hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

10-09-2024 00:42

240910-a2qfkszfpb 10

10-09-2024 00:35

10-09-2024 00:23

10-09-2024 00:18

10-09-2024 00:06

Analysis

max time kernel
249s
max time network
247s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10-09-2024 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

8^/10

aspackv2 defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000400000000f448-825.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
1344	YouAreAnIdiot.exe
1044	Avoid.exe
2052	CookieClickerHack.exe
3868	ChilledWindows.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	ChilledWindows.exe
File opened (read-only)	\??\O:	ChilledWindows.exe
File opened (read-only)	\??\W:	ChilledWindows.exe
File opened (read-only)	\??\G:	ChilledWindows.exe
File opened (read-only)	\??\L:	ChilledWindows.exe
File opened (read-only)	\??\P:	ChilledWindows.exe
File opened (read-only)	\??\R:	ChilledWindows.exe
File opened (read-only)	\??\U:	ChilledWindows.exe
File opened (read-only)	\??\V:	ChilledWindows.exe
File opened (read-only)	\??\Y:	ChilledWindows.exe
File opened (read-only)	\??\Z:	ChilledWindows.exe
File opened (read-only)	\??\A:	ChilledWindows.exe
File opened (read-only)	\??\Q:	ChilledWindows.exe
File opened (read-only)	\??\T:	ChilledWindows.exe
File opened (read-only)	\??\X:	ChilledWindows.exe
File opened (read-only)	\??\B:	ChilledWindows.exe
File opened (read-only)	\??\E:	ChilledWindows.exe
File opened (read-only)	\??\H:	ChilledWindows.exe
File opened (read-only)	\??\I:	ChilledWindows.exe
File opened (read-only)	\??\K:	ChilledWindows.exe
File opened (read-only)	\??\M:	ChilledWindows.exe
File opened (read-only)	\??\N:	ChilledWindows.exe
File opened (read-only)	\??\S:	ChilledWindows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
35	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\YouAreAnIdiot.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Avoid.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CookieClickerHack.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ChilledWindows.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3368	1344	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-242286936-336880687-2152680090-1000\{1B066B36-78FA-4C42-83F2-0639357086F1}	ChilledWindows.exe

NTFS ADS 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CookieClickerHack.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ChilledWindows.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 793325.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 632443.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 694918.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 534396.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\YouAreAnIdiot.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Avoid.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2768	msedge.exe
2768	msedge.exe
468	msedge.exe
468	msedge.exe
2072	msedge.exe
2072	msedge.exe
692	identity_helper.exe
692	identity_helper.exe
3684	msedge.exe
3684	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3504	msedge.exe
3504	msedge.exe
4880	msedge.exe
4880	msedge.exe
1184	msedge.exe
1184	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3868	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	3868	ChilledWindows.exe
Token: 33	4504	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4504	AUDIODG.EXE
Token: SeShutdownPrivilege	3868	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	3868	ChilledWindows.exe
Token: SeShutdownPrivilege	3868	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	3868	ChilledWindows.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe
468	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 2180	468	msedge.exe	78
PID 468 wrote to memory of 2180	468	msedge.exe	78
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 540	468	msedge.exe	79
PID 468 wrote to memory of 2768	468	msedge.exe	80
PID 468 wrote to memory of 2768	468	msedge.exe	80
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81
PID 468 wrote to memory of 5096	468	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe565b3cb8,0x7ffe565b3cc8,0x7ffe565b3cd8
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2980 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6984 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1828 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7152 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6692 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7164 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,15200819229376862168,9392344531227805188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1184
- C:\Users\Admin\Downloads\YouAreAnIdiot.exe
  "C:\Users\Admin\Downloads\YouAreAnIdiot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1236
    3⤵
    - Program crash
    PID:3368
- C:\Users\Admin\Downloads\Avoid.exe
  "C:\Users\Admin\Downloads\Avoid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1044
- C:\Users\Admin\Downloads\CookieClickerHack.exe
  "C:\Users\Admin\Downloads\CookieClickerHack.exe"
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Users\Admin\Downloads\ChilledWindows.exe
  "C:\Users\Admin\Downloads\ChilledWindows.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1344 -ip 1344
1⤵
PID:2752

