hxxps://u[.]to/3JZiIA

Analysis

max time kernel
140s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://u.to/3JZiIA

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 1 IoCs

Processes:

LogonUI.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini LogonUI.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	LogonUI.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 52 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "235"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "7"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{57af6234-0000-0000-0000-d01200000000}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{57af6234-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 01000000000000002dcba9b37863da01	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{57af6234-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4344	msedge.exe
4344	msedge.exe
4676	msedge.exe
4676	msedge.exe
4324	msedge.exe
4324	msedge.exe
1016	identity_helper.exe
1016	identity_helper.exe
5528	msedge.exe
5528	msedge.exe

Suspicious behavior: LoadsDriver 10 IoCs

Processes:

pid

4
4
4
4
4
652
4
4
4
4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4344 msedge.exe
4344 msedge.exe
4344 msedge.exe
4344 msedge.exe
4344 msedge.exe
4344 msedge.exe
4344 msedge.exe

pid
4
4
4
4
4
652
4
4
4
4

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

LogonUI.exe

description	pid	process
Token: SeShutdownPrivilege	2552	LogonUI.exe
Token: SeCreatePagefilePrivilege	2552	LogonUI.exe
Token: SeShutdownPrivilege	2552	LogonUI.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2552 LogonUI.exe

pid	process
2552	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4344 wrote to memory of 2248	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 2248	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 1356	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4676	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4676	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe
PID 4344 wrote to memory of 4876	4344	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://u.to/3JZiIA
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9dc446f8,0x7ffc9dc44708,0x7ffc9dc44718
2⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,6183259699950100025,13273880423684028188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,6183259699950100025,13273880423684028188,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
2⤵
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,6183259699950100025,13273880423684028188,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
2⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6183259699950100025,13273880423684028188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
2⤵
PID:1320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6183259699950100025,13273880423684028188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
2⤵
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6183259699950100025,13273880423684028188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
2⤵
PID:844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,6183259699950100025,13273880423684028188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
2⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,6183259699950100025,13273880423684028188,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6183259699950100025,13273880423684028188,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
2⤵
PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6183259699950100025,13273880423684028188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
2⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6183259699950100025,13273880423684028188,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
2⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,6183259699950100025,13273880423684028188,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
2⤵
PID:5728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultba0f72eeh5546h4194h8170hbcdff15d862b
1⤵
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc9dc446f8,0x7ffc9dc44708,0x7ffc9dc44718
2⤵
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,1211405169735236170,13668619966982812612,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultef2204b3hb8f4h4480hb651h29baab586270
1⤵
PID:416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc9dc446f8,0x7ffc9dc44708,0x7ffc9dc44718
2⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17537360441709856961,10824341760154673979,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
2⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17537360441709856961,10824341760154673979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17537360441709856961,10824341760154673979,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
2⤵
PID:3136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5840

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3962055 /state1:0x41c64e6d
1⤵
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-3073191680-435865314-2862784915-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg
Filesize
343KB

MD5
28958dd2b1b25a05dd0d45e5d085b1eb

SHA1
6f205b9edf0e0a4b78c77538dcdf7a249eb07c28

SHA256
38933c90ebb55aea790cc3a1b8ba882f3f9d92cd63e13f14518690240c787012

SHA512
bf67f3a27c7e3c49f4c31535d2f23d512851c39cb39530fe1a2ec6262d556ce1c7efa8c35718a6574f9e378446a83729f6c378a391e68db18b4c814222e35409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6cca9cbe1a7caaa218dc900afd76079c

SHA1
18f2330cc85a7568c2c4df44311937d3efb3b211

SHA256
22d2f794cd58e1e784fde0cc72ffa59233ed8cac017e570c4c6d18f90fb0fe4d

SHA512
5cc5c1260f6420c6c00d3d89fa71085918285847b73383920ff1fea0faf8ac74d19410a6212e3781c4e152342dc13fa3fa943ebadf361deeabf66c643bdfdbde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
39e5f7d169a91e3a8fe202d6c92e35ae

