hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

max time kernel
635s
max time network
629s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
13-08-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

8^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\status = "present"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winlogon = "C:\\heap41a\\svchost.exe C:\\heap41a\\std.txt"	svchost.exe

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
2060	Mantas.exe
3004	Heap41A.exe
440	svchost.exe
1596	svchost.exe
3252	svchost.exe
3920	svchost.exe
2508	Netres.a.exe
2860	Nople.exe
932	AdwereCleaner.exe
5012	6AdwCleaner.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002ac83-702.dat	upx
behavioral1/memory/2060-798-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2060-2317-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x000100000002ad0c-2390.dat	upx
behavioral1/memory/440-2398-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/1596-2418-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/440-2420-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2423-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/1596-2426-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2447-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2448-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2449-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2450-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2451-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2458-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2459-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2491-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2492-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2518-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2519-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2538-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2539-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2553-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2554-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2561-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2562-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2574-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2575-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2585-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2586-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2587-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2588-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2589-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2590-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2591-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2592-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2593-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2594-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2595-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2596-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2597-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2598-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2599-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2600-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2601-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2602-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2603-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2604-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2605-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2606-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2607-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2608-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2609-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2610-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2611-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2612-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2616-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2617-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2648-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2649-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2694-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2695-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3252-2733-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3920-2734-0x0000000000400000-0x0000000000486000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto"	6AdwCleaner.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\h:	svchost.exe
File opened (read-only)	\??\m:	svchost.exe
File opened (read-only)	\??\s:	svchost.exe
File opened (read-only)	\??\t:	svchost.exe
File opened (read-only)	\??\v:	svchost.exe
File opened (read-only)	\??\z:	svchost.exe
File opened (read-only)	\??\j:	svchost.exe
File opened (read-only)	\??\p:	svchost.exe
File opened (read-only)	\??\y:	svchost.exe
File opened (read-only)	\??\i:	svchost.exe
File opened (read-only)	\??\w:	svchost.exe
File opened (read-only)	\??\e:	svchost.exe
File opened (read-only)	\??\g:	svchost.exe
File opened (read-only)	\??\k:	svchost.exe
File opened (read-only)	\??\l:	svchost.exe
File opened (read-only)	\??\n:	svchost.exe
File opened (read-only)	\??\o:	svchost.exe
File opened (read-only)	\??\q:	svchost.exe
File opened (read-only)	\??\r:	svchost.exe
File opened (read-only)	\??\u:	svchost.exe
File opened (read-only)	\??\x:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
59	raw.githubusercontent.com

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\heap41a\offspring\autorun.inf	svchost.exe
File opened for modification	C:\heap41a\Offspring\autorun.inf	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winmants.exe:SmartScreen:$DATA	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\KazaaLite\My shared folders\Grokster.exe	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\Visual Studio Net Serial.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\crack.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\cdcrack.exe	Mantas.exe
File created	C:\Program Files\grokster\my grokster\epsxe.exe	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\Gamecube Emulator.exe	Mantas.exe
File opened for modification	C:\Program Files\gnucleus\downloads\cum.jpg	Mantas.exe
File created	C:\Program Files\gnucleus\downloads\patch.exe	Mantas.exe
File opened for modification	C:\Program Files\limewire\shared\bondage.jpg	Mantas.exe
File created	C:\Program Files\limewire\shared\1000 Games.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\secret.exe	Mantas.exe
File created	C:\Program Files\icq\shared files\No CD Crack.exe	Mantas.exe
File created	C:\Program Files\icq\shared files\StarCraft No CD Crack.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\password dumper.exe	Mantas.exe
File created	C:\Program Files\icq\shared files\Nero.Burning.Rom.Install-halo.exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\Warcraft III NoCD Crack.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\Kazaa 2.05 beta .exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\ftp.exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\Emulator.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\Winamp3-Full.exe	Mantas.exe
File created	C:\Program Files\morpheus\my shared folder\Doom-Install.exe	Mantas.exe
File created	C:\Program Files\grokster\my grokster\Spybot - Search & Destroy .exe	Mantas.exe
File opened for modification	C:\Program Files\KazaaLite\My shared folder\sweet.jpg	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folders\Wolfenstein.exe	Mantas.exe
File opened for modification	C:\Program Files\grokster\my grokster\blowjob.jpg	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folders\zsnes.exe	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\kazaalite.exe	Mantas.exe
File created	C:\Program Files\gnucleus\downloads\WS_FTP LE (32-bit) .exe	Mantas.exe
File created	C:\Program Files\gnucleus\downloads\Microsoft Windows 2003 Serial.txt .exe	Mantas.exe
File created	C:\Program Files\icq\shared files\Microsoft Windows 2003 Serial.txt .exe	Mantas.exe
File created	C:\Program Files\limewire\shared\ICQ Lite .exe	Mantas.exe
File created	C:\Program Files\grokster\my grokster\install.exe	Mantas.exe
File created	C:\Program Files\grokster\my grokster\Emulator.exe	Mantas.exe
File opened for modification	C:\Program Files\Kazaa\My shared folder\two teens fucking.jpg	Mantas.exe
File created	C:\Program Files\limewire\shared\setup.exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\command.com	Mantas.exe
File opened for modification	C:\Program Files\edonkey2000\incoming\mantas.jpg	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\ZoneAlarm Full Version.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folders\Direct DVD Copier.exe	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\Microsoft Patch.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\lesbian.scr	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\quake3.exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\ICQ Lite .exe	Mantas.exe
File created	C:\Program Files\icq\shared files\command.com	Mantas.exe
File created	C:\Program Files\limewire\shared\PerAntivirus Crack.exe	Mantas.exe
File created	C:\Program Files\morpheus\my shared folder\gba-renamer.exe	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\mp3.exe	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\PS2 emulator	Mantas.exe
File created	C:\Program Files\icq\shared files\Alcohol120-Install.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\mp3.exe	Mantas.exe
File created	C:\Program Files\morpheus\my shared folder\cdkey.exe	Mantas.exe
File created	C:\Program Files\morpheus\my shared folder\KazaaUpdate.exe	Mantas.exe
File created	C:\Program Files\morpheus\my shared folder\command.com	Mantas.exe
File created	C:\Program Files\morpheus\my shared folder\zsnes.exe	Mantas.exe
File opened for modification	C:\Program Files\Kazaa\My shared folder\sweet.jpg	Mantas.exe
File created	C:\Program Files\limewire\shared\DVD Ripper.exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\patch.exe	Mantas.exe
File opened for modification	C:\Program Files\icq\shared files\cumshot.jpg	Mantas.exe
File created	C:\Program Files\limewire\shared\Brittney Spears.scr	Mantas.exe
File created	C:\Program Files\grokster\my grokster\Norton Antivirus Crack.exe	Mantas.exe
File opened for modification	C:\Program Files\icq\shared files\sweet.jpg	Mantas.exe
File created	C:\Program Files\limewire\shared\SnagIt .exe	Mantas.exe
File opened for modification	C:\Program Files\morpheus\my shared folder\child porn.jpg	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folders\rap.exe	Mantas.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Netres.a.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Nople.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AdwereCleaner.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Mantas.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Heap41A.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nople.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdwereCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Netres.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heap41A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000900000002ad24-2866.dat	nsis_installer_1
behavioral1/files/0x000900000002ad24-2866.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{0459D8E4-A1B6-4EEA-B05B-2C0819F58AFB}	msedge.exe

