hxxps://www[.]roblox[.]com/login/forgot-password-or-username

Resubmissions

14/04/2023, 21:00

230414-ztk9bsbh54 4

14/04/2023, 20:57

230414-zr1w1add3t 4

Analysis

max time kernel
82s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2023, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.roblox.com/login/forgot-password-or-username

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a4b6ed7f-9692-4260-9c57-8aff3e60ce66.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230414205848.pma	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5004	powershell.exe
5004	powershell.exe
4652	msedge.exe
4652	msedge.exe
2624	msedge.exe
2624	msedge.exe
3944	identity_helper.exe
3944	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2624	msedge.exe
2624	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2364	2624	msedge.exe	81
PID 2624 wrote to memory of 2364	2624	msedge.exe	81
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4952	2624	msedge.exe	84
PID 2624 wrote to memory of 4652	2624	msedge.exe	83
PID 2624 wrote to memory of 4652	2624	msedge.exe	83
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85
PID 2624 wrote to memory of 2740	2624	msedge.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge https://www.roblox.com/login/forgot-password-or-username
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch https://www.roblox.com/login/forgot-password-or-username
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa0cbb46f8,0x7ffa0cbb4708,0x7ffa0cbb4718
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,587946003979926011,8770550133488628250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,587946003979926011,8770550133488628250,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,587946003979926011,8770550133488628250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,587946003979926011,8770550133488628250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,587946003979926011,8770550133488628250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,587946003979926011,8770550133488628250,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,587946003979926011,8770550133488628250,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,587946003979926011,8770550133488628250,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,587946003979926011,8770550133488628250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3240
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7168e5460,0x7ff7168e5470,0x7ff7168e5480
    3⤵
    PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,587946003979926011,8770550133488628250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,587946003979926011,8770550133488628250,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,587946003979926011,8770550133488628250,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,587946003979926011,8770550133488628250,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:3916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d2642245b1e4572ba7d7cd13a0675bb8

SHA1
96456510884685146d3fa2e19202fd2035d64833

SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2d427322-5f86-47fa-b9ec-d1efbd1c1331.tmp

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
ae1417bf00568faa2c917a00ee8f7bae

SHA1
a5e2a60c8aa3cdd58fdfea35a8679a3ad5cfbefb

SHA256
5dff990cacf97c85bd2a1474814a108255af0bec4ede8aa8bfe471ad2b75050c

SHA512
98ce702b9022f5238f55ffe3fe78ec6344ff07f10ae3866a7345a72a503ad8341e02cb73a75c7e98c92104565f3dc9caec9fbe635a23f7b955ddcc04f8eb62b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3a42351b8d9fac6126d88bea51cc20b8

SHA1
8d13a58c2f7d6be828517e1336af77624546ed13

SHA256
62b504a0bdbc3c406e464f2be67b4c0b0ba00d9ccadfbcbe07a4a6a94d6eadab

SHA512
42105e3387fd83a3f1c100371376ca0d008e1252d2992cb3befbc9e32c8f918b87a520feaf49d2d11f14c556ce33a26850d82cd9bceccd3c00510931098dd96f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
bb46d855837d7fc31661ef31f8f45ad4

SHA1
ff0512ec4b8c471ed6bbe91a5cb879b511400e4a

SHA256
949e12f6e250edcae19d6ebdb1da8b7af06cdb9103d2800096c7c5021281c7af

SHA512
06baa4bb038bd32e792553b384a2576210dc4fba26ec59947e24ed863fcf929f2a2c2f586b38d677797cc94bb615908bce7733d9479484d76bca72ea3ea4f6bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
975B

MD5
ed588600ef23bf46ebfe97ca1097bfec

SHA1
698583cdecedfcee91c28c2d104a44f073261b5c

SHA256
b1a6f1900d4201e39d73de5fa874e7605509016043293aa66002440403bdcbdb

SHA512
31b2dc61ee2f57c38d705615a8f47cb3bd01b32f9382f10d54c01c484c1d54128568b0a7758f0c13f23a35cb0acf2e849b91cbadeb1baad7aa98f6b5a9e13e5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
8393d6359c2c3b0bc4fb326c21f45e4a

SHA1
fbc250497428b6585fde7ad1b0987e6e8d4ee2c4

SHA256
1a46700a4c88c7fb06ec5efc6964de094f4b4758ac528543758fda8c3bbf562a

SHA512
3061bb6e769dde92c214b4f4eeebbdcf7120d2ea45a34bc7955aad1265985c8acd9a91907a1bfe2c27b39991a21ef273b01ef76397edb1dddc81767a65de8b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f5b3e690c8bfaf146608327e8e33cfa7