SHA1
d6fa61b25d54a363dd582fddb8f35a8b5b89644a

SHA256
1e6f3662cc0e6c833350ff8e726d85153ee3403ecac5b3ec8c1b50b429a92e64

SHA512
78aaadd80c0df4a1aee9a3623c53a9f6c596879a3edaefae8f6304c9b4f8954055a04a7f6a8009b8dde49abbce5dbc215586c622566934c3fc4eb635c21b84f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
977c84834d4b97e5661f58f8d641d7a4

SHA1
d2def24183d3ff1068cc26be47e3ecb7c632bb7c

SHA256
96c077950f038e4db7115723696fe7561c92b8ed08b59ef6a69009bf6b359294

SHA512
495aac371aabbce3d3e6eb07961ab3c206986f44a74a6c6fc40d07a260b037205eb9d9f3c4f5c065706e6b189744b998ac04e2239f0a71f554ab5dbd443c98d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
504B

MD5
e793c6208ec89e0f711b7b93b6445751

SHA1
18bca4c09b3b08bb9c83cf92cdae0d4877e69ce3

SHA256
fd1ce114119f713cbd26d032fabdfb536a528dc222fc1241a1b6506a55de18d5

SHA512
41dcbc1d280d0d6e6b89e7952c8373519868f641991957350aafc5df3042ec6b4b20ba4531cad3dbf6672f90197dffeef05d4d38a27525fa9db9c1ab577c56b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
730f4644d91eb88ddf796c8bdb956e03

SHA1
176cfc03a9e057ea0fd2632f4e2d299e579c0a50

SHA256
71c694eee766787a295521084bc647943f55acf7a8beb358c179056c972d8174

SHA512
32d645496859a350e7359ef62d934ffdde80afd39b87b1fc164085c5869b1e2838beafbf353f91637278aa421f89cb82daf41c0cde773bec9fc90112dca9c84d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
Filesize
24KB

MD5
0786bae124076539ed341b8f07d4d7c6

SHA1
54c88ac4ed4f37de0a3673128499ff8728e803ce

SHA256
3a6efc2d62095acea4bd4ed1f8080b2d692d626b16587b7bff83638efacf560f

SHA512
2c423a3e14dd20beca16ce750d9ed12f4f4c5eab164e099c9fcecfc44f20968998d81216dbfa59d3efe2b550a7419319d61f624c256b9972e38001740ada31a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
124KB

MD5
358ac37743a9658599cc42e3058d3ad3

SHA1
2605e1dcfc3952cf9970954243da6aa3f21d2c87

SHA256
068f1fb02bdd4f03e48c0632f74c13d56e7065411982af3c94011af3689d8592

SHA512
4567e7d50b0bbfcca55945b3d7063edb48611c2d83d5e48cf88a0f700c2887b308bba3e70603948a781054969624619fbf1d18072118c68d3e6bbf48292b016b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
Filesize
366B

MD5
1f31433ad6cfab477c420275b7633958

SHA1
f96197e4136b743d307d1f32c57806ed12c10256

SHA256
46805699a6ac16858688ac09c87c9721726890a60f307cbe6b9f1df83eda8849

SHA512
5405b5151d6a7fcabcac7d534f732d54a8822e9efa8d772136ba1a174db15ac575bfcf8327868f9891297bfc26af6bc60b597bd0e0a89ce0e9d0230f4fbb16e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
331B

MD5
c3ec0a28a0f3d9b71b83fd3752e5a13a

SHA1
0ac39e8f66de035b0a4a99914e94fef90329caac

SHA256
5e510a2aa79830a0b8b281db4bee020a3a56da61577a7319c52e34bf0c5af03e

SHA512
f91c921fb3222e45089eb1eab6ff56a7c21dfd644dbde21c4af53253c55dd108762147ea3c46bb11f0b8b7bd281c7e4c2748a70076fe2713e0681542c734d6f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Filesize
48KB