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ee16858e751901224340cabb25e5704

SHA1
24e0d2d301f282fb8e492e9df0b36603b28477b2

SHA256
e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c

SHA512
bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea667b2dedf919487c556b97119cf88a

SHA1
0ee7b1da90be47cc31406f4dba755fd083a29762

SHA256
9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f

SHA512
832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
21KB

MD5
94a66764d0bd4c1d12019dcd9b7d2385

SHA1
922ba4ccf5e626923c1821d2df022a11a12183aa

SHA256
341c78787e5c199fa3d7c423854c597fd51a0fc495b9fd8fed010e15c0442548

SHA512
f27ba03356072970452307d81632c906e4b62c56c76b56dfe5c7f0ea898ac1af6be50f91c29f394a2644040929548d186e0fbcea0106e80d9a6a74035f533412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
37KB

MD5
306fca5a40310225aaeae1a7f6ec4ba5

SHA1
33c5ab9a579fbd264c8588500599d8f3fd21f950

SHA256
e091abb6ef48d6dd52e72d03c30658e3ccc22b498838e3bac0e1a4c91fe8e31a

SHA512
b6cdac942ed7e74baac93f7186267436bd98f1da88a8df78b52d179dc2853a33375a3d4d2d8f6e9eada0c34a8238ea27b06ad8414df5997b586506e897961cab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
37KB

MD5
3973eef729615ffe9f12b0cad100e6b4

SHA1
ae897202c487c10de5c0e11e335ae2fd6d3b4640

SHA256
930521af373044db3aa04862d9f4068286096ed61b3da3dcf9a8a03c02daacff

SHA512
c5e33bcd9e4689bc7078f38e229d77e109d8419bbb2fad9c3f2ebafce688f55f8a636a23ca80fdd4714e19d0dcff23da01b9ed67ba1a9a52bcd0d500de1f9bb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
6b885f6f7504cdcc2f64ede29af0e1c9

SHA1
b445ed9c1e99dac6519fcf291cf0f17caf2154fe

SHA256
ce25ad2a68b5a376de382df730463d91ab6fb910ca8121e20aef4fb5edf5699b

SHA512
64f20867d4f4add9bc781ace32c1475b8e872f0d4c80833b4c247164da94d9ce5c9b0ae5dcb7a09c6d38c8cd7bfb9717a46ff05dbcdb26daa94a114260863ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
57KB

MD5
2d7b354bc7c65250f780cf08bb193e4b

SHA1
5e14f298aeacf2b0b4a046e5d760e85760f4a55c

SHA256
0ee060dd2b3c0969e1761fa59cce2861be9eb0dc6321fefe5a6ca1a381a2cf71

SHA512
0647a7a8274640ebd3cbe7aad11c81616f9ff6f42dfe1b8100fb53e909a2f73467bc7a514ce0a7badce330730332cdee68de0577b46c19b1a1740759af63441e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
53KB

MD5
cfff8fc00d16fc868cf319409948c243

SHA1
b7e2e2a6656c77a19d9819a7d782a981d9e16d44

SHA256
51266cbe2741a46507d1bb758669d6de3c2246f650829774f7433bc734688a5a

SHA512
9d127abfdf3850998fd0d2fb6bd106b5a40506398eb9c5474933ff5309cdc18c07052592281dbe1f15ea9d6cb245d08ff09873b374777d71bbbc6e0594bde39b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
137KB

MD5
531b54313c7e37aa9373ae02902938fc

SHA1
2f4216dba4074d48eda6f2ec432c6b36d53d131f

SHA256
ffa166b04c3e8ce908968d4029f32f26cf1d5adc49ae843d6992b8d3049af94b

SHA512
8fe11e78c01959370174c384d5cfad2a22ba1abf981deb74b8bcf5fc070250c80d75f6740e2455aada3037bfdef0ec4cd8558d4de5c5bf55a330e642f53956d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
22KB

