hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

08-02-2025 11:41

250208-ntjjystngr 10

08-02-2025 11:24

250208-nhpltstkar 8

08-02-2025 10:52

250208-myteaasjcn 8

Analysis

max time kernel
135s
max time network
157s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-02-2025 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

8^/10

discovery upx

Malware Config

Signatures

Downloads MZ/PE file 2 IoCs

flow	pid	Process
63	1148	Process not Found
101	4432	msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
100	raw.githubusercontent.com
101	raw.githubusercontent.com

AutoIT Executable 16 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2800-764-0x0000000000900000-0x0000000000A9C000-memory.dmp	autoit_exe
behavioral1/memory/3872-773-0x0000000000B00000-0x0000000000BF4000-memory.dmp	autoit_exe
behavioral1/memory/1880-778-0x0000000000D00000-0x0000000000E9C000-memory.dmp	autoit_exe
behavioral1/memory/5056-788-0x0000000000D00000-0x0000000000DF4000-memory.dmp	autoit_exe
behavioral1/memory/4772-800-0x0000000000900000-0x0000000000A0C000-memory.dmp	autoit_exe
behavioral1/memory/4988-804-0x00000000007A0000-0x0000000000DDD000-memory.dmp	autoit_exe
behavioral1/memory/4988-805-0x00000000007A0000-0x0000000000DDD000-memory.dmp	autoit_exe
behavioral1/memory/1548-808-0x0000000001200000-0x000000000130C000-memory.dmp	autoit_exe
behavioral1/memory/376-818-0x00000000007A0000-0x0000000000DDD000-memory.dmp	autoit_exe
behavioral1/memory/376-819-0x00000000007A0000-0x0000000000DDD000-memory.dmp	autoit_exe
behavioral1/memory/872-822-0x0000000000F90000-0x000000000109C000-memory.dmp	autoit_exe
behavioral1/memory/4300-837-0x00000000005C0000-0x00000000006CC000-memory.dmp	autoit_exe
behavioral1/memory/4448-849-0x0000000000500000-0x000000000060C000-memory.dmp	autoit_exe
behavioral1/memory/4988-859-0x00000000007A0000-0x0000000000DDD000-memory.dmp	autoit_exe
behavioral1/memory/4996-862-0x0000000000DC0000-0x0000000000ECC000-memory.dmp	autoit_exe
behavioral1/memory/376-863-0x00000000007A0000-0x0000000000DDD000-memory.dmp	autoit_exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000027fe4-707.dat	upx
behavioral1/memory/4988-761-0x00000000007A0000-0x0000000000DDD000-memory.dmp	upx
behavioral1/memory/2800-762-0x0000000000900000-0x0000000000A9C000-memory.dmp	upx
behavioral1/memory/2800-763-0x0000000000900000-0x0000000000A9C000-memory.dmp	upx
behavioral1/memory/2800-764-0x0000000000900000-0x0000000000A9C000-memory.dmp	upx
behavioral1/memory/3872-769-0x0000000000B00000-0x0000000000BF4000-memory.dmp	upx
behavioral1/memory/3872-773-0x0000000000B00000-0x0000000000BF4000-memory.dmp	upx
behavioral1/memory/3872-772-0x0000000000B00000-0x0000000000BF4000-memory.dmp	upx
behavioral1/memory/376-775-0x00000000007A0000-0x0000000000DDD000-memory.dmp	upx
behavioral1/memory/1880-776-0x0000000000D00000-0x0000000000E9C000-memory.dmp	upx
behavioral1/memory/1880-777-0x0000000000D00000-0x0000000000E9C000-memory.dmp	upx
behavioral1/memory/1880-778-0x0000000000D00000-0x0000000000E9C000-memory.dmp	upx
behavioral1/memory/5056-783-0x0000000000D00000-0x0000000000DF4000-memory.dmp	upx
behavioral1/memory/5056-788-0x0000000000D00000-0x0000000000DF4000-memory.dmp	upx
behavioral1/memory/5056-784-0x0000000000D00000-0x0000000000DF4000-memory.dmp	upx
