hxxps://charlemont-my[.]sharepoint[.]com/[:]o[:]/g/personal/dennis_annear_townofcharlemont_org/Ettn6M3F0rVPjl5sbLxjRVYBsI2x5JrNE1LR1FSKxvNXCw?e=5%3AvdigcO

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2023, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://charlemont-my.sharepoint.com/:o:/g/personal/dennis_annear_townofcharlemont_org/Ettn6M3F0rVPjl5sbLxjRVYBsI2x5JrNE1LR1FSKxvNXCw?e=5%3AvdigcO

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\879a828d-18d8-4690-b6b3-617f534766d3.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230324225949.pma	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
412	powershell.exe
412	powershell.exe
1952	msedge.exe
1952	msedge.exe
4000	msedge.exe
4000	msedge.exe
3696	identity_helper.exe
3696	identity_helper.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe
4620	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	412	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4000	msedge.exe
4000	msedge.exe
4000	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 2488	4000	msedge.exe	87
PID 4000 wrote to memory of 2488	4000	msedge.exe	87
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 2264	4000	msedge.exe	88
PID 4000 wrote to memory of 1952	4000	msedge.exe	89
PID 4000 wrote to memory of 1952	4000	msedge.exe	89
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90
PID 4000 wrote to memory of 4340	4000	msedge.exe	90

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://charlemont-my.sharepoint.com/:o:/g/personal/dennis_annear_townofcharlemont_org/Ettn6M3F0rVPjl5sbLxjRVYBsI2x5JrNE1LR1FSKxvNXCw?e=5%3AvdigcO
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://charlemont-my.sharepoint.com/:o:/g/personal/dennis_annear_townofcharlemont_org/Ettn6M3F0rVPjl5sbLxjRVYBsI2x5JrNE1LR1FSKxvNXCw?e=5%3AvdigcO
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffca36246f8,0x7ffca3624708,0x7ffca3624718
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff768e95460,0x7ff768e95470,0x7ff768e95480
    3⤵
    PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,4710252939136280966,2596879545840369269,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
ec463dca744e80f106e48c41bf944946

SHA1
806d9daedaa64b607a894dbc28428bfad6d1f0fe

SHA256
19f20f9d8290c852e0ab134fcea349d662b1b788fe26f70855d004a860dded11

SHA512
4bbb5364185f94f798fdfd4486e6ace2ead18ced6b240a3dd754ebd77022e7b5667f25021714514c50ca08568acb8ad76dc4cff60d057a29e5720e4faa25a98d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
30384c575a0b3d0813e6efc4f490fe4f

SHA1
9b8c750e1aec13fad16bfd0b2a270f7ac9b23c63

SHA256
38c0ab2a496cd99078cbccbcfd4cb68026d961d0f02af4d191bc4452edc71f3f

SHA512
9fb336eed1d0586f5d9132f2b06987b512b263ad35891368a2d7f8750396a1b457a204c7babc90867b818d59c86d9016731f5ac3aaf00cd98913b5d153bf6847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
b26738e710d9d8836cc54acc603c2c95

SHA1
9f571a8d931bc7ebd00e2463b561c81a11f385cf

SHA256
8ef413467b7bc4d22708c73c84f6fa53c52a6021d29d95c7d301597f29154630

SHA512
56b4683a5274462ab8d173e2cf02447717619caa4686b05ad4ce1053b34a6c680549368b3146635f496652fb643753c816002f4e9aaa88f710c13c9aab701382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9d5296ce9fc4f9523270a15679b2a4e8

SHA1
3b6121da8b59e25cfec0227d6fe52cc725102a03

SHA256
b99349cd70c1e50d75b7c2fad6453b521611147dce7074c63f8e928e8aae3aa8

SHA512
fa8e4f9aabf3bbb072a0b5ab23cff6449159770112572187b48a1a9a5a8ce20aa71bdcf56afa8d721f3a43c597f5047f34a52fab4d3d1b753b10290ca4d6d20f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
482bc7ebea14aafe7fbdc76d76c5f779

SHA1
76180768c490c372de7d8408084289424ce01ac8

SHA256
02b9d79f083c33d1e378f11f2978581bd6e15c9ed289c02b4e5200495fb7d426

SHA512
0b0e60304b6df6beffac362db6185db84d9de60be6e4bb8a79831f4ed057d69916344c2f4758fa59a7486414517020010b1d33cdb3fe437d6c429f7035da06f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
94ef41b23b14090b7bb269433c071ea3

SHA1
55213ab36aa24f7cea26a1064d5e811db5e1cf82

SHA256
7ba25b6e3a41d15a353ed1e90f02294214792d236dcba1cf053162af09268cc7

SHA512
a2deb5164e5499408a0f847caf2a722555957cd9bef1e81f1793c400a6aea5fcff10f24b32eef86fc46f680f3ace545d1f889ebda0ecc58b086eccf4471ec48c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
48779830df149c58388a98731549242b

SHA1
8fbda2771f6af782725ac6aad88911fe447d24c6

SHA256
d9a1e350f0087d22389c36b1bb183d8ed05be0a6c033baf2ddb5ac051c43d6d7

SHA512
d86923dea0376ded71500907219263b682c0a82861ae1570206bb070fca209f097ef4af5390ea86f1aea63daacdc17afd6ff270db8f745b54c092a69f1ebe1d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f89083d979cf3be6c64d85b4fbc4855e

SHA1
e4d5efd5387bc60cc0b14c2f293cef19223d09f4

SHA256
071ac56ec8b95b2e4a94f99fa0d57c776ff10cf495e9d9011c6c13eedf451a14

SHA512
b8d7ef2a2d723ac74350b6563178b30587ae96a2b3fcc68969744d8eea14ed91875fd01e4db0de4a984b255aed8c0c6b6e0563001384e60355e42d0376c36595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
31d7ee6aa88744a1df7dde721afc003c