MD5
0aaa39fd3c9635b53f77faed2103cc71

SHA1
2ecc7cf9fbb735b529935756e2477747c55599e9

SHA256
9aa0d9ede9a8e05cc7e8df36b58c766d9e4f58fd0dd525d1b6655f06d0a86d77

SHA512
54ad2e9990d75ee71c4e55b42701c34df9aa3883012cb39804f29cea5c7a4a9f200418b1b5a7eb5d3c6b5d6498240a5daeb096c4997eade168286a0042bdcbf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
20KB

MD5
956cc5e50c0d4d49ebf655a8ec2d9c8c

SHA1
6da68a690ee7a6564a5eccb1e1166ed6cc2b1b81

SHA256
09d217f8d59e24d4071628ad28d3e27d130612ee64ffdc8593a20eb410e7701d

SHA512
81b15982d5388472eb98475f1a98033f6fc5610ffd45fc9da67469b298ba339aa4cf166a143cad33695d515d3a5aedc8fa9f90abbde162bdd600d63ea8d60bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
67KB

MD5
63f2424178cc58cd35ad0fe0dfd3fed3

SHA1
cd1b603c66fc7867d5489f0934ed206e4e3df44c

SHA256
1d49b0c04b270607c4d11a3ea937c14d3b64c9b2381950eac644bc1fd9073aaa

SHA512
dd9b40b2f4423f3065c71124504a5aa1b7f5fd9b4cd4191892e5fbcf6a1a461cc359bc544b8b358f86c8a1b9ef8dd3d47f2e3404a98c69cf5045fd13ac00b064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
97196b8cbc8f98562105de5343a839a5

SHA1
7e0d5180bedae5debf5b5c71a97c7f0ddd4abf07

SHA256
aa4b9b02b28f75fe88ca55ec3e38c7062f415f70a1128cebdbb8a4ff5ff04e96

SHA512
bbed642dfec42ac59705f2d40d80b78077d8180f657d7483669ef4653a4daeb941d6b600d323e914d6c17fa39361a4aa507c93b5ca686982e884e43678d57f4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
73484c67a47331eb4347ee5eaa1ed044

SHA1
c8d5753c2eafd5debedb5b17bcf20d0e7954288a

SHA256
4abdad20c25dd6a856613e3e2a3c930b28218a240dc124e5118222398f0bba84

SHA512
a06d16bb73ef712bd732b762c463316a955efc82f8eda1231524cc9c9bfececd6cc8eb0279fda4ba227fb17eff352bd4408311e765af9d964b232ffee9023e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
d22266ba3d8db30279b96944f0cec985

SHA1
44e288cdfe75a5e8299ce32e75dd9e0705cdbac9

SHA256
77873629fa695e434160c86ae9116906ff65a97666d7d35a3ed63221b627c0bf

SHA512
d463aecbdac835dace5544b4267c86c2ed7d3165ba95095db6dfc3a25655f2391fa202a81d37b4a76a36f04456ed86df137302ad0e456fd59ecdfee3c69c6c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
a7d1701142cca705f833d70023ef4e1e

SHA1
1b76853132abfcddb4fefac42bf9df5d013c9815

SHA256
6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7

SHA512
806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
75aa771ef3c7da97aa4823b929cde210

SHA1
b67fd827e3dbb62f7d837e85a0f6f01f578e9f17

SHA256
a03c813dac6630a98297b113848769e0079562b3ff2ab1e557da9a01bd926508

SHA512
927afa341b3bce4038f51f29e1f8ca6ffcdc48b6ce2a28024fdef14c8360b42489f7a4d8764ef2766f2f7d5123abf0e471c0c147313c793a63c6859626f7fe0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3cd41eb5e9f7e245a2e0ad2ab79325ba

SHA1
059416957bf112c6289e129fb637054c544b71f9

SHA256
cb3b2ca403ac91485ef4a7448650bfc9aae03b1d46c69cbf4169aa6ebc6f79f3

SHA512
04b0dbf153e1a343a1f452f91815fbe79fb73ec0163d68d1c810cf87197677944c77afa0838e997702349aded061b9cf2e85352948a9a14e8ada18892bb8bb0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d34cbf1fd3c9ed045ffff69010677104