SHA1
eb477e150cd05347ed44e7af3e5a1ac894bf4613

SHA256
13c9cab10f7c889a4347cf30b2c6e234bdce8dddd7c33a13b3d37e11c15fcb23

SHA512
b5499144d7ce4cb18185717766bffc55c6f348bb0fc15bfe3025ca36809ebc62c4ba61176c92314c27818f49eb1120d8d43e1105a5e1930a263325fdaaca53a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3e3ef50c00004d8ec5f6ff69c2a2fce8

SHA1
453c673f246539288b08fcbee1ef8cded853b468

SHA256
16f0b4b2ca83959720cdf4d0b06f1588cfcd73a052e9c47f78957865f0e59c20

SHA512
e47b4804c4abcdfadd64393950f8d7f2599eee833c922819250fafd4aa4b1d0f03753ddfc26e715ef20a6dda18f51b8908bd2cecd95875b26feff1434e19fd3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eefbef6211c49ded02b20d0c95a52da9

SHA1
2981eb2830e19126bd88b318596e36bae9a879e3

SHA256
9f9c2193e3150e8d0ae3c4c61a50549e59f4708b9f79a441b2d7057713531a62

SHA512
0be910542fc8c74a2ad0ce031fe2541f0ce9f199c3185c0725e2cf9efed1f3f4544082c3ae7113fafcb16a1510a3819a56d3b718c41a139970471eaf96e83a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
130644a5f79b27202a13879460f2c31a

SHA1
29e213847a017531e849139c7449bce6b39cb2fa

SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4e864cd9b69394c025503f072a5d440f

SHA1
44c88dd2f2f4fc907e171f7d706623379371bbe8

SHA256
10b98a8f672d9044f231635207cff79fa524c620151785d8c3d3b9c0400f7aca

SHA512
36420cdcec107d5f96cc6a344f8f245986c1f25270e0534c1f1c5c3e5596dc408d5aec1cee52a624cf05f63a49a0233309ebcd99e1e0483ce4cd22a89b39dbd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b3660072330196615199fb179818cdd2

SHA1
868af4efccfe1ea35aea13a27be3afba5e14a8df

SHA256
5f7d084e98037a91ee31a3c0a5871ee7653de9744ffe0a6e978b92ab85b8e625

SHA512
599d8fec46fc86b720fd42fa5d5da850d1652f2c5c3bd8247589f33369dc44515e629152480d7f64f7619a56e6b383f585957d2c8879918db7d8b3dd13a6d9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5712ad.TMP

Filesize
1KB

MD5
5888be979d44af9eb88666b0397e5e6c

SHA1
745040db2f6cfc0c672435e8ad44356419c18c90

SHA256
2d689fe6276e6643e7fbc350973dac51ad643b5a318e8768b4bc59513dba2201

SHA512
7c22ef84156378c44a9d24a8a0e76e55a0b7e7c752e72875875fc2dba18b7de0f772b5667b5b380528489fc6f59feb37ea58787ebdd2e1dd4f2aa766007f8cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
efa726e664c3a403ea5648ecb0b1e81d

SHA1
e5d60b4f680528cd236976933761faa164efcb0b

SHA256
b37f51ec885426aa04fa9abf79f7095b542404b394b629be2fcea7219b71928b

SHA512
1a546f33ec3e04cf1b79405f1e8700e31ca0fe85aa787e9ac32d7bafbafd21992f1abb72b794b67f0d00e7cb9de35acb0bba5c73da67d114fc4d86317d38d985

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g0tski30.gyu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
be077472947ab76063d6509381727a01

SHA1
0868f0cb884d1466fcbbf3ec85afb5a587a14920

SHA256
771cd389da4ff6f71fd5a2274e60a72bd7237549319c7c28bfc574cd485c3ee2

SHA512
1bfe3148fb2ff25d181ef184f671e0f68d02abbe7e725ae4babdd1ba8f26accc3715b6a0faac8e211c0cb7097e10aa3ec6364d6e87f868e1df4878f19dd2eeaa

Download Submit
memory/5004-138-0x000001D4D2F70000-0x000001D4D2F92000-memory.dmp

Filesize
136KB

Download
memory/5004-143-0x000001D4B8140000-0x000001D4B8150000-memory.dmp

Filesize
64KB

Download
memory/5004-144-0x000001D4B8140000-0x000001D4B8150000-memory.dmp

Filesize
64KB

Download
memory/5004-145-0x000001D4B8140000-0x000001D4B8150000-memory.dmp

Filesize
64KB

Download