a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

7^/10

bootkit discovery persistence phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MEMZ.exeMEMZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MEMZ.exenotepad.exeMEMZ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
2928	MEMZ.exe
2928	MEMZ.exe
2464	MEMZ.exe
2464	MEMZ.exe
2464	MEMZ.exe
2464	MEMZ.exe
2928	MEMZ.exe
2928	MEMZ.exe
2464	MEMZ.exe
2464	MEMZ.exe
1916	MEMZ.exe
1916	MEMZ.exe
1916	MEMZ.exe
1916	MEMZ.exe
2464	MEMZ.exe
2464	MEMZ.exe
3400	MEMZ.exe
3400	MEMZ.exe
2928	MEMZ.exe
2928	MEMZ.exe
4908	MEMZ.exe
4908	MEMZ.exe
2464	MEMZ.exe
2464	MEMZ.exe
1916	MEMZ.exe
1916	MEMZ.exe
2464	MEMZ.exe
4908	MEMZ.exe
2464	MEMZ.exe
4908	MEMZ.exe
2928	MEMZ.exe
2928	MEMZ.exe
3400	MEMZ.exe
3400	MEMZ.exe
3400	MEMZ.exe
3400	MEMZ.exe
2928	MEMZ.exe
2928	MEMZ.exe
4908	MEMZ.exe
4908	MEMZ.exe
2464	MEMZ.exe
2464	MEMZ.exe
1916	MEMZ.exe
1916	MEMZ.exe
2464	MEMZ.exe
2464	MEMZ.exe
4908	MEMZ.exe
4908	MEMZ.exe
2928	MEMZ.exe
2928	MEMZ.exe
3400	MEMZ.exe
3400	MEMZ.exe
2928	MEMZ.exe
4908	MEMZ.exe
4908	MEMZ.exe
2928	MEMZ.exe
2464	MEMZ.exe
1916	MEMZ.exe
2464	MEMZ.exe
1916	MEMZ.exe
1916	MEMZ.exe
1916	MEMZ.exe
2464	MEMZ.exe
2464	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskmgr.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	5944	taskmgr.exe
Token: SeSystemProfilePrivilege	5944	taskmgr.exe
Token: SeCreateGlobalPrivilege	5944	taskmgr.exe
Token: 33	1028	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1028	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exenotepad.exetaskmgr.exe

pid	process
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
4696	notepad.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
3856	msedge.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe
5944	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MEMZ.exe

pid process

3520 MEMZ.exe

pid	process
3520	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MEMZ.exeMEMZ.exemsedge.exe

description	pid	process	target process
PID 3196 wrote to memory of 2464	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 2464	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 2464	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 2928	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 2928	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 2928	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 1916	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 1916	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 1916	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 4908	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 4908	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 4908	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 3400	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 3400	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 3400	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 3520	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 3520	3196	MEMZ.exe	MEMZ.exe
PID 3196 wrote to memory of 3520	3196	MEMZ.exe	MEMZ.exe
PID 3520 wrote to memory of 4696	3520	MEMZ.exe	notepad.exe
PID 3520 wrote to memory of 4696	3520	MEMZ.exe	notepad.exe
PID 3520 wrote to memory of 4696	3520	MEMZ.exe	notepad.exe
PID 3520 wrote to memory of 3856	3520	MEMZ.exe	msedge.exe
PID 3520 wrote to memory of 3856	3520	MEMZ.exe	msedge.exe
PID 3856 wrote to memory of 1584	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1584	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe
PID 3856 wrote to memory of 1616	3856	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1916
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3400
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:4696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://motherboard.vice.com/read/watch-this-malware-turn-a-computer-into-a-digital-hellscape
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8729e46f8,0x7ff8729e4708,0x7ff8729e4718
      4⤵
      PID:1584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
      4⤵
      PID:1616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      PID:4708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
      4⤵
      PID:1308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:3556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:2892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
      4⤵
      PID:1792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
      4⤵
      PID:888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
      4⤵
      PID:3624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
      4⤵
      PID:1580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
      4⤵
      PID:1180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
      4⤵
      PID:2604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
      4⤵
      PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
      4⤵
      PID:5168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
      4⤵
      PID:5176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
      4⤵
      PID:5544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
      4⤵
      PID:5624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
      4⤵
      PID:5720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
      4⤵
      PID:2228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
      4⤵
      PID:5352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1320 /prefetch:1
      4⤵
      PID:2168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
      4⤵
      PID:1456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:1
      4⤵
      PID:2336
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1027605553163429313,453322317768183382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
      4⤵
      PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=montage+parody+making+program+2016
    3⤵
    PID:5464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8729e46f8,0x7ff8729e4708,0x7ff8729e4718
      4⤵
      PID:5476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=what+happens+if+you+delete+system32
    3⤵
    PID:2508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8729e46f8,0x7ff8729e4708,0x7ff8729e4718
      4⤵
      PID:4116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/
    3⤵
    PID:3888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8729e46f8,0x7ff8729e4708,0x7ff8729e4718
      4⤵
      PID:1984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=minecraft+hax+download+no+virus
    3⤵
    PID:1420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8729e46f8,0x7ff8729e4708,0x7ff8729e4718
      4⤵
      PID:2568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2748