behavioral1/memory/4772-798-0x0000000000900000-0x0000000000A0C000-memory.dmp	upx
behavioral1/memory/4772-799-0x0000000000900000-0x0000000000A0C000-memory.dmp	upx
behavioral1/memory/4772-800-0x0000000000900000-0x0000000000A0C000-memory.dmp	upx
behavioral1/memory/4988-804-0x00000000007A0000-0x0000000000DDD000-memory.dmp	upx
behavioral1/memory/4988-805-0x00000000007A0000-0x0000000000DDD000-memory.dmp	upx
behavioral1/memory/1548-806-0x0000000001200000-0x000000000130C000-memory.dmp	upx
behavioral1/memory/1548-807-0x0000000001200000-0x000000000130C000-memory.dmp	upx
behavioral1/memory/1548-808-0x0000000001200000-0x000000000130C000-memory.dmp	upx
behavioral1/memory/376-818-0x00000000007A0000-0x0000000000DDD000-memory.dmp	upx
behavioral1/memory/376-819-0x00000000007A0000-0x0000000000DDD000-memory.dmp	upx
behavioral1/memory/872-820-0x0000000000F90000-0x000000000109C000-memory.dmp	upx
behavioral1/memory/872-821-0x0000000000F90000-0x000000000109C000-memory.dmp	upx
behavioral1/memory/872-822-0x0000000000F90000-0x000000000109C000-memory.dmp	upx
behavioral1/memory/4300-835-0x00000000005C0000-0x00000000006CC000-memory.dmp	upx
behavioral1/memory/4300-836-0x00000000005C0000-0x00000000006CC000-memory.dmp	upx
behavioral1/memory/4300-837-0x00000000005C0000-0x00000000006CC000-memory.dmp	upx
behavioral1/memory/4448-847-0x0000000000500000-0x000000000060C000-memory.dmp	upx
behavioral1/memory/4448-848-0x0000000000500000-0x000000000060C000-memory.dmp	upx
behavioral1/memory/4448-849-0x0000000000500000-0x000000000060C000-memory.dmp	upx
behavioral1/memory/4988-859-0x00000000007A0000-0x0000000000DDD000-memory.dmp	upx
behavioral1/memory/4996-860-0x0000000000DC0000-0x0000000000ECC000-memory.dmp	upx
behavioral1/memory/4996-861-0x0000000000DC0000-0x0000000000ECC000-memory.dmp	upx
behavioral1/memory/4996-862-0x0000000000DC0000-0x0000000000ECC000-memory.dmp	upx
behavioral1/memory/376-863-0x00000000007A0000-0x0000000000DDD000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2772	2404	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3540	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4432	msedge.exe
4432	msedge.exe
3120	msedge.exe
3120	msedge.exe
1340	identity_helper.exe
1340	identity_helper.exe
1664	msedge.exe
1664	msedge.exe
1664	msedge.exe
1664	msedge.exe
664	msedge.exe
664	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 3696	3120	msedge.exe	86
PID 3120 wrote to memory of 3696	3120	msedge.exe	86
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 3644	3120	msedge.exe	87
PID 3120 wrote to memory of 4432	3120	msedge.exe	88
PID 3120 wrote to memory of 4432	3120	msedge.exe	88
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89
PID 3120 wrote to memory of 4048	3120	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffd369346f8,0x7ffd36934708,0x7ffd36934718
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3496 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2248,2851562357461005063,14912686070914682549,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3608 /prefetch:8
  2⤵
  PID:3572
- C:\Users\Admin\Downloads\VeryFun.exe
  "C:\Users\Admin\Downloads\VeryFun.exe"
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4996
- C:\Users\Admin\Downloads\VeryFun.exe
  "C:\Users\Admin\Downloads\VeryFun.exe"
  2⤵
  PID:376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2928