NTFS ADS 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Heap41A.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\Documents\quake3.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\roms\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Gamecube.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\keygen.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\password.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\iMesh .exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Direct DVD Copier.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\secret.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Xeon XBOX Emulator.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\StarCraft No CD Crack.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Winamp3-Full.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\cdkey.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Winamp3-Full.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\ICQ Lite .exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Nero.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\winamp.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\ftp.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\XBOX.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Morpheus .exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\iMesh .exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\setup.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\DivX.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\ZoneAlarm Full Version.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\command.com\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Doom-Install.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\GTA3 nocd crack.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\XBOX.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Gamecube Emulator.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Legend of Zelda.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Doom-Install.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Ad-aware .exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Alcohol120-Install.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\winamp.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\PS2 emulator\:SmartScreen:$DATA	Mantas.exe
File opened for modification	C:\Users\Admin\Downloads\README.md:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\Documents\rap.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Microsoft Patch.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Ad-aware .exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\ZoneAlarm Full Version.exe\:SmartScreen:$DATA	Mantas.exe
File opened for modification	C:\Users\Admin\Downloads\Mantas.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\Documents\rap.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Kazaa Media Desktop .exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Registry Mechanic.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Spybot - Search & Destroy .exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\patch.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\nocd crack.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Winrar.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\PerAntivirus Crack.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Windows XP Service Pack Cracked.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\serial.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Emulator.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\rom.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\patch.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Nero.Burning.Rom.Install-halo.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Trillian .exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Spybot - Search & Destroy .exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\serial.exe\:SmartScreen:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\roms\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\mp3.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\Brittney Spears.scr\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\kazaalite.exe\:Zone.Identifier:$DATA	Mantas.exe
File created	C:\Users\Admin\Documents\ftp.exe\:SmartScreen:$DATA	Mantas.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4024	msedge.exe
4024	msedge.exe
3052	msedge.exe
3052	msedge.exe
3512	identity_helper.exe
3512	identity_helper.exe
1536	msedge.exe
1536	msedge.exe
3328	msedge.exe
3328	msedge.exe
3328	msedge.exe
3328	msedge.exe
1600	msedge.exe
1600	msedge.exe
1012	msedge.exe
1012	msedge.exe
5116	msedge.exe
5116	msedge.exe
1972	msedge.exe
1972	msedge.exe
4404	msedge.exe
4404	msedge.exe
3240	msedge.exe
3240	msedge.exe
3076	msedge.exe
3076	msedge.exe
964	msedge.exe
964	msedge.exe
2676	msedge.exe
2676	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3252	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	6AdwCleaner.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4500	MiniSearchHost.exe
5012	6AdwCleaner.exe
5012	6AdwCleaner.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4024 wrote to memory of 4204	4024	msedge.exe	81
PID 4024 wrote to memory of 4204	4024	msedge.exe	81
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 1312	4024	msedge.exe	83
PID 4024 wrote to memory of 4704	4024	msedge.exe	84
PID 4024 wrote to memory of 4704	4024	msedge.exe	84
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85
PID 4024 wrote to memory of 3908	4024	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff3e4f3cb8,0x7fff3e4f3cc8,0x7fff3e4f3cd8
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6684 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4868 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1052 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1600
- C:\Users\Admin\Downloads\Mantas.exe
  "C:\Users\Admin\Downloads\Mantas.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6356 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Users\Admin\Downloads\Heap41A.exe
  "C:\Users\Admin\Downloads\Heap41A.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe" MicrosoftPowerPoint\install.txt
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    PID:440
  - - C:\heap41a\svchost.exe
      C:\heap41a\svchost.exe C:\heap41a\std.txt
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1596
    - - C:\heap41a\svchost.exe
        
