e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 07:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
Size

36KB
MD5

afc596158fd44dbdf5153f3c9c4bb427
SHA1

51f3438925529eef80972b1263624470ec484804
SHA256

e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb
SHA512

2cd9c96b56e5ed905d59a4f01d31eec623f681dd14d0e8fb5729650d5ba66ad6d9a8ac8ab1bb8b46f67a0537bf951e3699cb763f4218c52665f865dd3e377d88
SSDEEP

768:ae2mxDMm+STZ5UW0Z080t0M0HX0+m0nkgygW+KuZNZq2:txft5RC

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\afunix.sys	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/636-132-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\tasklist.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\credui.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\eventcreate.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\gptext.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\msrepl40.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\PCShellCommonProxyStub.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\dbgeng.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\DbgModel.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\dhcpcore6.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\mfperfhelper.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\ntasn1.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\sdbinst.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\useractivitybroker.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\dmcommandlineutils.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\scrptadm.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\TtlsExt.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\wlanhlp.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\batmeter.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\drvsetup.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\MsraLegacy.tlb	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\NlsData0000.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\KBDJPN.DLL	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\KBDUR.DLL	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\rdpserverbase.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\DscCoreConfProv.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\IDStore.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\RegCtrl.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\SpatializerApo.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\dnscmmc.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\KBDJAV.DLL	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\ssdm.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\usbceip.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\Windows.Security.Credentials.UI.CredentialPicker.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\wlanutil.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\wowreg32.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\autoplay.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\clusapi.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\diagnosticdataquery.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\Windows.ApplicationModel.Store.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\appmgr.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\AudioEng.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\cryptui.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\networkitemfactory.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\SettingSyncCore.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\WsmAgent.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\DDORes.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\IconCodecService.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\KBDINTAM.DLL	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\KBDMONST.DLL	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\RMActivate_ssp_isv.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\webservices.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\crypt32.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\FirewallAPI.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\IdCtrls.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\mrt_map.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\netiohlp.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\WINSRPC.DLL	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\wshext.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\KBDCHER.DLL	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfcm100u.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\mimefilt.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\unregmp2.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\dpapi.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\SysWOW64\mstask.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\WINDOWS\notepad.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\winhlp32.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\WMSysPr9.prx	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\explorer.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\HelpPane.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File opened for modification	C:\WINDOWS\Professional.xml	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File opened for modification	C:\WINDOWS\lsasetup.log	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File opened for modification	C:\WINDOWS\system.ini	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\twain_32.dll	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File opened for modification	C:\WINDOWS\win.ini	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\bfsvc.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\hh.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\write.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\mib.bin	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File opened for modification	C:\WINDOWS\PFRO.log	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
File created	C:\WINDOWS\splwow64.exe	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
444	msedge.exe
444	msedge.exe
4720	msedge.exe
4720	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
3692	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 3692	636	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe	82
PID 636 wrote to memory of 3692	636	e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe	82
PID 3692 wrote to memory of 2544	3692	msedge.exe	83
PID 3692 wrote to memory of 2544	3692	msedge.exe	83
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 4844	3692	msedge.exe	86
PID 3692 wrote to memory of 444	3692	msedge.exe	87
PID 3692 wrote to memory of 444	3692	msedge.exe	87
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89
PID 3692 wrote to memory of 1512	3692	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe
"C:\Users\Admin\AppData\Local\Temp\e6f18b667446a3b144d5d77e622fa88df11b97332d90656dc02abb4700437dcb.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.freeav.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8f45a46f8,0x7ff8f45a4708,0x7ff8f45a4718
    3⤵
    PID:2544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11261576428192737583,532343901389571112,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    3⤵
    PID:4844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,11261576428192737583,532343901389571112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,11261576428192737583,532343901389571112,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
    3⤵
    PID:1512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11261576428192737583,532343901389571112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:1
    3⤵
    PID:3204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11261576428192737583,532343901389571112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
    3⤵
    PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antispyware.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8f45a46f8,0x7ff8f45a4708,0x7ff8f45a4718
    3⤵
    PID:4428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1444,469581010195668104,16109148805425457959,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    3⤵
    PID:4292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1444,469581010195668104,16109148805425457959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1444,469581010195668104,16109148805425457959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    3⤵
    PID:3032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,469581010195668104,16109148805425457959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:3160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,469581010195668104,16109148805425457959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:2700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b4b103831d353776ed8bfcc7676f9df