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzE3MTkwODYtNUM1RS00M0MwLTg0MTYtMEYwNUYxQjRDQzI4fSIgdXNlcmlkPSJ7Q0Y0NUJBRUYtQjcxQi00MDdGLUE1N0UtMUJFNTU5ODYzM0VDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MkIwRkFCM0EtM0M3Ni00Mjk2LUFFRDgtQTE4NTc5QzA5OTM0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NDE3IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5NTg5MzQwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTA4MDYyMzkyOSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3540

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0 0x4fc
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2404 -ip 2404
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1724
1⤵
- Program crash
PID:2772

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "324" "1036" "912" "1032" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2bc61c9dd37a26f03ccfdafcdde4c34c

SHA1
de6fcb1f9bbe50fc948ca011f1e976ccd760b6fd

SHA256
85bd40ee06663e203c447aeb642386190391d25cd763501709b36197cc40d328

SHA512
047fb35111f99fcde0590a0481bdbafdd134b5c14c29a5fdffa398138057523ef42caeb17ccbcecd0829dd1a6fe6422d34972caebffa40715725f9cc7556aed4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
21KB

MD5
38a759878edd6734647e9cd996017d90

SHA1
196bc2d58c375a19cd5bb30afed86775d5c88842

SHA256
405513788623c259826d8340da7c0dfe462a4907df13fb9e68ff6144bff4c938

SHA512
8439ca471004ad93669750d59d029675b10c112e15a2666cd5995843c36a3b3475f9dfb36e06ee47e7befcde5fe66cd58f35fd8a6bbdd0a02d5c5cb0ff6eafc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b8e1f0714cde0c165a0faf2d6082957c

SHA1
ad861f2ce636fe4fb77d3c52a53787c2e843006a

SHA256
64df9b85a3a95dfe9cd6c48fd27cde3a80da1274d6cd05bd1ab4c638136e6a13

SHA512
720570d86fd6218fa0126643d1cf01eefcbffceb55f477d1c1eec562d47422f5ee8d3da8370b20d4f2e5dc854ee9a42d57c3fad975e914e7b374d49e5d2287ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
66951b89c09f708e413ced54d6504620

SHA1
39d15d2c1ec261a7ee6d726a843a28d68fbea8e1

SHA256
8dc2e4c2927b9fa7a78de2e6c825bf64f012a060d63f1bec2d1ad43fbd157015

SHA512
11b9fac0eaad8487ed57d763b72ec88416a89d51788141a603e7878ac922f2fb8467e746634ab05918fd37131493c4db21bd7ce21af6c55265207658fdde5234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
595B

MD5
85acfb2aa5555d4a2bcf3b931970f1ac

SHA1
b9ce2a134ef93a1cbdcbc65f4d76cd3fddc625f8

SHA256
fa1aad0fa60fd4786fc656ca1aea7a37acfc29777e164044a060bec033e1077f

SHA512
f63daad4115d8a7df3006352983aea15d5a9e376d09d1423178bff5ce51d5cb6ec69cebfcd62726778fa361cc497f4480f8be276a0ed55c6419fe8cd1e29acde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
970B

MD5
f1ddd57a4993585f58358f52df8bc8a0

SHA1
2e5e7484de671ede6a17611029fc843e61029f8b

SHA256
0bca98fb9ec87ffe584fddc56ba3dcb8866643db02af9c2d6a58f2dbbe0eb9c1

SHA512
852f2b2e2137a02a05bac773ef191ee40c0d2272b7a466509d49416fc6f57a5e5f657442a63a652284fbfffd6dc8c320fae86bdfa2b461defd284462f809d674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
37e9ea0fb80027dac67f5596907c84b0

SHA1
a40ad5f2464651171829e54f9e531645bec994ed

SHA256
894df8402ef290c6d719517b431f6883461742fa7ba17f7f8619b699eed0f49e

SHA512
786e46855a7eeab1c624ee8a7c1bdc522c78b4324fe8d83c8679cb6bb8bbac360b298bd4f094da0503e5b9448523c3bb8609dce98e1d26917355fa8846f10966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d482a1d4c11039339cec5e84b4872cc1