        C:\heap41a\svchost.exe C:\heap41a\script1.txt
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3252
    - - C:\heap41a\svchost.exe
        
        C:\heap41a\svchost.exe C:\heap41a\reproduce.txt
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6948 /prefetch:8
  2⤵
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6980 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6736 /prefetch:8
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6732 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Suspicious behavior: EnumeratesProcesses
  PID:3240
- C:\Users\Admin\Downloads\Netres.a.exe
  "C:\Users\Admin\Downloads\Netres.a.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7056 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6524 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Users\Admin\Downloads\Nople.exe
  "C:\Users\Admin\Downloads\Nople.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6508 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7156 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Users\Admin\Downloads\AdwereCleaner.exe
  "C:\Users\Admin\Downloads\AdwereCleaner.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:932
- - C:\Users\Admin\AppData\Local\6AdwCleaner.exe
    "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,1459227010795092172,1689869651078322607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
  2⤵
  PID:1292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2408

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\6AdwCleaner.exe

Filesize
168KB

MD5
87e4959fefec297ebbf42de79b5c88f6

SHA1
eba50d6b266b527025cd624003799bdda9a6bc86

SHA256
4f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61

SHA512
232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\57540091-2b76-40d1-a72f-bdf22f949f56.tmp

Filesize
1KB

MD5
1c8a8c4729e43ee46850e47f8473cfcf

SHA1
6908602e355b0632a5a458c6bde5500a15ec6904

SHA256
5da767d82435cb979ba47a56439b27c7dd24442c89fc15429a7e07543f8bb7b0

SHA512
cb00cab009e280bac59c0668b024d142a1eb04794c1cd82362b59d2dbd061b611fb28c68cefca565d846dab48e4b1e4a28b55faafde1533ceca4b255507828ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
67KB

MD5
a074f116c725add93a8a828fbdbbd56c

SHA1
88ca00a085140baeae0fd3072635afe3f841d88f

SHA256
4cdcda7d8363be5bc824064259780779e7c046d56399c8a191106f55ce2ed8a6

SHA512
43ed55cda35bde93fc93c408908ab126e512c45611a994d7f4e5c85d4f2d90d573066082cb7b8dffce6a24a1f96cd534586646719b214ac7874132163faa5f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
41KB

MD5
a7ee007fb008c17e73216d0d69e254e8

SHA1
160d970e6a8271b0907c50268146a28b5918c05e

SHA256
414024b478738b35312a098bc7f911300b14396d34718f78886b5942d9afe346

SHA512
669bec67d3fc1932a921dd683e6acfdf462b9063e1726770bae8740d83503a799c2e30030f2aca7ec96df0bfd6d8b7f999f8296ee156533302161eb7c9747602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
1.2MB

MD5
9f8f80ca4d9435d66dd761fbb0753642

SHA1
5f187d02303fd9044b9e7c74e0c02fe8e6a646b7

SHA256
ab481b8b19b3336deda1b9ad4680cce4958152c9f9daa60c7bd8eb6786887359

SHA512
9c0de8e5bf16f096bf781189d813eeb52c3c8ec73fc791de10a8781e9942de06ed30ff5021ab7385c98686330049e3e610adc3e484e12ef807eec58607cfae63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a2a21daf23aaae3fd6262c89837fe596

SHA1
1cbc47287b1cd99f69724d84c8eb6ee95e03d794

SHA256
3a0ec3abc64814b12f2c235a8f82f74dadef67e3e091e8ebed5c94034d0790a2

SHA512
7e074bbe7dad32fb61868d25dabfac9cf06eaa69674a8dffa0a9870eb41f30855178ff1657aaa4a608a1d6d8f5534854622bf3600307ac26ac5761e50d777d37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0e9e08aab18d3d56ff99c8bb7ac5cba0

SHA1
56b6031859d222b4bdc1a3344f30a1de28e105bb

SHA256
8a79af9b18123601b9c2aed88b9a2729652c24d9ba864b5741c20e31d10a2589

SHA512
953086bc8b7612c98f3f2cfc8d2d85a99843dd4ac5ddb075ea838d8f8ab63019a349c2872008e1687ce63c61adf513acfdf8e4f5a13eeadf3597e3319baec94e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a3a8466b229e494fd5fa914a1b3be378