SHA1
a220c235f6adab8337e063257d5354b9183a5b3c

SHA256
9be37be68d3ed55bfe36c7ae679544da58cc0406f84c5602b7026dec84c8e79b

SHA512
15d4e779cb8ecef94c1c10d8ff82cb329b0cb0bacfc5b5ec3a1bb3a098cac48a11db84d37dbf5257aa238670684ceb2c6baeea1660c7fe506e0c68343b34e4b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b178b0a6347bb71d0965173e947f4ec

SHA1
0628dc564665616547655203d48e613379cfb187

SHA256
dbea3308628126bf334f193dbd4ffaca0c9dc479343af6eb350a009f3b85a64c

SHA512
f14b9a6351bc9d07eabebc7f96db93f8b9fdac65ef17b16a9568d18892640b79a67e65e55046841498a1594c1950eb47899865992df0d8632f4087e89f494538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12b002850046af85abb5631982b2e837

SHA1
6a1a89b113feda597c7a64a5a6c59c5589243d1f

SHA256
352bba562c60021a32df2aaf6563eb1172e281c2534413a16fbb442e4710b98d

SHA512
d4b3ab99178579fdc638ead2cb28adc131f57b5556a7bb8518bb238d114e7fa7b84dbca79e57dc43cfd3c505906f29cc1332b4fd79defadaecdfa6b21cf9f4fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0fea6a7f2ba5bcf49361cd4bdc57926

SHA1
8a9a58f00d7136ff38e600c493712ddf1dae9e79

SHA256
8445708270d2b4f1b0c0ee8da5496188fed0ef9bae56caf3ed06f9eb7b307eb2

SHA512
80b3fa10fc50eaacbcf4657aba0df37dcd85298d0a2dfbe8ce3bade9c89e7921a021e2ba2d0414964a40e573c1796a38e8fbfecd5d61da67e3a0620fd54ba6d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d9b9a8a67337054c827412e1792ca48

SHA1
e615525a9b139648840e361909a8aaa534123467

SHA256
b889d9d1aae619881bc205a8ab99888817eec5bdab755a1b97963e83d14b5661

SHA512
d0fc6a8a95ae3f1dce0176eda463bc96f3f1b98f2b56d823969a41d8d56329a0b85a1bab980cda187d18f0c314ae6ad9a3e6fa617e19bb71a839debfd84b2330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
864B

MD5
0b9109e6156fa90272f1428609a900ef

SHA1
27031d1f3d374ef114d615a09b7f51693beef4a8

SHA256
c3aee5ba1173352f1c4dce64781ea2823f9866c51bde1e19d578a153394c02d9

SHA512
6df26712dcb8f3e9114752239320ebae132fc703cf4cf786afa99b43d9e2a1b40abb2cff1310adbd05776e9a454363312526d9c791712a18590bb90dbdabc6bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
864B

MD5
60bb4a3e2b83e5b48d788482fd6a787f

SHA1
3f04891a5ad041e8972f81cd17ec0864edfc8890

SHA256
290217e13cb46b3ff46add10e8856e6e5d8be4c2591dbc5f7d83cd8bddd961a3

SHA512
4d0438717f5bba8d8c1df39e9cd9482518be7459252d74ffbf954c04ea2d501c8fe066c795d693bd03a88855d501b854f4f7b31bd291666b203f11eccbab442c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
84f2a5bfdac6145c6ddbabfc5a40b66e

SHA1
9ec44379ebcbc7815ee30a0b970ad9c9a1461962

SHA256
b82f926d684f74a5c804f5bc5bf71f4adde348bd0eec2efedf1ecda1996e01ef

SHA512
7ff5cda744e6b054f18ba39e4c7d0672a8ecf40c5e42453de41d9bbf272aa98028b318123d643add1bea0d19141e58057b0befe7de4f7269430ec7365c4a24ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
1910e4a2d83563b7bf7e95c6036e1bef