SHA1
7c01a27704a311c056df1bcd4065c90e16942261

SHA256
aadf846a3c0b1817eedd20e1b099de1114ae22f883ffeb3a74767c8f89c2a856

SHA512
443a88ce4ee7e5e70be27acd7fccbd8c6cf77bb5dd8fe690ee3cbd3d51cf2bb0b22352f5272a5184bdd7fd8e9b827c060fac3958d1630578560739c694c17306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f0296b3a12c2d0da5fdf876347a30d9f

SHA1
5368675f4564570f25f7f4a02618438719792dce

SHA256
14daf831bbdf79927fa60b825e2194c4a439f4d4f950a790d6e1fe95e5ba49f5

SHA512
c6e9a439dcb40c18fa3d559a6c7a6575c883b66213351ebaf369361027e21984901870fd1a02b3156ccb86e5d787774bee0cd0436d5b8faa6470bc6feb708645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4671c7d05b18ca4462b865e5fb44244c

SHA1
2caf3091dd342ba90c3415ab9bf02b143207effd

SHA256
d3dbca3649db76619fd49aaef4f5668dbc77d7a978e7f1ec796017e0be71d7aa

SHA512
60bf8fd57b115f2e3fd782313bf262c077e2ac870fa4a8d5eeef8b6e72aceb97641cf4f771fbdacf291896f849f153f0aaeb38a7ad8772625a351addccb7431d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f66eab2c34d63d28e67f1cfc8348bcd7

SHA1
d003fc232c6a8787f53915ba55f8eff0564dee43

SHA256
20ec55b42c07e6e1314b4fc53815ea65933f7d6bc3bedda32fe5a046887849e2

SHA512
7335c84023f25809a51bafa7d6ae6dbad2da2c62c3c73d996a1441dafdf3faadf3afcf032930e9ffd0c683fbe27679ed3531f26d99f1329cf9f958a3f4529e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d8d70a7588bd94dd6ecd635ae4011419

SHA1
45345a970c7a38b7be6e32076f2eadb9b08cf6be

SHA256
f319f8dbb77b11d14ac09439080c85d35712a07613d256e358aab3f9b592389e

SHA512
f4f04ec96d762b15f5df7a9b8c337812d85f8c969255d62e94658ff6ebd9ea43a9bb7bbc943b1c8433e3b5761c183048b3ab68f558700f837b09746c34f3406c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a6adf56f3cc439a06c081e5590a4b44

SHA1
d6138bf1a9672fd046e75eca3b8f1aa9ee20050c

SHA256
7e14a77ef37ef186bcf4bda8b5384cd8d2ce61ac04b523b228a42c49bfd9776e

SHA512
d147483a37e6002009b2d26ba8331ac0d629af7780dc8025d388e3006a22d2d729653eeeae55e057b13322e50bc5f71121f2864d661e5a50e69c94c4ed92c9b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
286ca239417c79ce77822fcd354700c0

SHA1
f3553e923fb9c28ff40be14deb5f05ac96afd9b5

SHA256
63c5b37cfc97ef32b9a6123708c40c59ed5ce2c94b8b22b2b9f4c1064e3108fc

SHA512
d27483d6910a92c977f33c6833b2bbe131a1c3a097a2891fc3b709c8e42250207851c20f395e775d4451a18d8d90f3f55e90b0a85f2c9500f9e4d8d585af7113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aeb9ac31ef2d5de0b13b9d6ebff6ecef

SHA1
1f359841ad17a115c9e2bf7d9ddb93de39a46553

SHA256
8158762d336b5640df01993889feb7c22db1cb3d03a23d90aca08a275adcb402

SHA512
1ca3ecaecaf2132156a204b00b0f1f740fd238911e2e5deb7e73fb395c5b763343593eaf4cd128b8ad913d0c1757c8ce0bd93f56d0df6096d997e7db4fba8e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c4b8e6b536c9598f89ab68ec16a71da0