SHA1
d127dc31eb8a3f51758e9f5839e3f9392888a536

SHA256
5f6a5a8b65d4610178e53fb44cb28d50a378c366dc515783fd160bc2a45ee3f5

SHA512
33d62f64cbcf34efd1f1afe12ff9be40083f1041f89f2135921ed98481581ac4e8adf298e55dd877917ca71dadf66943be78dd0776715d3aae9987351b28ccdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
796B

MD5
5e656d4ad5fcef09cd5e907c26a7979f

SHA1
5caa625be77d7fbb95a8fc91375f540e87c2ec1e

SHA256
e7c8b2b8cdc32308df3cf387536e64b89be1699663d28e367cb9aa2db956f75b

SHA512
918aa7332c18795aef8fbba4f6920d51f1edb7393018bd9225423a2705ab563663e2862747e2eafc49c8f91144aeeb1f3f87eaee7240c54e1e4c89d32214326c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c1ef9812689db5168bcfc280a811b34f

SHA1
5b6c2a3b32ed257675fcf24cc828410af334f04d

SHA256
8f3c81491ed1218fe10571a7b1008d0bb070ef35baabf124d21034460ca24e95

SHA512
217281025719a140038588d161d3a9a1aedd24e52b207853dcd2a6bffb868567340835dbd218cca6c856229678281ce855312755daeda03daae858f77ceba938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8414bed54c09dec190056c97d0de8e00

SHA1
64084f7a41182b97d11c59ddcc5e1330f07dc82a

SHA256
dafc841f042e58a853992730cc39bf1216f15826d4e6ff3c103b0af105726e8a

SHA512
fe00277c774a1831885a464546b4238c83c45f06ee31a90ee3638b23018f4f972266f0353725f7b01c7452adfc0090a1e8f06de492b13a3f3c95f72b42ce3dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f861649bf2f2459ddc82d7345fc8fbc6

SHA1
057c9a0a0b9f6cda0900e246a14827d987a54db2

SHA256
e77a5c128f0b023e588d0a0e364f75d01080b5a7f58b536107c76f26e15887d3

SHA512
453183d83fd806d52af948ac0ac110d278c5e79bfc81749ad2cc41cccb693b69a68c17f86a5a7a711b0131f16a504158bb0abee641c52e35356d08a44b18c971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
23794cdccb50cd6f7bac7d0bf67aee1b

SHA1
cb86e838633e297aa225e60dafc8bd087471b129

SHA256
c6ff2acafc1bcaa8a5fd0a93d9b363fb2a5cd86256eedaa96d5e35ab7dc4fe3c

SHA512
4b6c43d90091f4937a603d99529d6ccfc86b6ba29d6dab5827f4029ce3bf659f01a68ae288af121dde64e959a1186a450318517fea147f25f0bb9d16ae2c3820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e21cd753749d248e0b455a431920f092

SHA1
f7770fa90e3c72c1507c4acbcb0db45c53f9d70b

SHA256
024ea8f7f176a5326f02e1d5c700d5833e95a140c9805c331a02d3e1aaa4e683

SHA512
672d5eb58f1893fcd48daae1c1abf7a36d14d1803fe094a160d6dafaaf9a547a32b7c2250e13566b4018871b20aa59bb2f2025cb913d514f14da56febf2f9f84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de3e136d21df36d938cd5df24f9c3e3b

SHA1
07735a52a70d7a8ff35a79379828748d99a21509

SHA256
6aa552f7fae6de230ddcab9b28609454e2aede7f610f3c06be3c1fbe40d9791f

SHA512
675b6fdbab85815ff67c5abc705abf37c695a3a9f76ad75dc452675caa405b405fdde609010a404330c36413dc42ef56312e0c8dfa76f7efa08ba66552dd4bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2d37beee7deb86ecb4264a3350e5a30e

SHA1
29aed8d5e6a25826c98ba0b85a10fd5fe5df4dc7

SHA256
aa5cb9fa80896d37817aae1e41fdaf3207bd0f6d08a1cabc7e0ce60ada7ea677

SHA512
4c3ca1f14522d996a8510b5fd1c6f5d4443bc9d57ae7464aedb1a4dc965db827e20b67340193ad8e46c9542353ab18c89692cfdfd9ac2c4fd3513181a2dd81a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
17791cff77c13b4c86a6fdab6f8b366b

SHA1
8fd358fdff3708343f6bc342818cc1d0709d784f

SHA256
fc4074e8cdb6ed5bc78ebbc733f02ae3e9cc1fa72a880c48545c9f22506b1b26

SHA512
30a8bf5142568f61cf3dbab19575d061d8d09c093d80205ccad4db332244aab5535093c8c65cbf24f2b56e2e84f36609c8e92f5b59dff60ebdaaae706beb6f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa8a0ca2b0e20e60ba325ad6df220a04

