hxxp://crt[.]sh

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 05:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://crt.sh

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b6885b9b-7f15-40d2-ba4c-b0ccf6bf3f63.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230419073954.pma	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4132	powershell.exe
4132	powershell.exe
2208	msedge.exe
2208	msedge.exe
2736	msedge.exe
2736	msedge.exe
4024	identity_helper.exe
4024	identity_helper.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4132	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 3728	2736	msedge.exe	86
PID 2736 wrote to memory of 3728	2736	msedge.exe	86
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 3764	2736	msedge.exe	87
PID 2736 wrote to memory of 2208	2736	msedge.exe	88
PID 2736 wrote to memory of 2208	2736	msedge.exe	88
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90
PID 2736 wrote to memory of 368	2736	msedge.exe	90

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge http://crt.sh
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch http://crt.sh
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffff1aa46f8,0x7ffff1aa4708,0x7ffff1aa4718
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8128142157409822729,2086715237567906266,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8128142157409822729,2086715237567906266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,8128142157409822729,2086715237567906266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8128142157409822729,2086715237567906266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8128142157409822729,2086715237567906266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8128142157409822729,2086715237567906266,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8128142157409822729,2086715237567906266,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8128142157409822729,2086715237567906266,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8128142157409822729,2086715237567906266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4628
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7c1e15460,0x7ff7c1e15470,0x7ff7c1e15480
    3⤵
    PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8128142157409822729,2086715237567906266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8128142157409822729,2086715237567906266,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8128142157409822729,2086715237567906266,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8128142157409822729,2086715237567906266,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=900 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
fe065df67031730448cb1d45d627e4d0

SHA1
ed1e743de679848f715849bbaa1b4fa98b6bc2cf

SHA256
109fd15e44d372c0d0c081585d2b06adb8397ea792c78772e28438a5308d7cf8

SHA512
f26ec28033e92fd7cc501f6819ef7270b6841fee41cbc5b0b3b0ee639495265eb0c0bc745b40b17c1f76a7eec02f75b1136807ad8eeac8ea0d750c45f8c971ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
569B

MD5
0ce432b9547ccf951ff7a38982cb316b

SHA1
f2b653b10fb12088e4e03acdb7fc1ad16dd247f3

SHA256
9b8719acd0ed2295825f7f8458462086227cd515df30d6ff0a2b56ad97fccba8

SHA512
163d0f61e11e4fdf4e12724aa1d8aa94b2aab19acffd11d01588fc53abb5d6f75be34085837904a9f4d868833e7393f5837c65c807683c12b370135ebf057475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
13f7cd59482fc117deb519cc1b6cfb38

SHA1
0f16713c7b670f56d4ae431f086465afb71240ad

SHA256
297b69db433a68538a9d5b1984f6e0bcc10787618d8cbaf916fad41518b38d93

SHA512
258c2b6de180fe204dd237d7445e2a0bd60aecbb2f172a8f6dc206558884744c08c6060aef2ea51ce68a6afab1a9a2338bc372bbdfc001fc875cfc6e21d8640f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5bd557e8ede6a873b58e53660ed9d0da

SHA1
8c0d04d416709919dc1c3e32862e75b26aee463b

SHA256
c1af07806095e377d20a0ec86fdf5c1df931681453c74457a705ffe3ca6e0fa2

SHA512
69745437ad60f8110fc2b94a664316007dba69a68c2616458be742a9d79aa9f734bf936b03c40849d92a9e0bda87a61ed212e291486be84c9a00251587e74c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38597db94c692f0b7973889fb3f33b1d

SHA1
cb089cbde67c4fb1a6b94ae484389bae4e6e1cbf

SHA256
062c0f23bac2eea25c508cc9afaae0577ded5d66b4b5f195ef0ae06683e24e23

SHA512
a8ebdf8a67f5a74d92bb2ce5a5d1e58fa0363fccbf1fe00a99b6c0b910563b467674bf9718b088f501237b123c8a8855ab0d6a7b2c840c9953990dd35479277c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
02ee7addc9e8a2d07af55556ebf0ff5c

SHA1
020161bb64ecb7c6e6886ccc055908984dc651d8

SHA256
552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc

SHA512
567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
455832cbd249a986b8c196c1ed321caf

SHA1
ff4c39465411752da64d8dabaac55f126e3600ac

SHA256
2d56e8ef70d027a40a4a825ce3c7ced0996f5414ca72ab288ae9f614e5baf604

SHA512
dbdfbdc0b7b9ea1ab1146e178a79743e79a19a455b06d7bf88dca217e2acc6a798a195a76817f3ed95b6f97e5c93cf59c52ea96dbfe0baa46fe6ee0f9b45271e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1a5de41f89dc37ee5df8d0669da183a6

SHA1
2374d818f4ae62fcaa4a97e8c749762787698737

SHA256
330711298a4d83b612419f868259a40fcaedb32ff5a623c14a7036206b0906b7

SHA512
af2a9ee5f3c9ce1dfbb30825888266ecb046bbf202a64d375345e076ab3533820d8b7778991e620f32b641db2015795a308504d836fa075bd6435063cdb2a97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gujttwjp.42e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
69f00167dee893419fde84f3666ad217

SHA1
8e7a94ed932f430ec9fd19da31a65ac77c189a1b

SHA256
604ac6e3970274a1249a707abdccd01f2864f9e332e011cafbb3804a0efd2d35

SHA512
c5756142be61efb3d1457dbaeba7a7aff5dc0c4cc802abb01e93b7b2aebf03f886c2a09b9112c2bad98f787d426c49bf2b1c22d9fa7d8689f8c7e3a13bb573b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
8b9df43024d4f4d95c8f0bb45d0d50b1

SHA1
e7a026328a1b76307f78aadd93f04072213a5902

SHA256
2c8ba83172edfbf5f71f8229e560e9edd8c101a21bbb2624e297075f14a30950

SHA512
d8a398c79c7b8392d5e286a3952f69b7a863f7f49ff76f1b8503f684e3499fc42a45e034ad91989c14accbba316980169f68ea020509099387d8d1ae7f77720b

Download Submit
memory/4132-133-0x000001E5F5A80000-0x000001E5F5A90000-memory.dmp

Filesize
64KB

Download
memory/4132-144-0x000001E5F5540000-0x000001E5F5562000-memory.dmp

Filesize
136KB

Download
memory/4132-134-0x000001E5F5A80000-0x000001E5F5A90000-memory.dmp

Filesize
64KB

Download