SHA1
eb02cd209ed99c3c2ae3e029f10ebed092e66419

SHA256
2fd7db891fb666ca8e3ad82d024f95fa50941b9391bad432112650c64ac1fb2f

SHA512
972c3b1b53c2b22a6599aad1441ac6980f4d607d18ffaa6fc69c2d3b226c823531299ed9171438d12b16d8c48d6920164978bdc39eac88b58ee5a43a5acd8b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
001cacc30e01976439dfaf70e28239f5

SHA1
0a362f6a57e87d1ba9f4f6e861d2de327204b913

SHA256
61d585a53bb74e40b4dfddd10bf8f563d62aacc95f625ea03d9bdfc2b469bd05

SHA512
4802307680522414664678718b7cf69565dd1a1d74ce2c2449c01ea735eff179ac0555d784f33bab22b283d6fde9119922f36736a952fc3a0de3ad97fee78be0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1fa6d2474a2acacf92d47565d66d0a7b

SHA1
fc07202e75cb8abc78ca00a3c6b1e5d166fd2e4b

SHA256
71db80959e437e87d4ab5456406f28588edc7ab6e9c443fb48f28c6077838584

SHA512
b3e7713dd6c92ae0ac47b310bf9f58350a423acab7a68b7a36bd46644daa9b662b9db183b7bbf3b2b6a2e5b1b0e33736577d7ff1119d35a320fffe99cafbb52f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b494da7b637f5096b313492bbde74498

SHA1
6b823c226fd4e3312865c5b41bcd53f665823c74

SHA256
d7b6d67aa0e85604277aa5037d1b8a2b537b2a2a5e2f3de359b7c077e52c218f

SHA512
938baef31b7f08413cc552886a93c7876d674b287daf10930f103b90e4f5d0550ee822313813cfd843e9e3ac04dd47b249059aba2c000437a064dd53d9dd30c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
06cef995073cc86dbded101403890ff9

SHA1
7b2bc401577b65b8f82fdc14f0c3219f275fab6e

SHA256
6fc87143f256e82be57b8dd2b203eb32544eff24b390458fa0552c10a8dd91a6

SHA512
3986871095ea686577e5341fac4af4191ca61c9b3b5761324ba261655bc8aa1e561de8cd00fd6bd1b6ce8725788ccf61bedc51a9d87b6f71dc578105d1e57e88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
734aec04a32d389a943c24802dba0c7d

SHA1
3404be4232cde0ad8fdb6c0eeac41800023db8f0

SHA256
7467a1cdb53a1d7c0cc3caf5e8683b91bf00d9b71974fee5773f82a1709c3b97

SHA512
80915e1b9ded19fb07bb10af5a2d8215fb59e415b063c184f3cbb72bc1d0439226886d8f445c0e0bd8916932a71230de71eb4d78f9aa7f611e7104ec23fae44c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4610df0fba53581d94d51f80418c9c96

SHA1
6fa39a46eb56462a63dc663b340f22a3905305c4

SHA256
865fda648e6fde6d5bd52cd4ae7546ff794876bb31cf06ace879f42ab8d2d5d1

SHA512
2d01a0aa750d0f63ad6001642a1aff29a46271e1324562188637f37720913c1f1eec2a8bb32f2c162156c99df7747f2084d85ca670aba6b90fcda349909a57b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
76431e8a90b3756efbf5864598f8dd95

SHA1
c6515cfeaf578eccb769935bc68f4f2d5cae8247

SHA256
af9e66bb44e5211eed724948572abbea573dbd8d5664bfa3f538c7ea65781e41

SHA512
4a9320da3b186fcfe9dd24ac97a07389930a81573dea04b57e51d9d115c4b13b968d224ea9a52a70ef5bf8b3a1987b2066e561a7911c6a5f17b40c83b1537f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4e3c415bc2ce4f920f3fe2c33c0c5a26

SHA1
895de6937a4d2d003f6963184b1ef4c360006ed6

SHA256
f7b2f4ce95747124e172993c18f7891ac1cfe6a6fe70d9063e6814fd8f0534ca

SHA512
ba906694091a6ea758dd0fca96cf05e049909b27951a3d0097dca6bc3e2aee219ced6393302fbedf593704c5f4d8977ac40ba2eb347c9797c28817b5e43d2d83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ea31.TMP