SHA1
70189e60d4918dfa499e8d0df89cde10749c0a4c

SHA256
2b785a2a5509386ba1a19ec316b15aaa6ead5dd5220be125267aa6f40446be2d

SHA512
9014e5e10134e5e4510724215e8b64f82f0eb089022bf04f43baad2a7727ecf424964d33575c4c9e79b4bcb994cbe27dbf61df9284456a15401282700af7bb10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
407cff52db4840a27e8f1ef8aa1acc82

SHA1
d28bc57414333375e4e7b040d519dec10adea49f

SHA256
b5e0f3f3805e57b0218978ea016388ac8171e710b8960d180a969e4c2a6da906

SHA512
7bd6c57666ba4c178cb88ab9000f07327e1e4849e0afa6491f2ff66499ebc1b6b63546778436309e52cf1bd6991d6d19b48e92bc9b73f6a83f6e5d79fc9a99db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
8070adcaf9632028662187fdc389bf1f

SHA1
3e79300f3d2adbb6cfd009dee163072309b36109

SHA256
977096cb01924e976da25bbcefa5617b7fc23544480c6085c946bffcf905e8b6

SHA512
65e0f86c82783bf5df5018acb9b70179f7754f598443537d887b5b55c540d1b09dffe09d61163240c29c6d63541338903bb82d5069d5cf57b5de713a478893fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
94736297bbdf1f931b781975c4102dbf

SHA1
7944d29cb8fd48e4ca65ec14ed6c5b6ac42f1ecb

SHA256
b5753f78cd4c478f33bbca3e4f370ffbf5695919a938f0d1a5df23356ce8e002

SHA512
52e45c6643788552c0e95537dd49a7a4fbc97a8e3870fcc10a3a968378629cfa6fd410b86d3cac0c035774d4c738166a20dd60d0a9951a8869cb32ff74ac4f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ea9a69f64492c528408dbb630585ae31

SHA1
824d7bd85d1397dbb7e0cde4dafec52c154462f1

SHA256
b04ce84e258aa8e91b1dd4c1cd0326efd80175beec8dba5d0ffcbcb38182d45d

SHA512
204c587770999c10485b2e527a298bc98fc2cfb502cc60bb989c4c6dcab1af65ebf2f5175d21fb50774b8acccc728c420df14c332f287cb5000c6403268bfe11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ea6d95658b6e75aa5eb67d75a5db2065

SHA1
9c9f23ff0b76ce5d9fb4fbb18ac09401c6c784b6

SHA256
d97d42e4f8c1b137d7b4936a44665efab234dfe133568c6743eab4badf91f6e4

SHA512
e943d73fa35e5d9d90856af6d08bbd5257f67faace884c58809f7d9ba51d979969d6ec428d0b77f2e26208dba398eb359ea9dc1cf90837902d669ed302eda747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
047ef8ba978fbf96382c35a1ccaf56ea

SHA1
edb658e1130fe26641e99f343ce64c6c29e6170e

SHA256
79c3aef19c743b929affce224500d6394c7b71fbf9e632edf1cdf85ab7155314

SHA512
d7d46882ac2d3a9abd838b202faef493c645c6b228af84ab2cb201dda119525fcaeb7a8d5be5e99d8bada16f99bf2c9f8461471e6dbea2f755188ae599105ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
98a0a1aa0c580430ebdf7a8f1c8cced8

SHA1
2130ca3be1c5f7a593f8eb45a9f80bad29238061

SHA256
ce7478be664db9ad6f8f66b33dd0a502e5105a3457a20ba35ee8d3a4e733a8f7

SHA512
a327e41945e90dbd9d456c98e0d9a2c3f3ad783e50d91194d6879e938fa408e9d144849d2c46d902516fdd899939dafc31b7c700b3dbff9e07284904a57cbfdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
32639dc59010381c22f81623e6fab05b

SHA1
2ab902a54d480dfa0106d5bd4e67602bde51fa0a

SHA256
2f810ba8b4f4d186fa7d4ae50597ebe4f807ae9f3da85d86e02069097c6d424f

SHA512
9cf757824e880fb79c838e4ef807835535e19f42114013be1ca74d0d874e9112d6fe93f43f0aea409a24a7b673f0278fecea966d8c3e006a7c117e6fc171a1cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a09495256726864eb4d7e14232d02f7b

SHA1
7a1a0896efafa5e0818f3c438ae39ed9368695b8

SHA256
c326b0b6cee8e4740b4a9bcaedbc1b73ed03838e03c2810c15ce3a66e48d770a

SHA512
373f9c3dd6c1f5989677f5b82b463c2974384aea1f898b80db208be287a59003c4de24d300755686d187ac77aa0b9c59d1f0c0b60285457acfd81c0d262402ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8c1edda4b70965d5c015f32f4307bdfd

SHA1
82a5333c03020a958316955809f5c2e269d02d47

SHA256
74982bacc31818d4d19d5d719c0a7ed8b17422c7bd3ca47dc8d2e44358486dce

SHA512
d261c7cb9810fa25e95c838c10e2f52cd23e3a84e10eb5d92a061aaebae81a413237cf848c8bcf0cf2261af118ca2519ef29b64c49912d5028080ea70e4e48eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7f6d583670327a4cd6422f24333c564f