SHA1
30df8fe9364a677c65a0a13b799e22b5c9a832ea

SHA256
ff3268e30128b1f8e29392da21de032a8470219ac8328fac7699fe2b09c0dd7c

SHA512
b19d112d784aa5b837a3b8987862edccdcb53923b2972597dc838cfe37819c44d87f7d73dd742da73729b09f2e1670de53ccdd0b5e9d8f2f3f158ecff31f3999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
864B

MD5
c1b4e83cce75e47ca4342136cb1730d7

SHA1
4dfe25665ab0ce729340f8a51a52c027024ddf58

SHA256
e063bfe64d39052bf479d15afc0050711893760c31bfd737ef87e513e8a0b4a5

SHA512
aa6fd613abc9d1fdbc9193426072578b469410a81cab3747c5b6a3ee7fc3b1b837ce1e8088047b52d05f5deccd6f841f996b735f14a8851aa69d6dadca08d8e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
08afa43857a31dc110176481793b5622

SHA1
c8f44b73798d5b61cf7a00aa0e3adca782f09a14

SHA256
7084f4a2521dd482e6c35a11f5d3619317dae4b00e8f59695684ca0757ce9f5b

SHA512
3db2687ab47f44ef7c6d639e6bedce679626647eff509829869b597051b1e9d9994260e521d49e84f5f59ea883cd6a61d1c542a4c73b8831316cbb191ae9602c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f67ab8ea78ee5527c3499acdb93b86f1

SHA1
5fda7ba4a8b400f11d2b6515053caa5a40cfb47f

SHA256
f6ae3d3d7266dc8b51c0e36d0393c48cc39d96d0f068f4c176b876f5aa0bab99

SHA512
14a3124fd472fbb31e9b9442ba31b2e6b8284f6d840da4079ea4ac812e59cb6f3a258b93af419403cdb2974776e43b65edd63984356e4c6a8f1d106f06da1386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
10679dd06ab17e525ccdb590dc4ef628

SHA1
9610f184620aa1b52037b99de991bf777d5f7301

SHA256
a24842e7cb4ea06362d99c09f43c5ec06dfa1f73e00103136bde8c008636a2af

SHA512
febae7018f218543bb4dfa2f5203b5147c5f7d32f4d1192d9292f92ee7782a53d01e823607b0509f17d26be594280a9b67e650bea1fc34e1a4185dfa7f575129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dd21.TMP

Filesize
533B

MD5
e372810edd22e747dfedac541251365f

SHA1
88d923b879ce9ad3fc33441efa62814d15cce8e8

SHA256
10d57ef934a265f76990ff829aa53b64d723afdd040c63a9010e63edcc916bf6

SHA512
e6777e346303ebb8b2f90b84d08796ac150e8a83b0cd852119431713b96d28a9e65aaa01c9562ccb251ae1be529d2a2c3fdc95c165c40334ea45522608a9d80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
da56a62fe0a39164cff1aa9fb320809e

SHA1
2c6f09ad194c7a233752c074faefe2f0cfd9ed9f

SHA256
eded598b9136b6bade7c533b0f21af5e7d953105478ddd1988aec4fa8670edf7

SHA512
dcf15eafae998f73914274a33ab649500b3753acb6a1774c947c594bd7e9b374eea33eafb9a00c851359d8bd2e6836169eb9fc8962d42e8234e769c626f8fe95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c3cdc9c7e5ce29d3974fb5efa5c3abed

SHA1
bbfb00d2ec1d461529c898e1f5ee3ba6cfc4fe5d

SHA256
fb8f2a36fa2d80939adf0bdfc4e13ff163736cefab2d4d91f41d05f3bd915e2e

SHA512
dbc4214c995471c50ea7b5ecb926f069e3b573c08bbfc0327f4b582d9605a5ba10d9197b38001341cc3fd8a0ac26e54e4a20a804678f059f1628b2da56fcc232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d8df0058deb37632102d39b888005c3