Filesize
1KB

MD5
2ca7fb0e89ac44782a42a6482278753b

SHA1
5d79b9d8b5786f7e38d2848554289f8189ecb650

SHA256
44d9017ed435ab7773cfb71c590cc9b2921bb0063a2ae4e8bfc5a4a0c44c1667

SHA512
33d52f0a55a653ebf2c28b7147fbdc3df08d6a6261a5a35a52026279560b1337e5ac3cc86e75e0eb29e20cde8ad3342e6cc733ecf5ee9b14ed0e9ce2e12d0ef9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3827fb92639ebde6f29d0cf9ae48b83d

SHA1
9fe35c79075449017f3c1657d62a6378b1e42e65

SHA256
4bc566508276e1d7f8376b04dd6f7010aea632ff654b09806bdc3962b1fdb3bb

SHA512
291cf4ba7415d6bd7f2c90cea8c5fbeab816d8679432bd3ffe16aba022e54ce680f250eef78ccf884511e1b3201a63d48579284b5f91737d6d6ea25432aec0ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1db2c78b657b15409b30dd558df2b800

SHA1
9c7105e6823722da56cf4e66a1b3ebc5a0273741

SHA256
526e8651450df286862f4be0f9f1f5c156cddc86358031068ed48f9148fcbe75

SHA512
0639f0c3a4771e142f55ce5e3a19e8584d7fbcd3628abf1438d53c23b311f71914a1588ed15d927ead7b7ea1d5f1b6be2dd3f27a59486cdc9d838c4e543bc055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
97bf85c09e03b83bd4a048e42d49f249

SHA1
9da2ad4575f1181a7354c8d5e7abbd7838d46032

SHA256
05300e665a3c4d24a423fd58019c710bcabab7d1fc81cb1af434369252655c42

SHA512
2380fb39e75068f4415600275b80a5be3b41c757c12a5eb5718aff9e06b4d554fe316a55f85af05aac6f4cd69431a4e5221f3fbbc21bdac57309fb871ce85b04

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 140378.crdownload

Filesize
3.0MB

MD5
ef7b3c31bc127e64627edd8b89b2ae54

SHA1
310d606ec2f130013cc9d2f38a9cc13a2a34794a

SHA256
8b04fda4bee1806587657da6c6147d3e949aa7d11be1eefb8cd6ef0dba76d387

SHA512
a11eadf40024faeb2cc111b8feee1b855701b3b3f3c828d2da0ae93880897c70c15a0ee3aeb91874e5829b1100e0abafec020e0bf1e82f2b8235e9cc3d289be5

Download Submit
C:\Windows\System.ini

Filesize
259B

MD5
59cc8aeef7fb236dcad279a929dd5d13

SHA1
6ea1347c9e6aa3e41174d0b5c65a625712e9a7c7

SHA256
911750421f096162237520a96a679b8b28c04757b98968f1d22f3ebbe89df1b8

SHA512
5e2071480ca7107d2d637ef5089232e2b3df182f0e89e392daabb7f8f32572fd30f850645d0625d4374fb0367e463c16b647d4b479bba1b219d404bc8a7b7712

Download Submit
memory/376-818-0x00000000007A0000-0x0000000000DDD000-memory.dmp

Filesize
6.2MB

Download
memory/376-775-0x00000000007A0000-0x0000000000DDD000-memory.dmp

Filesize
6.2MB

Download
memory/376-819-0x00000000007A0000-0x0000000000DDD000-memory.dmp

Filesize
6.2MB

Download
memory/376-863-0x00000000007A0000-0x0000000000DDD000-memory.dmp

Filesize
6.2MB

Download
memory/872-822-0x0000000000F90000-0x000000000109C000-memory.dmp

Filesize
1.0MB

Download
memory/872-821-0x0000000000F90000-0x000000000109C000-memory.dmp

Filesize
1.0MB

Download
memory/872-820-0x0000000000F90000-0x000000000109C000-memory.dmp

Filesize
1.0MB

Download
memory/1548-808-0x0000000001200000-0x000000000130C000-memory.dmp

Filesize
1.0MB

Download
memory/1548-807-0x0000000001200000-0x000000000130C000-memory.dmp

Filesize
1.0MB

Download
memory/1548-806-0x0000000001200000-0x000000000130C000-memory.dmp

Filesize
1.0MB

Download
memory/1880-782-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1880-778-0x0000000000D00000-0x0000000000E9C000-memory.dmp