SHA1
c41b6f47eb779f223cefb628a78fc72868291e5f

SHA256
1393c22c0717b26b8c06ddaa8ed4f9bf56f8e8f12e605184f186e4f761664594

SHA512
2a2b46b49012ea1d3684dc8ccc90e7846eee6cda96c3653bd71d74b05f8b3b12d7703046f260251f2f9dad852d0ab8139bd4bd9f3ab97e6d8b3f6723aac4ac07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d3fff6dc0462abee42fc58779822e7e9

SHA1
0d5e7c2fac73cfd7b31e6a9d8cfe4b0af3359be4

SHA256
f6f718452d5caa06ffd2ca0420e53fa8e2197f49ab750cf037abd022eca857ef

SHA512
92e925e469ae41b440bbc5759ac135c98deda772920fc89986ddf50bec99d26afec2a03c5340543f2f15a6426239b27751fb0485dec15a1a080355f9db82443f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dbd02023f9686c4ac7ec2f3c8c8b34f2

SHA1
198ddf414e11416f51c1294c2271af91a6485b86

SHA256
c03abb7c561dfd1012366a494168d50b8a1b94bccb319a0698e3868b58ff6d25

SHA512
29709f05c88345e92a0e9a816dd1b145ba57e7792f00eb0bedac2dc6f49365cad36c88bdb720199dab8f7db78b22f4bef7a26ac56fc786f71566c4e8daa5b8c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
68823c2ad5b902a6bd597e3891c841ae

SHA1
6d2e1092f3ec7b383cab4562f73f092357222bc3

SHA256
bae37ede5545bc3deefb9bc256bf2976ed2617dcbdb2cd401aede93232ae7926

SHA512
9378703ab3d54d7ff07412015472be5c1970fca757b02e5a22baacd75afc6d07b8d0568aee2859d0004240536a0e0bb3276e2d27f8e3c942d5a53f12d2bcd649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f126.TMP

Filesize
874B

MD5
8e00acd5f5c18d793003febc7db39322

SHA1
be774695948d1db9b374cb262ab93b095de38647

SHA256
9b6c78c52c46e892b0eb3d1fd933ab3d4758c2c8b0784135a845a9bed760c998

SHA512
7b84ba57c029439fa6c84c4380aaf3195b01937bfebabcffd941465c8e315139e9363c74c8b1dc1db100df7cf491508b82fd0f194a25cd5d78ec08a3188c8eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b874c78ff1cd19ac192b544584e5b9e7

SHA1
465229df2257535f87cb083175ae08af2b7ec046

SHA256
59334f8aad878c6a61f3ba8f57f39ac1cf8c6754be204988d7ed96d416cfcb4e

SHA512
ac8504f171d9984af0daec672aefd709eb18892e176499e02156636aa5a597604413effa54c19d6f78b8d757e623985e9eb6ec3e8c4204d5914333ed8f899898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5adf1607640bbe90014846d76f20e92e

SHA1
44da9362e5efb3c62747f7c2522c1fdf72e45116

SHA256
c30776d7a1d25b68054e4ffee7ca110b784584b7e77accb59134919ecadda257

SHA512
95a03b509ebcd0ef529ca1d387ae80f1d05755cea825072667ffda2210897f57026761fe81a8c5f85153051901621d9bb0693ce8d396ab7484148cd88396c8e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ceddf265798347d54f40b03c88dd65af

SHA1
3438925163a1218bc28133c9d477983cc035b0dc

SHA256
e3a85881e0a3ddbd2e6dc801ea270a9f41a3dab654a88b08ff39973067fdaf42

SHA512
65775781b35c6997025b3ae79c6079579a5ced27afebcceb7df5a730a96ac0721bc1fc7c1343d426f7d6d8467f21fd9b338dfbb08b04959d31ace083d60f0523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6260fbc16355e710e567835b3bcf7653

SHA1
d43dcb5a1ecfa8951e48080f9531ac043e412f9e

SHA256
2cf8865b3c35b7893f8c2ff26f9a68843465b23fea7a57a2a211aed92d558fa5

SHA512
f1ca89d82dd98a74c123956bcfc4a4ff0e5d7a80b1c4825f3b118a83bb26a5f0c10ee07e251e79b0c6fc37a45a98e062fa7f81e66fe1e8bbd569a2f3a70bb377

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
cd6829f53a60318a54648f4ff9d694c2

SHA1
eda672c23f219a9cdbe740079412f5fbe04a157d

SHA256
5410184dfd5ef071de14c78cc7e9488049a85e313a3454250d53e974251ac906

SHA512
25a54ac013419868211b704a9b1f4cbc7c0a5b1a0e10cec09cd8eee3fbde7497e36c8e35f0506622eb9a47939c2c6b9590bf9bbf8d43508be13d7f85f7838ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\2.mp3

Filesize
55KB

MD5
996867ee0cfd71ede0cda93e57789c75

SHA1
15abbe1362ca9ae1889ea56d3ea07f793ee76665

SHA256
c3d83fa6b168c9c53b7f9f4324be6f8053e47047e63199c05665a6bad5a587ed

SHA512
e4c3505e9f3c3f4469c858f08e612982e0a24b05b0c3e5aee5c63cd028b48f232c4e7470be50f3443f80b09aa74f2f9e59fc78fd8aba52777a1811033fb6cf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\Icon.ico