MD5
b2838bfd71c6edafdc270c46f6b8db80

SHA1
48eeb5ab00ea77fa0e795e7f6a9aeb9f31e163a1

SHA256
394f337bde1dd9460964d860e9dab75fa8a57b43dc7b35290fbab08061bd9afa

SHA512
2847c5ec5a4e05a0fe22a7d34780e578e0068df80b63c5fe5c41dcd577b527841fcfda4c2483baf27604b660b76c41cd7ab7a1269d79d71d407775d93d7d3b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
01e2d6f5a9a7ce8445820db8fc4ae418

SHA1
860044dd3bb76dffd7b4b949fb467fafc491cef8

SHA256
b764a4b13f693d3d3854281ca53f4b911da77a41f52ef8f98d2deff8408dc34b

SHA512
31c62027b59b0b395b34d4a2d3a508d8d3fa4876112db851ffd6ef2559926fd8acb2239e942c68a0d1fba19bb6bb0f7847818b97acc70586b137df00d679956b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
d0734bd3e76b35ba6e3b0b4312ed1f85

SHA1
62f85297357608f5c5a2bed46bc2eabad027ef8f

SHA256
7c289638221fa2fcb087f352648fb13ecbb20c44ae92ac345f6581c7e5c9db9a

SHA512
83a27826a2755f1b1fc8ec5c97ffd56c83342160525d77cc4c396b045936fed3efef2785a5c34564ec4dd2813a271743891ef7bd25a81f911fe8f10d7fd1c359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
7bb3d396040e196bf56eea8920bfcddb

SHA1
aaf628354d701cbd3b10e3e0f3f51815bd264768

SHA256
edad0c05361caed27ae2744c65ac2c0c174e444e812bcbad19c6a651db161f6e

SHA512
193fddb98806ab303547a07227cdc12e3b1e8815215e6b8640432d6416941534d961239829273c677dad5b83ce7fdbb40a02d384b663947fd63113aa3e66caa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4be7be63ff9b08aec84670e1cdeda8e1

SHA1
eb390b7db3a50cfe8775fe4fd4a07a443f0cf559

SHA256
04b2688cba4cc3de1cd04ba0f8463446c97548d7eee43256421a80cbc3e1e180

SHA512
3811033aeed4fabfd241716c7b01e70927a91f076a16b48ba2169d58326ec7eac1c0f3bc5ad94a5b287750bf020278b4cbebd59b81d190a602e34706b6371302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
53971d76dec9c70e48c1f30501698bb1

SHA1
e6207bd3e2fca6b58a6beffa5588466e2957e83c

SHA256
08461a23f78aff57f953309088f02cc28c61f1a6c647135b249ccfc5bf1339cc

SHA512
77bb4c17b9018ea92ed7457e2f298618557212888ca06b5e166fba7667f9bbe8d3f5bd2a19ebf5d64afb4dd1beecddb45e3d52f8ad066376bfe62d7dfcef4c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0c04f96f6295a9179c41072ae59c242b

SHA1
26018ad6685112dd76df32f354cdc1102a7700a2

SHA256
f72d1883c61d9335cd8812d6f97c47948e5e0d3780e405c51d04b9e9694e7a95

SHA512
0b31d0c61f293d81b61c16a0512eee5425cc2099e4511dcfeb37768701d2d572affc0fec75336bca5ae20a92c9bd3a69d32d9767c4204bddab12bfccfed464b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e45694898501a3e59574489a12a0d857

SHA1
5aa654a3f2ece9b11df0a1bb1c44170facc7de8b

SHA256
0b80925d5bf0647039744866dc8df1806d41497421f24fde4b5749acfa83365f

SHA512
b9ba6bc0d52ff0379dd805cece563bf1025cde15c98e3d8ccaf88930a960b4c4513c69e774ad0219d02ceaad97916504e3e0a361f0c2fb13a8d0a4b393c11179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
3b890ab4de04b0c56edccbd239428aff