SHA1
40f33a3f791fda49a35224a469cc67b94ca53a23

SHA256
bf59580e4d4a781622abb3d43674dedc8d618d6c6da09e7d85d920cd9cea4e85

SHA512
5cb3360ac602d18425bdb977be3c9ee8bbe815815278a8848488ba9097e849b7d67f993b4795216e0c168cdc9c9260de504cccb305ff808da63762c2209e532f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
038dd916385b8007b6ad7e8631eb1ee1

SHA1
a2a661f7dd6d45682da86a75c971dfd60938e78a

SHA256
2f1f8e24a035845ac84f04405237f166b1b3c40fd4b0d1b8fb1eac3af666c97a

SHA512
b06e3e0ec92cb153567af1d2abaf5df47c78b19811edcb19c3b24862583fc6442bbf20a0cdaede5c0eeee3fa88c3d809f6c4d9fd4f0f4e7c26ef0fc562bdd4fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
67e4031c6fcc5ad2ea200ca936c8889e

SHA1
97f9f121f8a3816b7479a8a169aa497c6824dc75

SHA256
6df3ae5a8b55437772bdf951b5c0362469840f1740cd9cca0e5c5a76ae7defca

SHA512
003970566dbddca53f7087cbf6249f1035d57763ea0c8e57463d177bb2aa7dd3256f1872dadccbc1cf295df6a889273eae8a493b873e913832b4a06a1b6ad687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\index

Filesize
256KB

MD5
700c6b4c5ad5eafc382a1164d2a29dbe

SHA1
5163b0d111c1a8af7102147c3c1ac7b05db2ee39

SHA256
1650f7e90f8975846ca6f9434179cb6d6802e466f1b0511aeaf82cbc30122fca

SHA512
c396ba216022d9d53a6585ce69b47b74849e66301111dd3c03df5e15e513cfb983cff5b425abb6a2e9ceaa4a1b8c77325b1b007f79fd28339b07dd5cadcc9fee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
12KB

MD5
9de54385a910745046e055c7320908d1

SHA1
dd2a8b985f02abf31388b90504b09e816d010b88

SHA256
47782d1854f2e293fabeb714962ace47f0490ed2b7285510d53212bcfc78e3fe

SHA512
83e0f1c0f16f4a71ff64011fa22dda9a0f7ebbad67d7a3323a6e9475d1625944d5b60cc7b3337f1bb82130c8587b078ad80f8bfd2b9c0fa7f0219e7c17d1cfa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies-journal

Filesize
512B

MD5
44ecb918dc0f5bb4444d490132842518

SHA1
22722817c8bea42dcdbc5aa8a50d0de6cbcefba6

SHA256
45554cf760553680c8dade4693f6f79413be447f602f19c7f2f4d7cf8b932a69

SHA512
1f22a32b85048e1a30c88343ce4379281a1be951539ef1ff9be992f4fc2928bfd25221afb87c0ff65a2c14196f0ffb010c00b267da7aefd5e7e337f4b3519011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
cb9340247428cbee616ff7871d2d1ec7

SHA1
8edf063385161242e1b7ce61813a7b39c2783a7a

SHA256
cf5c9b3597535135f10ccf65360a41cf32c9f94a4bef7ae23828d075eb40cc2d

SHA512
9df6fd122cc62b26c2f6596e4a613f8fa4eb99859dc757e27463435e2435b017d2a60bcf40b9215ef9eb5ea50267d73eb7a56d88009c26f208f170dfb00a548f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
3ea84ecf7ae234e207b45852934fca1c