Filesize
318B

MD5
e4231534c2813fda3a98d6d6b5b8b3b5

SHA1
c22ac56a296756120228cfe77fcc17b9000934c9

SHA256
143c93447046030853857088e31ee6c121d63fdfd03f10d36dfdcf6f0634ba43

SHA512
59aa526796c7e1de9bf2074fecae7b7520f34fd0f523bbb4c1f111b1b289f0a5bb7b94dc73fd8fec6187076c10d87a56273a09c79c718e388fcbaf5f0dd676cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\Install.txt

Filesize
8KB

MD5
c0f4dbba918d1c7507f21463c422f29e

SHA1
daf5a4e8b449dddd98cfa54c75098c150576a8f6

SHA256
4fb1eb0cab27dba73bb042ddfbe470e7c75da6a126d934c3a5650959a7afc849

SHA512
fd50f5a631f394fb3d8220c1af4dcc79f66814c56727e3d845fe02ff8dc320927d430177b826f29cff49b55446a52e11be208de76a3f78d02e6b217906c7464a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\drivelist.txt

Filesize
72B

MD5
343c6f5dcbc9f70509a2659b6dcca34e

SHA1
573ce994df7f433ba8d897a03b8beebc1a1e80b7

SHA256
375c1af6f2d1fec8595df303bced33d9f80da01fea7d4968e24ef64dfccf78bd

SHA512
4b92a1a45c2f1d00eaa58feda3a0de94d91727824c5ec5472f0eb4ba0ee8edfcae8f05b01bacba5263e870f79e5737137f75434e009260d53853b7f86f94ba4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\pathList.txt

Filesize
52B

MD5
0508bce1cc472b6b9e899a51e6d16a67

SHA1
bfeecf6312f868157503c5a9acf31ccc656e9229

SHA256
7786563108861b5f45b09745fca9d139f1a8d2db29d63f4a2db67e90096baed5

SHA512
6c5bceada4ce2f612d6b887a6ecb082ba6ac3b2e0f42fab77a7c23e297f2d1fe9fbed1b5da6d974229dcce8091be720ce8345b9ee737149ab41dae196d626634

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe

Filesize
233KB

MD5
155e389a330dd7d7e1b274b8e46cdda7

SHA1
6445697a6db02e1a0e76efe69a3c87959ce2a0d8

SHA256
6390a4374f8d00c8dd4247e271137b2fa6259e0678b7b8bd29ce957058fd8f05

SHA512
df8d78cf27e4a384371f755e6d0d7333c736067aeeb619e44cbc5d88381bdcbc09a9b8eeb8aafb764fc1aaf39680e387b3bca73021c6af5452c0b2e03f0e8091

Download Submit
C:\Users\Admin\Documents\setup.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Documents\sweet.jpg

Filesize
23KB

MD5
58b1840b979ae31f23aa8eb3594d5c17

SHA1
6b28b8e047cee70c7fa42715c552ea13a5671bbb

SHA256
b2bb460aa299c6064e7fc947bff314e0f915c6ee6f8f700007129e3b6a314f47

SHA512
13548e5900bddc6797d573fcca24cec1f1eefa0662e9d07c4055a3899460f4e135e1c76197b57a49b452e61e201cb86d1960f3e8b00828a2d0031dc9aa78666a

Download Submit
C:\Users\Admin\Downloads\Mantas.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 177631.crdownload

Filesize
50KB

MD5
7d595027f9fdd0451b069c0c65f2a6e4

SHA1
a4556275c6c45e19d5b784612c68b3ad90892537

SHA256
d2518df72d5cce230d98a435977d9283b606a5a4cafe8cd596641f96d8555254

SHA512
b8f37ecc78affa30a0c7c00409f2db1e2fd031f16c530a8c1d4b4bffaa5d55ac235b11540c8a611ae1a90b748b04498e3954cfb1529236937ef693c6b20e893b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 316224.crdownload

Filesize
451KB

MD5
4f30003916cc70fca3ce6ec3f0ff1429

SHA1
7a12afdc041a03da58971a0f7637252ace834353

SHA256
746153871f816ece357589b2351818e449b1beecfb21eb75a3305899ce9ae37c

SHA512
e679a0f4b7292aedc9cd3a33cf150312ea0b1d712dd8ae8b719dedf92cc230330862f395e4f8da21c37d55a613d82a07d28b7fe6b5db6009ba8a30396caa5029

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 413925.crdownload

Filesize
40KB

MD5
53f25f98742c5114eec23c6487af624c

SHA1
671af46401450d6ed9c0904402391640a1bddcc2

SHA256
7b5dec6a48ee2114c3056f4ccb6935f3e7418ef0b0bc4a58931f2c80fc94d705

SHA512
f460775308b34552c930c3f256cef1069b28421673d71e3fa2712b0467485861a98285925ae49f1adea1faf59265b964c873c12a3bb5de216122ac20084e1048