SHA1
bcbbabb69e6404a84b59d7eb35fddebd2c4240dc

SHA256
605293666e1b710ee079b5a235c354b33f173376fdf32a70101f19b664fa4c23

SHA512
98703acb2905e56bb485f8732cd11fa7077587b2b6d7877287ddf7c679f2673a122440685c62032dd15d7da645edf1db7de64a26a58a6ffa55281992e632ef49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
aea1b63524da12976dc761f3c2e00f58

SHA1
56a425e8b74a88f52efd338b22026826309ffd89

SHA256
cfbb9b9ca6d88608bbd9ed92a42ead07ac545afd7fe25cf85fb0f499b0a54415

SHA512
84e725f5fbf31d3884d1593dfcc18d72c76df8c4cf6157a4cd351c0bd420f9ecacb7c27597e0bbd4367cf2b0960d5d10e3d20dcb3b98f5ce15b74acb12f8281d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
0ca8975117e07e72153495949fb40bdc

SHA1
9144c17aceb6ef40382b3f2911d9772f337b7959

SHA256
5016e75cb3fb1c5c3f3b74045c577b887af9ea4e76265c7b3fb300c06c37a88f

SHA512
57fe50ccdfc73049d67effd36bef5d06cf257e5762a9eb9bdb937a3265f91ff70c31c6e1c4cfb6002ed9e36fadb01f879bc7e81a9cd55722c33111ebc4856302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
e029efe70912cf57d40d04c01776d41d

SHA1
94eba5604a8e4523d23565ac3ebcdcda4005e4eb

SHA256
57cd696aea3594a27f18b3636da302823ca687c6a326ff9ed2b578a23a96ac37

SHA512
3c380b2c1530a103030562135f9b71eb36a15c49ea96082f64f717e7045ea578ecbec2d1f53cd569d720f7e37a3c091f9bc6ff3dfecde6775658c1c51a03f01b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize
112B

MD5
6ac701b203a9bf490f92a4ae8f850393

SHA1
7ba9e0644cd82509b53357d7f4838ac8a84bcb4c

SHA256
df748ea04e44a0f9ee260550550e18631e259166a6769553a9cf1905db6ddd3d

SHA512
19a4165a391fc9c8f27d2c0986791ba6e6f35eb421130a87d3b7f46f519c228eb65049135bec12bd3c9916a4555265d970043e9a09a99caa7581d7dd9617f0a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
347B

MD5
bd9c02944c311fb60ce369ce6824f348

SHA1
120d376073dc3ac69291a52bf4db7fabde1502a6

SHA256
6cd656213fcc4d0388e5296636961710c4953e7501ee5022bff1e147ab64c155

SHA512
738e915294365864d43ee857ec1bab6ecb39cd6cecb45dc6d0758e9de2f220016ca1856f925f2fa95aaaff73671249540a6be116cbd0c168b83a9815c46d1788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
323B

MD5
a1b9a93715e1b1f7cc868483bed5d8ca

SHA1
f3ebe10d2e38a4743f1981d90c69813bf6b034a7

SHA256
9957a6e608c40b1d081e64ac8e30d6ef89958754fbf66c8a366fc186ed7145f6

SHA512
0d7045bd26886762f581e9fa178aff52e341690af5ca9bc34e342f75b432a771d2aa22d1b47b0378f476daaf613a3ee3cc43907ecdcdd83f10829716ff2e34e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
540B

MD5
aaaca8152ae232cc326791638a9d6cb6

SHA1
c4d5366e8d49ab6439babbc1263a3d5b53f4238b

SHA256
8ca5b8b29a5b9c09cb08d0487a84fccb3c177c32f37e8984255e4b1c94af66fa

SHA512
e7f96e978b3144c0b7cd15c3682468989bd5f9c113a5b303b652be27332a3d23ea95c5e9e389ed65aafc0ba3b267e564b7f90bb44c3de0d2069d88de2768d367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
65d33f54a6d6445cacd490e9a71849e8