Filesize
1.6MB

Download
memory/1880-776-0x0000000000D00000-0x0000000000E9C000-memory.dmp

Filesize
1.6MB

Download
memory/1880-777-0x0000000000D00000-0x0000000000E9C000-memory.dmp

Filesize
1.6MB

Download
memory/1880-781-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2800-763-0x0000000000900000-0x0000000000A9C000-memory.dmp

Filesize
1.6MB

Download
memory/2800-764-0x0000000000900000-0x0000000000A9C000-memory.dmp

Filesize
1.6MB

Download
memory/2800-767-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2800-762-0x0000000000900000-0x0000000000A9C000-memory.dmp

Filesize
1.6MB

Download
memory/2800-768-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2800-765-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/3872-769-0x0000000000B00000-0x0000000000BF4000-memory.dmp

Filesize
976KB

Download
memory/3872-772-0x0000000000B00000-0x0000000000BF4000-memory.dmp

Filesize
976KB

Download
memory/3872-773-0x0000000000B00000-0x0000000000BF4000-memory.dmp

Filesize
976KB

Download
memory/4300-836-0x00000000005C0000-0x00000000006CC000-memory.dmp

Filesize
1.0MB

Download
memory/4300-835-0x00000000005C0000-0x00000000006CC000-memory.dmp

Filesize
1.0MB

Download
memory/4300-837-0x00000000005C0000-0x00000000006CC000-memory.dmp

Filesize
1.0MB

Download
memory/4448-847-0x0000000000500000-0x000000000060C000-memory.dmp

Filesize
1.0MB

Download
memory/4448-849-0x0000000000500000-0x000000000060C000-memory.dmp

Filesize
1.0MB

Download
memory/4448-848-0x0000000000500000-0x000000000060C000-memory.dmp

Filesize
1.0MB

Download
memory/4772-800-0x0000000000900000-0x0000000000A0C000-memory.dmp

Filesize
1.0MB

Download
memory/4772-799-0x0000000000900000-0x0000000000A0C000-memory.dmp

Filesize
1.0MB

Download
memory/4772-798-0x0000000000900000-0x0000000000A0C000-memory.dmp

Filesize
1.0MB

Download
memory/4988-761-0x00000000007A0000-0x0000000000DDD000-memory.dmp

Filesize
6.2MB

Download
memory/4988-804-0x00000000007A0000-0x0000000000DDD000-memory.dmp

Filesize
6.2MB

Download
memory/4988-805-0x00000000007A0000-0x0000000000DDD000-memory.dmp

Filesize
6.2MB

Download
memory/4988-859-0x00000000007A0000-0x0000000000DDD000-memory.dmp

Filesize
6.2MB

Download
memory/4996-860-0x0000000000DC0000-0x0000000000ECC000-memory.dmp

Filesize
1.0MB

Download
memory/4996-861-0x0000000000DC0000-0x0000000000ECC000-memory.dmp

Filesize
1.0MB

Download
memory/4996-862-0x0000000000DC0000-0x0000000000ECC000-memory.dmp

Filesize
1.0MB

Download
memory/5056-788-0x0000000000D00000-0x0000000000DF4000-memory.dmp

Filesize
976KB

Download
memory/5056-784-0x0000000000D00000-0x0000000000DF4000-memory.dmp

Filesize
976KB

Download
memory/5056-783-0x0000000000D00000-0x0000000000DF4000-memory.dmp

Filesize
976KB

Download