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 516512.crdownload

Filesize
372KB

MD5
d543f8d2644b09445d9bc4a8a4b1a8c0

SHA1
72a7b4fb767c47f15280c053fba80de1e44d7173

SHA256
1c0e2b7981ffa9e86185b7a7aac93f13629d92d8f58769569483202b3a926ce5

SHA512
9cd77db4a1fe1f0ec7779151714371c21ed798091d9022cec6643c79b2f3c87554a0b7f01c4014e59d0d1a131922a801413d37236ef1c49506f8e1aa5b96e167

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 607970.crdownload

Filesize
190KB

MD5
248aadd395ffa7ffb1670392a9398454

SHA1
c53c140bbdeb556fca33bc7f9b2e44e9061ea3e5

SHA256
51290129cccca38c6e3b4444d0dfb8d848c8f3fc2e5291fc0d219fd642530adc

SHA512
582b917864903252731c3d0dff536d7b1e44541ee866dc20e0341cbee5450f2f0ff4d82e1eee75f770e4dad9d8b9270ab5664ffedfe21d1ad2bd7fe6bc42cf0e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 934181.crdownload

Filesize
373KB

MD5
30cdab5cf1d607ee7b34f44ab38e9190

SHA1
d4823f90d14eba0801653e8c970f47d54f655d36

SHA256
1517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f

SHA512
b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3

Download Submit
C:\heap41a\reproduce.txt

Filesize
834B

MD5
4caff3a1fff3c9a4184dc586cf232265

SHA1
95603f1d5febc408dd421b96f8cc7d65b617d073

SHA256
dbc040d5f5261175089971582de1761569f6e1bd1f5dfc14cb4d7810cf192d6b

SHA512
dab3dbf898e8acb3e55c4411363f807be9ff67c20ef44c8d1505de689f8ba66e4beb7c57ee2fb0e04db1fb89b810beda6e854cd6063c84821f7ca827266ee95b

Download Submit
C:\heap41a\script1.txt

Filesize
3KB

MD5
83dcab5f77dbe3c6309957368da10d79

SHA1
44f588cbe597aae47aea2a4c14389d363269f418

SHA256
82ee86007227f285a1a1827d076c0abfeceb6fcc29960a9972114744fb37e0cd

SHA512
16fc76355027d45e416856bbc2d510acec15a7043f071d97f0c4cbf5752c01360962c31d28a3baff94adc81b4dbce71c15d33ccfa9f987a1df5c7b2e3ef1e034

Download Submit
C:\heap41a\std.txt

Filesize
439B

MD5
ae294ea720e7714ba05305b1eb2c371c

SHA1
f491b0abd1e180438a63890fdfbfc22f24e7be39

SHA256
ccc6e118a00a915962f2944dbc24dd9dd190e1a05923569f8b7c270d0195c9dd

SHA512
dca8c2564c8ee7e08755043a267492ca9a09e0c276bea4b2849905156c449edd31913b9b1ebd5005bda504d96afd873a59aafbef25d2b2e99cf295d7cc2f879d

Download Submit
C:\v1.log

Filesize
458B

MD5
fedfe61d4f2051538cd6630477ce1eea

SHA1
2c579e3ba01c72aa9ebc561b507341b6c8841e22

SHA256
0bdc42aec01699fb0e94a4db4578adfd6710645e48514708ba6d72b0edbddb9a

SHA512
e59a43daec0b73bd0971faf95a5bb03498316f849a083687dfa1b9f5bc6827d8832b6ed4567e6eaa534a82cd010716624827705f28c80b02a9a64af5b803ac50

Download Submit
C:\v1.log

Filesize
702B

MD5
829cb06cf5c2139351f642f116cf0a36

SHA1
003b739523b264b6d05beddcb041be814b3499d9

SHA256
4dc6fd60f197a94708497c2761dad7da6a4bee67dbc68f215d606f7fc4132413

SHA512
6db0f72f7b85033b56bda148e0cc0060df1074e324f278f4ebc85dbc9ba57ea0c9f241948544503ac0e6dd00fcb05239623101cac36575dd1c4bae8798bab302

Download Submit
memory/440-2398-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/440-2420-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1596-2418-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1596-2426-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2060-2317-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2060-798-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2508-2713-0x0000000051000000-0x0000000051064000-memory.dmp

Filesize
400KB

Download
memory/2508-2704-0x0000000051000000-0x0000000051064000-memory.dmp

Filesize
400KB

Download
memory/3004-2399-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3252-2538-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2745-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2423-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2587-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2447-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2589-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2449-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2591-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2451-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2593-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2458-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2595-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2491-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2597-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2518-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2599-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2585-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2601-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2735-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2603-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2733-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2605-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2553-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2607-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2694-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2609-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2561-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2611-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2648-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2616-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3252-2574-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2602-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2612-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2736-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2649-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2562-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2610-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2608-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2695-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2554-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2606-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2539-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2519-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2604-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2734-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2586-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2617-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2600-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2746-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2598-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2492-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2596-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2459-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2594-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2592-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2575-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2450-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2590-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2448-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3920-2588-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5012-2897-0x0000000000CC0000-0x0000000000CEE000-memory.dmp

Filesize
184KB

Download