SHA1
5680d73ec201ffc638b548ce8a6fcd260302f374

SHA256
f2ed64b25ce8b0c72524394cdb91c7bf9ff2fb3d8dc8dbac48e66cc0c5759b75

SHA512
69a2073eac91ba061477616ed1275435681c683c876a347dbe83eb853fd16927298943dd04e726877346ef6bed906adfb559f36bb5251ecec5fdb37a73743fac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
Filesize
44KB

MD5
3b457d6a384adc32c1f370730a391cc0

SHA1
08a5587439462995cda2aec8e1f404fa72a35c97

SHA256
d208413cdec0fcc03a59993a9e4e1eacf3df40370c1370f28cd1cdb101645e9a

SHA512
9ca6d76a93b12f47366ed8b5ebb12c873182d801a0a45e29c1af22d6c2a2064c4959c1a3f1fce1486fdd5b53bd5c6ca96444924f5df5ed408b0cbfeab96f23ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
5c6eb03236287104c44e736fa5eda745

SHA1
1c6d359e22d472e9f97acce7d3483337b8158e11

SHA256
1513ddd806bb0565d6778b120771e4a87b2c007e64adab4f2b092a40daddbeda

SHA512
e9f936fbbc9f4ce63e5bda69aca81935a429969bae15872440dd8a17a3430306250849bc39bb72c5c8a924311251cbe4fe1599a688ac034bd5c4b2d78124c635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
Filesize
3.6MB

MD5
047cd18fd4f1434e52a2afa461e5626b

SHA1
74daa8033ef26c49ae57bf9c06257791e07a7bf8

SHA256
c49b2ab88edcba0f2d1d5f6c837ed2a3a4b6b34fbb608fdd2480406146d0764f

SHA512
387a6d803763f98a4bf7bd3e4f7dc5561f412864c00f21ea24099e7b79642222e292f72bb3d76c5b5f0bb040d8c6e74577627a56a6a118469101a611f3af0472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001
Filesize
16KB

MD5
dffb7164984c0c892ad67aff97aab87d

SHA1
df94cce03775263525ecdf1a4f6a55adf2e0b6f8

SHA256
6103cd48521fd7b05920814ed60455f92b327e00330008ec4f161e9bf5135502

SHA512
bc8c4f3643e19b8e2ead7808a433f9b3a07b7c64409b9428ffd5ada52052516bd7eceb77f0d4de1340d0b08b4fb943aeb827667aac9935fc1aa559173daad97a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002
Filesize
20KB

MD5
e8e1f8273c10625d8b5e1541f8cab8fd

SHA1
18d7a3b3362fc592407e5b174a8fb60a128ce544

SHA256
45870d39eb491375c12251d35194e916ace795b1a67e02841e1bbcb14f1a0e44

SHA512
ca77d40ec247d16bc50302f8b13c79b37ab1fcf81c1f8ab50f2fc5430d4fabc74f5845c781bd11bb55840184e6765c2f18b28af72e1f7800fe0bb0b1f3f23b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003
Filesize
20KB

MD5
a4e164f6a15386763f5a9915b9b2abc8

SHA1
8d499d52070f47a4084008fcb8874fb148994d4d

SHA256
dad5ddc6868717a6c955e0c7627f0f93adca70d5d20733c1a98324269fa19f85

SHA512
9ae0dc6c7638553dc8b7c99f0f0b5671901409b50c0cd7666b556a08cb979b4334cee2b10bc826a3d7ce435a84536a0e81d2fbc79104e29588c5b506da97aa0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000004
Filesize
17KB

MD5
384e5b959ce3e59e12f93605f61043c4

SHA1
bb26bbf602cc8abcde380f1e91587f15c6485317

SHA256
b76542269d00a0859d591ec572b0dd408b2f4c15f0dae9c23be7dccfdf54e18f

SHA512
ecda40def5bc359a1b8e0e4a033f5fa68f7262f2b36e2149b1efd472a88673e24b381d34489e5bcc899ead1b057763eb940f7c3430dc88cdfcd03f47a0992e2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
b4d82ae083aa2e008f94f527884a2a54

