd8316a51baf4a3ae68b56acfbba734f46c

SHA256
d1471b2685d45956c323baa2cab11dfe479eb1021f04e2949f03557527c5fc84

SHA512
601c16892bef77d5842e0778f27d4f82e19ae66333b2b75c9a34b3ba6441169946e1167ceb21ed270bddba305abfe50f2e8f8ab2e9dc410c96a31944e597034a

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\Modules\kcinput.mfx

Filesize
11KB

MD5
a9a43b0c7db4d5853a235f5cdeb3e6d2

SHA1
7578c57007f21b21203bad8d7e5c67f980d4872d

SHA256
63348ec89cf004c64688fadeb78e0a697cfdcac1cd8c599c66a2a5aacb8407a0

SHA512
25e48926bf433f262abc92be5788b4dd8b8e87ad2a8fb23be6b219e01a1ba69cabba6dcd80a8a9fc746f303be4411b6f8d2097da7b208e2c3b12c0b9bd5ceecc

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\Modules\kclist.mfx

Filesize
32KB

MD5
de7d289ea419cc82784cefc87e652c70

SHA1
9035cf539cd9d3c14fdda73eb2c23452750cfade

SHA256
c83bcec56f1666d6871e077cc54d0ee7f6462773c03afbb301b9180a4ad0a31a

SHA512
f02d5aa3822218517d3c6f9114f0fb90c37ed7281ab09f3a868f251e2975d6da10bd1616a9e13eab0e1f138f2bd2e7953686d3cf7e18e2a67b1bba9fbd762ea0

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\Modules\kcriched.mfx

Filesize
52KB

MD5
d162868d7be1a7128e04f847f3b8c542

SHA1
2c4f036ee14885fc96804fd9f8dac68f9068dbbf

SHA256
274a7d1e89514f3c9809ac0baa5faeb31820340d7e032479ecd3e6183ad79887

SHA512
d17c57266a61da4f4864cb110d76cf71e86fb182a18cc5e250f40ad3e7feed39ca0690c637a3d4db45a68148bfa7ff2426fc9337f1764372ab67c97fb2c901d1

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\Modules\kcwctrl.mfx

Filesize
79KB

MD5
2c34e977f898ab60eddb72075c4be223

SHA1
adf883dd06e5ae340a03e6c22a56a4c0caf909ea

SHA256
a0ada42e3a4760097c1c2f98905f12b19de47159543aa21e1c604dbcac7337f2

SHA512
73402857d09e5a0e8049bb7adf3bbfdfc9ac65966217751cbf6db2bf532aa3f92ffc3a1a5dcda638e83d6ede29ebe6e760cbad74d27aa6fa006c9296607d3c37

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\Modules\mmfs2.dll

Filesize
509KB

MD5
39bcad44f5c4f47c379997e04d157a0e

SHA1
1d415a2f42573a602e55a2b17e69fcba14f8e03a

SHA256
ea16323475542091c59a4c18b1719c33c5995ec31404feab9570d49c5b244a87

SHA512
86743cd0ecb82d2796b6e6f9a5cdc2181df06b8823cfc1216ad747d9346cc30775934da74a7342f49149b53608ae9d1b5097036cf90c82f39fe642fa2ad70813

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\WorkshopDL.dat

Filesize
68KB

MD5
a2dc21f0289c96cd66cd403943d7d1c5

SHA1
1041338ab5de960c734a69f4d28e43a2c175f324

SHA256
cd3bb7e29bb591332ff46c1fa422b2fb6ba4d65beb5c1003c3e6bcad3e7744ac

SHA512
a8c2279c6101d48949b99a89e497a0ecdd598fa4985063a85d536e8b2f43374c8029b6b6f49369346c11bf20232aea9bb0930d0831b94e17052c94ea44775d12

Download Submit
C:\Users\Admin\Downloads\WorkshopDL\WorkshopDL.exe

Filesize
936KB

MD5
7b3f1ee86a278c5f40fc0a60269187cc

SHA1
18887546e56c3ef156b2be69c10acf6a1674a63c

SHA256
4205608f54a9dd0139d18e8c0403ff42a0947d347ad56ddeff5ee4d7a948c6e2

SHA512
3c8017db205bf4b7b99a90d356c0543b18b7c1778e18cb1ce230aa5bd95df8bad29800e3e7f19bc9bd7eecea223b9d2787d580e3dcf482980b342326168e215f

Download Submit
memory/5152-1450-0x0000000003190000-0x00000000031AD000-memory.dmp

Filesize
116KB

Download
memory/5152-1452-0x0000000003200000-0x000000000321D000-memory.dmp

Filesize
116KB

Download
memory/5152-1446-0x0000000003110000-0x0000000003169000-memory.dmp

Filesize
356KB

Download