SHA1
889e78b0c9b8f6c61e4a64974b439c49b17d6610

SHA256
c87ff158354640a6fcf8b1e55ec856a7f00e1be3246134ce041623a39fdcf9e6

SHA512
77f77ea2b73fa3ee11028d163ea6628a2506a2b2232dbe27ef31392376c9c3c78f85fe7b35043aca550a9a6c66452084a6a6340d7830d7233b8f6f13cd1b3d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
344B

MD5
885651245a4e36276e58e0038ef74a32

SHA1
156b7c33819832fc5361474786f2c3acf38530e3

SHA256
f8ffa9e79ac60007b005aac28c6e733cb9cdb49acb26ab48c35d255b31989d2b

SHA512
b18651114641f70bf39a8fdeded246b704ca779073995601d9a46c57a51d32cf8c45220f8fe582d79561e614f0d59adfd5645ac7978109e0d814301bac96f5b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
320B

MD5
db7189ff576d6b0b4791de948d846e5a

SHA1
446d9ab0405ef8eb7e426bb31a5fe5a3d7945416

SHA256
d5361a3a7dfc47ab17ada7108aea0cedfbd21ec2718c33dd28ec7bc12f47ed46

SHA512
b68bf28d60e616dfc0d3f480fa367d9e4a0936e3a529db5011ad149411a6c2526de898cd1f8e10636daa4fd627374d5b7f7a7d41f4a1061ee979ee23b1d74e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
7193f0d851fd4099e756dae838c694de

SHA1
3bb21261ceb9eaccb99a8b31eb7ad4eb8f1570f8

SHA256
8343e174a909ac646a65490ff78c388a41ec7b960d31c3f38cb94201c68b6f87

SHA512
0b18625168ec64b699690053c029961f18c42e66161eef68f0654269db9ce7b0e3d16ac855befd313ade9a55ca79930a1c4e34afbe661ac3bfe2c34c096b421b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
4KB

MD5
d9f84c8cf73422f2ca07d7e7462b9534

SHA1
cff6e092bf5bf1f3f47b7074847e204042a881ae

SHA256
5bf7b14dde109f722782628bbcf3011a23cd2416e7621a62b49ee0333cdec6c2

SHA512
1ea893c62d64304c35b9086e2c7e760716ea5ce220bafb76632670fcd2f97eca5c6693ff98004a861b190060c47c9d97ac92b41e3b1da1a4e8f89d9638548c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-journal

Filesize
512B

MD5
03d09b47fe13354ca58da90b78e0709b

SHA1
f2d0c0a8cb901e75d7bfeab34b019008f47ebebe

SHA256
d42f71389a91253a7c7fc47da0c98196edaf878cb25aa783e154b8411c3f15b7

SHA512
22e0c6d288d333372e1d5b57eff8857930b936849ca7031c885388953656e90b90f951df8b45aa5c494bac1d7e594e9b5ac73cb8b23c3775db127f698da2e9f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
42ecfcd960f63f452c1acccb0dcfcb73

SHA1
731daf3ce573461f37cf884cedc1cdc0f5866a4b

SHA256
6edc23a0d76d0b05309999e0685874af78006b2b352010d0ac3077245e4063f5

SHA512
0e8280f2c75afd8c2e313adbe19dadad3ef91e2375f16f8d9bf46bd4db6fda44c677e6f9af9c1800ab6dfae933ca2c4cae9ae4ac60c62604ae0c881e92c6f0a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638060404679709082

Filesize
2KB

MD5
445f7caaf6cf9117ffb4715a4080ee2b

SHA1
17af4df14539eb6a27120d99979d07937947d2b1

SHA256
348fc3bad6b1e5445753854f2199bbb2ea51c45e293e8518cc088e718821621e

SHA512
8c0bd0873b094cb562f1210f4db77c1268e48c9c507f17229de192ce670ad3114d77a805cdd8b330b54deee997ae526ee8771abb5376a9df81828fa94bb4a34e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
memory/636-132-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download