SHA1
b97eb659c0fd193a4a59e20e3ff2cfee8c70b50b

SHA256
32fce3003329f3b3af7c7e78d0749742f64983b3e3cf91e4c340be9ec370ec04

SHA512
c229ed1a759fe29e31933edfe4ec43b9dcf576dfd55d57fb6149c1d6945aa1ed3ef4302617fffad5281138eebc8975d2332755efe4d9b9b4b0aadd5fab7669a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
f18b01ca9f8e286805cd43144f032a3e

SHA1
9e8b9742576bcb846bb5e8ddd68290bdd3040b5c

SHA256
733fff6ed9cfbf50cd2361148d2f15bc92649efd2503d165795688c48c77b881

SHA512
58813c0857204ed028ade613a43cf1a47cb5ba25baa2e8f26ece93a1e02d628d2a515d915678e44692a3c949ee0ca3ed87172b91a4355014d69d31a17d5a7d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
75868383da3e398c98e302926af06e88

SHA1
b925ce1683585136c866f19a8d7197f091062c08

SHA256
7eaea4d4c4c38849acb29678ef1425ff08e0cc9c3026758c99ec61ced8c55fdc

SHA512
cf2237b5281effd4e43f8156fc3f962b4e3c2bfe325e6a9bcfd99047e18c97a8b1645bc5274f6db404a30ae8297db9ffc60d1f414e920f2a4c9134dbfa395a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
0c33bc8816d36df6dec67747a8a1212d

SHA1
3240f83671e66448757194445377b7bcbb2b420c

SHA256
0457ae636839687ac9478a73530d5b4524cde0c773ff99c70ea762d0c154d790

SHA512
8e9c1c67b7334d13abc5dc26b5832bed9a23065d966fd55d5b8019de5233b32309d9eba2a29aa2f06f0360c73116a6fbc2593b43f00d7dc1666809649adc6bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
7db5397a572f76dafbec6885d3958f3a

SHA1
65681f87de69c20500f45648051af7141d4035d4

SHA256
63642c3aef8fc729860a349d80a54a28f8ac9b88f1a2296bd95074be072fab32

SHA512
41c82bca63915f79cb860c1b191409d0ba039abf201ded2f47fcef48c45aafca5411691939d14bbbeef87a1c69a57f9ea82b77c52f62b7af26661f6dddf3d77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
4aa7b55ad8692ea8133bc7be074d0480

SHA1
f1f520165c72d1ea17e277e86c069851bb8b4a1c

SHA256
154a372ccbd026200f2fa4fb8b9187ec9b2e4b17eb7331bbc2f9d083fc31559e

SHA512
a879fe44b9c179b62a12d7f62ca6b55380bc9a14544538ac5acc5e6a6a0eb8096a1d7de807e7823c8d621db08f9aa92726abbb3a896e2ba20552e6f92198ebe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
4af5417537ae56efd2cb137033d482a8

SHA1
e42faf396d3fc10dedc9f64e10171d936185543c

SHA256
79898530003c1b88397c34883b5409afbd16cedffb74816b9ee14d2f0d3cdf81

SHA512
67bfcd4d10424facc7ad7e42981636e17f9a3d305ea08d95546a4c2537e49e5a0b9e6e137954d28b6ea89d2730b69250dcc82587c88c9dcc605e8389d52ff318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt
Filesize
5B

MD5
21c9f62dc58fa9a78a4176e27d074d4c

SHA1
849d35fa49a3ad21bc76f5a8e2360e3ed90c0da4

SHA256
bef9c2aed51db4022732138cb028b9151faef7fbc14205770981365dd94fb077

SHA512
887da5690a8fe7f377efc78fdc0c398045c567c7bc5f2e81d0ccf2fba00f7744acc693ab1480e027c435f8aa9ae64865a783607ee2dbe20831ba0b966d9ca084

Download Submit
\??\pipe\LOCAL\crashpad_4344_XTSPCBVCNOEXRZWO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit