hxxp://facebook[.]com

Analysis

max time kernel
161s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://facebook.com

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1815711207-1844170477-3539718864-1000\{8A139F72-2F6B-4F20-AAF7-663F8D9823DD}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3696	msedge.exe
3696	msedge.exe
4924	msedge.exe
4924	msedge.exe
1836	msedge.exe
1836	msedge.exe
4020	identity_helper.exe
4020	identity_helper.exe
5576	msedge.exe
5576	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3688	firefox.exe
Token: SeDebugPrivilege	3688	firefox.exe
Token: SeDebugPrivilege	3688	firefox.exe
Token: SeDebugPrivilege	3688	firefox.exe
Token: SeDebugPrivilege	3688	firefox.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
3688	firefox.exe
3688	firefox.exe
3688	firefox.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
3688	firefox.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
3688	firefox.exe
3688	firefox.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
3688	firefox.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3688	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 1528	4924	msedge.exe	88
PID 4924 wrote to memory of 1528	4924	msedge.exe	88
PID 3688 wrote to memory of 3460	3688	firefox.exe	91
PID 3688 wrote to memory of 3460	3688	firefox.exe	91
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 3688 wrote to memory of 628	3688	firefox.exe	92
PID 4924 wrote to memory of 3036	4924	msedge.exe	96
PID 4924 wrote to memory of 3036	4924	msedge.exe	96
PID 4924 wrote to memory of 3036	4924	msedge.exe	96
PID 4924 wrote to memory of 3036	4924	msedge.exe	96
PID 4924 wrote to memory of 3036	4924	msedge.exe	96
PID 4924 wrote to memory of 3036	4924	msedge.exe	96
PID 4924 wrote to memory of 3036	4924	msedge.exe	96
PID 4924 wrote to memory of 3036	4924	msedge.exe	96
PID 4924 wrote to memory of 3036	4924	msedge.exe	96
PID 4924 wrote to memory of 3036	4924	msedge.exe	96
PID 4924 wrote to memory of 3036	4924	msedge.exe	96
PID 4924 wrote to memory of 3036	4924	msedge.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://facebook.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa887f46f8,0x7ffa887f4708,0x7ffa887f4718
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2176 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:6388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:6508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:6500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:6532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:6236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:6208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10749449893054017035,1104109796635594662,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5880 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3688.0.357088241\862385869" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94d61fc7-357d-4e7e-820c-5716b4b257c0} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" 1968 25dfbbd6458 gpu
  2⤵
  PID:3460
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3688.1.858420315\1589008690" -parentBuildID 20221007134813 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {363d8161-543a-450f-8084-9b69b6a33649} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" 2420 25dfb335d58 socket
  2⤵
  PID:628
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3688.2.722741417\2047037819" -childID 1 -isForBrowser -prefsHandle 3384 -prefMapHandle 3380 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a026719-48b8-481f-a625-294f2b8f0ee4} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" 3396 25dffafe558 tab
  2⤵
  PID:668
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3688.3.712721154\2063375916" -childID 2 -isForBrowser -prefsHandle 3188 -prefMapHandle 3140 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e4d04ce-6eca-4048-b911-3d7aa24f2592} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" 3504 25deee62b58 tab
  2⤵
  PID:1028
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3688.4.1957856192\295551315" -childID 3 -isForBrowser -prefsHandle 4916 -prefMapHandle 1588 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12648acb-94be-497f-8cf2-062c0c400f3c} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" 4808 25e018e7a58 tab
  2⤵
  PID:3348
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3688.5.13104741\110454628" -childID 4 -isForBrowser -prefsHandle 5172 -prefMapHandle 5168 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bef421b-677a-411c-bae9-bf52f912bbd9} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" 5180 25e018e9858 tab
  2⤵
  PID:5596
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3688.7.1883130542\739445299" -childID 6 -isForBrowser -prefsHandle 5524 -prefMapHandle 5528 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {086930db-bb30-4ddc-9c14-22241990d382} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" 5512 25e02086058 tab
  2⤵
  PID:5828
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3688.6.211099712\1675853749" -childID 5 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1200 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cdd057c-ae94-4f7e-9b76-c2422647afce} 3688 "\\.\pipe\gecko-crash-server-pipe.3688" 5308 25e018e9b58 tab
  2⤵
  PID:5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa887f46f8,0x7ffa887f4708,0x7ffa887f4718
1⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,17215420088914120849,18404894538231124438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,17215420088914120849,18404894538231124438,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
1⤵
PID:2796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b120b8eb29ba345cb6b9dc955049a7fc

