hxxps://drlindawong[.]com/xzd/#cGFibG8uYXJlbGxhbm9AY2xwLmNvbS5oaw==

Analysis

max time kernel
106s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drlindawong.com/xzd/#cGFibG8uYXJlbGxhbm9AY2xwLmNvbS5oaw==

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230323095442.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7832d157-8256-4398-a60b-74008ec13671.tmp	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

powershell.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exemsedge.exemsedge.exeidentity_helper.exe

pid process

4832 powershell.exe
4832 powershell.exe
3636 msedge.exe
3636 msedge.exe
60 msedge.exe
60 msedge.exe
4988 identity_helper.exe
4988 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

60 msedge.exe
60 msedge.exe
60 msedge.exe
60 msedge.exe
60 msedge.exe
60 msedge.exe
60 msedge.exe
60 msedge.exe
60 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4832 powershell.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

60 msedge.exe
60 msedge.exe
60 msedge.exe

pid	process
4832	powershell.exe
4832	powershell.exe
3636	msedge.exe
3636	msedge.exe
60	msedge.exe
60	msedge.exe
4988	identity_helper.exe
4988	identity_helper.exe

pid	process
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe

description	pid	process
Token: SeDebugPrivilege	4832	powershell.exe

pid	process
60	msedge.exe
60	msedge.exe
60	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 60 wrote to memory of 228	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 228	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2812	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3636	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 3636	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe
PID 60 wrote to memory of 2816	60	msedge.exe	msedge.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://drlindawong.com/xzd/#cGFibG8uYXJlbGxhbm9AY2xwLmNvbS5oaw==
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://drlindawong.com/xzd/#cGFibG8uYXJlbGxhbm9AY2xwLmNvbS5oaw==
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffae60f46f8,0x7ffae60f4708,0x7ffae60f4718
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6759f5460,0x7ff6759f5470,0x7ff6759f5480
    3⤵
    PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7452319128785743604,287931849615647474,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5a10efe23009825eadc90c37a38d9401

SHA1
fd98f2ca011408d4b43ed4dfd5b6906fbc7b87c0

SHA256
05e135dee0260b4f601a0486401b64ff8653875d74bf259c2da232550dbfb4f5

SHA512
89416a3f5bf50cd4a432ac72cd0a7fb79d5aeb10bdcc468c55bbfa79b9f43fab17141305d44cb1fe980ec76cc6575c27e2bcfcbad5ccd886d45b9de03fb9d6d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1a3c45dc07f766430f7feaa3000fb18

SHA1
698a0485bcf0ab2a9283d4ebd31ade980b0661d1

SHA256
adaba08026551b1b8f6c120143686da79f916d02adbef4a8d1c184e32a19fd48

SHA512
9fc93f01ab4b14f555791d757ffe881787cc697102547c61847552e597e206e70c6d35fedff559c72a0a67d1b95e769095ecb0a8a7d4f07cf58a7a0d57d3e9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\953b7a6d-52ea-4156-85b4-444d7151cff5.tmp

Filesize
6KB

MD5
fa62de4e7e506b69a055262de5ad908d

SHA1
463ddf50111bc2e9f138e96c17fa70e92abd731f

SHA256
9bfce9e47921231b9dc183783e5c20ed96e3b45e5a03b394cf701e93909fc605

SHA512
9ddca06dfa1b0a8fdb750a9d4c6b0aae7958be61e6ff85309637d1a99f8254fee12f75e3bce7bc326a5bb2e126b6bc9e874a4167bd2d5d9dfbb449cdfa3a3e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
30KB

MD5
588f010c0aa12a16be80141d1c0e105b

SHA1
1ec1237a7bde6046822d78adc7005fc52c01a62b

SHA256
da792c99188b907f0d275c6fc01c561d37ed02d87207f804d3b5bccc9c3ec179

SHA512
8837918683339fe8dd26dcd5e829e912e702a1c3eeb62461e9b08ddf4c89d5965a592f3a91053ee41523c088b7c3c772107d31786b8ef4dfc37dab79565d11bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
a3df1598cd49c8739e1f5e1f7f68be16

SHA1
3d2e7e00db17d8ae0ccc4a9f35f2549df88f7704

SHA256
22ce63869eba53fa4d1a14f17cb79b8216ff2f595517fc88fb291ec9d9054b5c

SHA512
0b0b60c3255be0c66b3eaf24ad8f99a12893c34616c54f8db778fcb074fe474258715d8ba7999b9100554c223a1c82d2dc90a63fcd35d191c11aa7ec6d5f8c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
d514027ea04c107a85a5af3a974eb2de

SHA1
310d05f6e388c9f5f43ff1f06afe6e35753f9d1b

SHA256
b28b6453e743bc77058b12dc9ae3b5f144714d47362e2404571d6b8426b3be0d

SHA512
1f5a285bf5cdb186d6b18e8a94211bfc8a4a70b761afe54439702eb89522be42827e853785743fc7961e9b2337a49d7f76222bc9444b562cf5d5e3b415554a32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
cd55d144e65389cdc908dc5c2f8679f5

SHA1
862782a197d47c58d13883cb73fceb82c73ca5fd

SHA256
e74c2f082952ed26dd67863ab0ee6b3ff5c74701a179dc14707f4cb046c3e7ce

SHA512
a27dc35ef749b687b2534fa3266bd1e308c1abd1f818b058fdf88848ffb0b3a8413bfe93536ce99044b6791384e1abfcc7d9b2a0b3444285abf2b5db81404ce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
9006b0a766d50f505648a1b8a653cac1

SHA1
d13e6ef47a1974213afeeb661ee9da997612b9be

SHA256
533d164a890dbd2622c51b7285f2d85c91631e9f1c577a7f06af6ea3c49a9af4

SHA512
0145db9e4cbba20175cba22a38561e93056ced966e7b5c8444dae13d8f69ad5c7bf428bda600d5c132fce50e25f926e28e8424ddd6b15dacb453ca33c8e2a269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1c8dfcec7e59b2ad818a676ced92cd5f

SHA1
0032bff659bc3ae2117083cdc3eb59c3540a2b72

SHA256
03a81a4e82e46e193a7e8cb40bd41ce8c1b89d44cb978218b10a3d9180bed551

SHA512
c8f10eef43406e3ac0259a06421ad30db3e205b6ebd18523594836f5c53ea43fca902e8e6131aaf1723f18560635cf91a2dbe700977a947fb83213491eb84b09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
59eb5ef4c02110908dd16b277ff3569e

SHA1
4888453cd61d1ba62575609e3267c750a36b3228

SHA256
3cebf7ab60f7160e614c9df9e2052bcf80fb0e444bcd92e57c0f1c34f09329e1

SHA512
d92d419142114535dcfe0ffc6d0ac710c7764541e21a300d08342add513a6a33b170de0fabb88b3e06bd33d259a34bba8bee70ddcf1643541c4d8b15137ba91b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
09651947d1222007efd3116e19c8bca8

SHA1
2bf3b8d7cfb486e3ffa0e8da0502a0559bdd3a06

SHA256
7905253f0a9a68417dfb335b49d9690c83aff8d206756d5af364c7c85765ebfb

SHA512
c05c9f85fb140657940af942fd63538f3451c7ce0b6e091005df8189688bd84b07b8e64b786de4c3f44d515b227819188d32ab3a908d3cf1f1bb36ea7c0b4ce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5400235c163ca3dfa7c0364f16087731

SHA1
d92598b43fbe68bd275a0865a9f36262883faecd

SHA256
a70bf5a3f8ed622b4371e2592a4c48933dfc59f59df9a2ebfeee7e9d75ec7b9c

SHA512
bd69e368a61be57b48f77de7acc11ee4ad4052974eca4da4366feec7c7635db3bf07a020452d0454f10f6bad551e0cbc40f6091a078229cd2d3cb8ab3e024319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5edab6d3ffbeee247ccb4423f929a323

SHA1
a4ad201d149d59392a2a3163bd86ee900e20f3d9

SHA256
460cddb95ea1d9bc8d95d295dd051b49a1436437a91ddec5f131235b2d516933

SHA512
263fa99f03ea1ef381ca19f10fbe0362c1f9c129502dc6b730b076cafcf34b40a70ee8a0ee9446ec9c89c3a2d9855450609ec0f8cf9d0a1b2aebdd12be58d38c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
8fac4b414cc8d76ec14cadadc684c0ae

SHA1
767a58ce5d34780430e1a215364dcb75642d0b85

SHA256
6bab46beb6ab41cea17d9f3df236fed8e6b2018b18cf54149c163a055a8f57c7

SHA512
6a85e571e27c8d829ba01fc4bdc5e9c2273358502c735c8fca0656042a896dcc230fed62c775abc3356e0b9d9938e15f0ac4897c49c40ec2de76c6697fa96f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe575f66.TMP

Filesize
203B

MD5
223011d73517b1f2d13ea0890ea16041

SHA1
d82fe2c47879e1e34d2086e13ef18be0e6550b62

SHA256
2e88510bbe9b1c9c3e0840264b85f77f84eb9fb502ba8de65fa862f68eb922be

SHA512
e1f4b7f6db0bea96a65b27c4cb8d424160d44684b727c6e435c10b2015e1c60a6eb055112ef66d83b87dd89d2ab7c5b6aabba2e017a19dd4c0fec3f71506533a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f18edd4c026d02170472d7366359ae6d

SHA1
d3f1047b7e1da4c0c8e969ac1797cc8f9b9283ce

SHA256
59ab223393de2c54e6da075aaa0feccd145d7f2b230880a82e0c06e4c83d170c

SHA512
b6465e063d62e2f397ebf17d7248e2a9d0a2280cc36495b64e090a05a24bd806fc15d377b22547fbf0f12831206281a1590bb40977f2b6f2c4be28851dde1d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
710d6102edcf25c8f31a19df3198d292

SHA1
4f1762b49ec51eadc7868082cc0005c20f44f45d

SHA256
7e326b6c0a68ab86fa0f8a32dd8daec192fac7c3fa6dd677806db3ebc69e1618

SHA512
ecf1f880e4c946b073d358254d4bc8e754eb886511d0d0efd8d100ca6bc83fd638dc37bef33c01caaea9dd32cac37b9676e17f687edc197ec7265d42fca9ac3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yikaqdz.3qy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
923c7edaffa5b7bc1278e70905c13f82

SHA1
f45744b8311565656271f57071c9bdbbbc51b6cc

SHA256
295b61e5c2e9864efc3941a6b2cd24b8a79fc69865c5f20224f0e2475fb8f934

SHA512
b192f0df674c01f77c7a945c95bfbd6a66aeb62a7297b43a55ad38105ce38ca49389cc82a458e75926a4fc92cc5bfaaf7edab960f45404dc80305ba6b3aa93d7

Download Submit
\??\pipe\LOCAL\crashpad_60_PVESSAUSSFDFYLGQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4832-143-0x0000021EB65B0000-0x0000021EB65C0000-memory.dmp

Filesize
64KB

Download
memory/4832-147-0x0000021EB65B0000-0x0000021EB65C0000-memory.dmp

Filesize
64KB

Download
memory/4832-146-0x0000021EB65B0000-0x0000021EB65C0000-memory.dmp

Filesize
64KB

Download
memory/4832-142-0x0000021ED1750000-0x0000021ED1772000-memory.dmp

Filesize
136KB

Download