SHA1
4789e9bb891dadb4ebe93efb82cb357bf402cf4a

SHA256
a0755939586d04787c62fa521001eaefc97a47ac66ae32dec3ddeddecaad2cb9

SHA512
8489608723f30503b5e6dc11d3f7287caf16abdd93794a6ba814ffc818e8887269152b789b77c2b53688dd9f1d4d7183442f141c4eaa75164ba18b4137dd7d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
db40c55394b0a4f5a74df74ed3588baa

SHA1
1b8f6640a168744d03c3fd6226303f73e3a39f75

SHA256
3e591a5d77e98f56c17b5caf3c3aeb87034d02832046f9dadab9ed348b2b0243

SHA512
04b945e3b2e4b449e7908567efb3b8ff1c5f351d29f6dda43362629e2dc5033817de18f6db15fa02600c3f4d43cf41bed6ec44d8c032e23436d8b03a2e025cab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
640KB

MD5
917dd438082d50df89d4696457e7d720

SHA1
d9ba57199d5ecfc87c299e5203fcd0ce7a0470c7

SHA256
e7bfc1e091315b3599a06adf9a836b287e8790a65d491a792090bf19ca4643d0

SHA512
258f1573c42f4f3d6573ddc0f0ee4155eca22aabcb5bb11f17126cf1e511700083e48397fba3e322d65668345d1b4777edc122493430d25cf42cb735f03c771a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\Downloads\Avoid.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 534396.crdownload

Filesize
4.4MB

MD5
6a4853cd0584dc90067e15afb43c4962

SHA1
ae59bbb123e98dc8379d08887f83d7e52b1b47fc

SHA256
ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

SHA512
feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 632443.crdownload

Filesize
248KB

MD5
20d2c71d6d9daf4499ffc4a5d164f1c3

SHA1
38e5dcd93f25386d05a34a5b26d3fba1bf02f7c8

SHA256
3ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d

SHA512
8ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 694918.crdownload

Filesize
68KB

MD5
bc1e7d033a999c4fd006109c24599f4d

SHA1
b927f0fc4a4232a023312198b33272e1a6d79cec

SHA256
13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401

SHA512
f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 793325.crdownload

Filesize
424KB

MD5
e263c5b306480143855655233f76dc5a

SHA1
e7dcd6c23c72209ee5aa0890372de1ce52045815

SHA256
1f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69

SHA512
e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113

Download Submit
C:\Users\Admin\Downloads\YouAreAnIdiot.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
memory/1044-951-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1344-934-0x0000000005300000-0x000000000539C000-memory.dmp

Filesize
624KB

Download
memory/1344-938-0x00000000055A0000-0x00000000055F6000-memory.dmp

Filesize
344KB

Download
memory/1344-933-0x00000000007A0000-0x0000000000812000-memory.dmp

Filesize
456KB

Download
memory/1344-935-0x0000000005950000-0x0000000005EF6000-memory.dmp

Filesize
5.6MB

Download
memory/1344-936-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/1344-937-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/2052-944-0x000000001BB20000-0x000000001BFEE000-memory.dmp

Filesize
4.8MB

Download
memory/2052-943-0x000000001B5A0000-0x000000001B646000-memory.dmp

Filesize
664KB

Download
memory/2052-945-0x000000001C0F0000-0x000000001C18C000-memory.dmp

Filesize
624KB

Download
memory/2052-947-0x000000001C350000-0x000000001C39C000-memory.dmp

Filesize
304KB

Download
memory/2052-946-0x000000001B530000-0x000000001B538000-memory.dmp

Filesize
32KB

Download
memory/3868-974-0x000000001C330000-0x000000001C338000-memory.dmp

Filesize
32KB

Download
memory/3868-975-0x0000000021FB0000-0x0000000021FE8000-memory.dmp

Filesize
224KB

Download
memory/3868-976-0x000000001C9B0000-0x000000001C9BE000-memory.dmp

Filesize
56KB

Download
memory/3868-953-0x00000000009E0000-0x0000000000E44000-memory.dmp

Filesize
4.4MB

Download