SHA1
f575b1dcd3c4a90311686131020c3ea65f60c2ff

SHA256
397d3a55e3e91a2367bfc4165098eb9bb09074fd6075a8d434b683302ef0bc7b

SHA512
c60581e82a902ee5d9398d876f9f564dc9d80de721d5261c1d7ae111f40e0eedf229018944b7af4263b1e1e6bc60c31f10467ebb789089a59c4c9acdd87a0234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1463bf2a54e759c40d9ad64228bf7bec

SHA1
2286d0ac3cfa9f9ca6c0df60699af7c49008a41f

SHA256
9b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df

SHA512
33e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8832dae5bc5cbaa9f935e7c1877aa660

SHA1
67789f43b3b22f723b7dba07f480b91dad0aa2bb

SHA256
43fd95768817651f05c216e14a2e31442fc3b0bed2dcf46211265ef2bf145f62

SHA512
253d6f313244c29acae57ceb20efe1788a211d98c702e53452a7320e4b267f31d50fb4cbfb0c7894a9c3d7c8b4916f930d2e74c5bff0a45aeffb74e388b1bb0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a7a0b94b9f79c29293f30570f115fc31

SHA1
8b0dfdfc88a3b6eb52079a32f8bd781b47a43594

SHA256
028209e76e551ab02b5fb6a8244dcefc0e760c4a957a156327cb9542cdce1769

SHA512
ee5c09f8af37ba6d517efb4326725a7493133eef88599203d32940aa668837d6943f68efdf511554dc0c8104bdc833075eb8f9b96d6c3b5ff33557123c288c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4b9ca6c117e2019359b849d1acba626b

SHA1
9835f4a86f0296a558587019c2a8edb72a23a9d7

SHA256
4b39a94ff77e8cd6b27957736ac4a35d6d738f33ae83aa2558dfdabaacab02d3

SHA512
b85a7a988fae7af63dd4c393ce51b9f6b4ee3a68035dc644eb6ce4384f8e70e30b71db0bfc18f28530f31030c3a50522a495b72eff6670d38e54a703e49ce644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5d14809422fd6d8ce3ebcb0fada83d96

SHA1
d3800da40575ca62241eba2b8bca93d03cc0084c

SHA256
1dbcac840f2f798ba028c6cd3f7cc8841b299dc35ce42e8a4231dce23ce9363e

SHA512
90ff67c88e9fdaf219a76c5cba4be3c3eecedb2c833ee6e893438df1d1609712bc4f726987e3d7e81f03cc56dfc22ef0bccbe5c76e65240fcd2526476e69acb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ad887f9c9ff1b422e09517bb69640639

SHA1
c69992f6705db738f7457c16cf56d0b626edb627

SHA256
9f4f8fef2070018337a55080c55a17bbf8e596ab02e67ee7abda0d819e1f586f

SHA512
0ea29ac27da6e17bca7b855ef186cfbef08ac5add50fb5355916574dd1866958059fe861f532dd8c112c144b13dff74638db355c872817230786a0472fdf441d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe56dd16.TMP

Filesize
1KB

MD5
7bf8d2c278c6b754311f81eafadb539a

SHA1
f850e1c5d7712dc253c16a934e5936f4dbf97f51

SHA256
fcf7351653549a1e27c214f3651fed2650f7b48a5fca6f10fcc1951c1bb23c49

SHA512
8d0404b4bdc0c3ff68de3477428ebff5b88c3b401c87315864ac5a30614227382fece56b548c071aa5689c0f8ee1ef75dd659e4445cd7fb3b303ef459b355d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
83bf6b38783f458b8a020216a4596d62

SHA1
0040e1afeca4ca5944644a60fd4ebaac7078cd4f

SHA256
9e39c9e4576fcb37e6686c1c7244c5c59ea27bceb935f3fb645c7d6a230d17bf

SHA512
c468d82b699dd3fac50c0e380318ca33129976e5cc6c59e3d536c3a501920ebe379172fadcd3bc04e7331a191c0f50acd4fb75c981a19edd76002c4f24d0ab42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
24f1eeb7e91c72b1978393cba88ee8b9

SHA1
aa92a1149918715e88cbaa3fcbb35283246e44c8

SHA256
b9d1716817813f276faff4c0131339fd8719320e6d4ccde29d1094cf40c07787

SHA512
0205bba0a38e750c620b83e697fd04132bb5a57743dc0ef0fd1e880e48650419d412fdf71a555a4e5b93896eebf4fd6c475156aa32072966fe13764ada566f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xdwzlgvj.fay.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
e3b56b3dfee88edd31173df1d67bddf8

SHA1
5ad9a7eff0c166963e63b7fb41d80b5b552cfe90

SHA256
73f33db2fdc5b63ee6b7ced6097d5cc7d26252a2b2cbd80718f286f94c08c2bf

SHA512
78d47081122d7d4a6533140619136703315e8bdd72e9fbad65566b5876363fa49a9173be86446cae4e627e551aa709422a890fef45a8849b3162bbc68cb4ffc2

Download Submit
memory/412-133-0x00000298D61F0000-0x00000298D6212000-memory.dmp

Filesize
136KB

Download
memory/412-145-0x00000298EE800000-0x00000298EE810000-memory.dmp

Filesize
64KB

Download
memory/412-143-0x00000298EE800000-0x00000298EE810000-memory.dmp

Filesize
64KB

Download
memory/412-144-0x00000298EE800000-0x00000298EE810000-memory.dmp

Filesize
64KB

Download