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5944

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x468
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
69KB

MD5
f4b0dc032323f8687afb4ac988d9d827

SHA1
d4279c8f4da3f5ed7be03ee1da3bea251264b7ec

SHA256
b808ffb1fd1bef8b8aad559fad786980b4c46ed041733c7b873203bc0f78578a

SHA512
71bf5a8bc1bfadb2f81104367cc9a7eaf7298953f612bf658013a8ed12630dcdb344505fca1c4646d31bb158e593845704f5f93a6367cc233079fd6e60ad0396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
741b1f642846edea527a0fed65451844

SHA1
f72a0fc8586a9dc1e85c13c6a763d1483eeb68fc

SHA256
3eb2f173f40680e7765f8a1316ea4b012c858ee603ac0569d459a6c41b7ce14b

SHA512
ce40ac5e61e91711f0bff38f522c9beffe2ad5252dc7be621600d948f32deab3d8dceee314fa7bee82efbc0265ae17535546e5270b3154bbcb85b2073b032aa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e901c42377e7b3f2534d1fd0c43d1d02

SHA1
4a7fc2894b6ad1b39abf38f99b484c7ae4c0ac73

SHA256
1abe846eb1ed0bead31dc657d67905ab8e5b735dc9f2594fda787ce2464b673c

SHA512
a294a08a17610291890a3978166c34235b08d5a69449ff5bd4f7d1a0c38743b3398d72e01dac39016ce4cdb155f1df21a8227aace47cb883da97f08f17d33a85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
f92a0021bc254d42eb9423d8a5d25f57

SHA1
4eb09195ecb2d5f818693aa519932120fb92eadf

SHA256
cffa2c5784f2fb8e341e22f3c47b8b9d7030b12d579250e4b5abd0d08d2d907b

SHA512
277e0f3fb35462b4e412384412384739040b857420cb6d8183e510c4b7c772ee71611104fecb17805ca36b72a3aea74f7e11311669b4d76c3a6299e3f3eef77b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
ef3358145dd39de20ad55631c774b2da

SHA1
8cde64ac5286ac518fb5243dd90195587cef6645

SHA256
8ab6baf01d53f5781e94ada462429f640973be6762d1b88842e4f51dacd65188

SHA512
c9aa6a4c9bdd585677d8c5ed400958772c11e86a3b3cc8a4f7b0945bb60022948a0f86f979a12fd499fae8f1481a8bd163762708a7e0552a6a00bc334fe7711a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
ceb5bea7ded0116e968c17a0f0b9bc84

SHA1
e3a12b99030161cc9edddbd7384934437a8a8d49

SHA256
ecac81fb9405eb2bcbe4515b81723058ed4f71f467d2fb6d3995f9380101a996

SHA512
b08bf772476e7cd26f2557ac75f44ddf5a9bb4aa6c1dc45a6bc188957f1230d632a56e23c09b47909c00250d4d5ba107f6280c2f8a4fd039a70f1bb69e9b061c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4f3dd9116a512b2809bee29c83ddf48c

SHA1
33e290c3c8dd271fa2f41ba93bb74174887e63af

SHA256
c2f2dfeed8cf156773209aac29db9bc5183cbfa2508b80c1ececdfe4d45a8c43

SHA512
eeb050b6127569cf5a971964f2189405e299f93e4fd49750e91fa4529212c3df5522d262f65881630460af1266d1d78938d203d12bc262d9e0d23db47fcb3629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
431b367d6b7928fa7fb4c1df969f1552

SHA1
d6623a0108c32804e3d2dd67a449cc3287c41f01

SHA256
e5e0a0964492e02ee88bf38adf6430a3269af6848f0a6b607262f2beb23ef7ac

SHA512
b693a31a913458a29f5f7724289e124b313e0c40f7b4affa421e851321229e25369a29a8e590b30ea3d14af91540799a47b413b784948947fb4f4de5ca980439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
440b4e80efd197e39282825960eae3b3

SHA1
5ccc781e4727080ce84953b431183140cbdf1db6

SHA256
cd768a2c66c624ef6ab095387e5216a606466705a9002f3928722e93f09947b7

SHA512
3c94b7fa7928d1a6ba9c67c00323e392eb126cdf4def400d220a0fec6845877ad5540ff552e26ce98ae61bfdd2150dc11273ca848cced156e62e236b159eca2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bc5c024d75aaf0640edfe01eece8f8c1

SHA1
34cb28ee179e31bc44a92024a2cbdcd499967e57

SHA256
75484f68703f168cb8df7f0bba67317010c66f4180203440bcb60d76f5a46edc

SHA512
0d05c789fbe61f38e52d06a1c07c9ddfc1fb8cf68bbe80637d362d7e432aa83a5f0ea3e5ccad5c858225607e2556fb40891be106973550dce4a57fff015fb8cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59cae7.TMP

Filesize
1KB

MD5
21ec676df3161c34e7ed2a34dfce3d69

SHA1
5d271fd23d915db4d01dff071f08575fc98d379b

SHA256
0705517af4def586185c1e3304cfa439f9c85c9f3e7fb259ae5fb06f65ade8da

SHA512
d80607fc56515af6533c31a94e2d9680631f402a35b06cf1de3841bb1b118d880fdcccc3586a696c50701df24cb31156e0d4f591043be0dd018b5e75b52cea45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6943af9b352a7f34d58d50c8652e4ed7

SHA1
a0ec380288c1bba5fbe6f28922148a88eeb03825

SHA256
20d98cf58149b6fc8544b86b46cb3f7a553120fe2c753696b59bf61de6fe61fe

SHA512
04dee1f142602c7174ed624a49d181630f3cd02bc4d0c1bb1ebee7d8e5c5eea3b0514568ab5ade3aaad8449c82248069d22071f071fc281fcb981008ecd98771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
32c50677f14a3a8ba93d35713f2d5c93

SHA1
2eeb2ca446ce4b55b7709bf528cbcced799edfad

SHA256
6b2a64b7d9ff3718c4db107f370216fbccf50c5a93ef75a483e6db352e1e194e

SHA512
29d2d8d8ed588ffac1c644f2fe975356358470d47ff63aa47f9d0c2db565470ffd734cfea885e92b6f56d9489e1de1d002e159a831b14f7967f3068fdfb29aa2

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_3856_JOCUPBFDLLTVERUF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5944-335-0x000001D5F6E60000-0x000001D5F6E61000-memory.dmp

Filesize
4KB

Download
memory/5944-334-0x000001D5F6E60000-0x000001D5F6E61000-memory.dmp

Filesize
4KB

Download
memory/5944-346-0x000001D5F6E60000-0x000001D5F6E61000-memory.dmp

Filesize
4KB

Download
memory/5944-345-0x000001D5F6E60000-0x000001D5F6E61000-memory.dmp

Filesize
4KB

Download
memory/5944-344-0x000001D5F6E60000-0x000001D5F6E61000-memory.dmp

Filesize
4KB

Download
memory/5944-343-0x000001D5F6E60000-0x000001D5F6E61000-memory.dmp

Filesize
4KB

Download
memory/5944-342-0x000001D5F6E60000-0x000001D5F6E61000-memory.dmp

Filesize
4KB

Download
memory/5944-341-0x000001D5F6E60000-0x000001D5F6E61000-memory.dmp

Filesize
4KB

Download
memory/5944-340-0x000001D5F6E60000-0x000001D5F6E61000-memory.dmp

Filesize
4KB

Download
memory/5944-336-0x000001D5F6E60000-0x000001D5F6E61000-memory.dmp

Filesize
4KB

Download