SHA1
aa73c79bff8f6826fe88f535b9f572dcfa8d62b1

SHA256
2eecf596d7c3d76183fc34c506e16da3575edfa398da67fa5d26c2dc4e6bcded

SHA512
c094f0fae696135d98934144d691cee8a4f76c987da6b5abdb2d6b14e0fc2cfcf9142c67c6a76fb09c889db34e608d58f510c844c0e16d753aea0249cfc14bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d5564ccbd62bac229941d2812fc4bfba

SHA1
0483f8496225a0f2ca0d2151fab40e8f4f61ab6d

SHA256
d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921

SHA512
300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
98KB

MD5
5c4222c2006aecb38683ec8d91f12d8f

SHA1
bca768c9119b8f81c4f527f5da65ee857698dc44

SHA256
45ae07cdd93ba58755c6dfe57ff3159d91587b4e4cda918a6b29fc1bf2ff6145

SHA512
cb44b97881820e01a4455dddc7a7332455b22984a5133c3e10725078d537d8208cbb4724f07755b3bc529e29e57b5d2ba5eb60480e2b9f463f6276fe0ce9874d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
18KB

MD5
2405e8a9027840ef913c5fd6c8ba35c7

SHA1
581d1d8fee78f92052189b78105beb14ad50e064

SHA256
e4ebe004db969a80bd1aa25ac423190eadd32c54ca16fc0cde1c74dc9b46ea4a

SHA512
b74642e2e8c484343698267517ee6e40a2028bd910a88c782b692354895cef0f6307684dd378763b76e3b8402783d883f657ee3c24ada77a94af206f909b689a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
17KB

MD5
2ba277bbbcc8715291613160a997cebd

SHA1
e64ee67165bbadd3b8bde989c3e5b1d2540cf09b

SHA256
00ffe000f78ae3c8c8d5557e3ab0089e29730ed10b2a190bd2b7a569812afd96

SHA512
c0f7840f181ad991c45ed1be0fcc0d90be100f8bbf36c54418ebe66f46d776652447eb5b7eaffbd2eb07c04455841d8e5d74f404eddf3c22daa34269d842435e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
16KB

MD5
458ad66f045936b71f72ae0944f0dd8e

SHA1
eb23f757ebdb1d10ed0a9965a8a9104f1fb1ad6a

SHA256
2c74e29495a819d22cdb7ec977ddf01e2862013b2043156b2fff754fcad6e219

SHA512
a673a17ed073779560a1a6ab7289169a2380ac518c4a7c2fd69674ce5753621a2660bf41e7701d356961761f239785485d69548126794cc531370e19faf7893d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
57KB

MD5
cb71bcfea84f17bd37fd9af67ea89c62

SHA1
99ca8607ab56744ffb0984cdf477f163c0bb43d7

SHA256
7b62514dd1f39e9a6761e3efbcab00d3edff6e237022e926c37a58563364034f

SHA512
f4bdeecb5b315bb2a937deec8d8d280f2d5a78f41147f7966fbe4b9cb22d5498aced43d463228e5d5b985a92f9e317ff7ff3e49ef158dfd305542b66bc0756d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
29KB

MD5
df217f862f4073ce4585999df73a53fd

SHA1
8f39eb965e90eee20c2e94f547acf0db9aec24ae

SHA256
dfc2a82c870fd4c1a5b67929c316aebf1bfe0e8fdb90d64158a111feeae9c0e3

SHA512
f52da493abb8eeae24642e958cfa6ecf50101cdb0038ca7b952a19f0df0531e44828e4d2b9e365fd08a73a3f78009fd76af37a1ae58b8ec526720356c2767738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
1.1MB

MD5
eeb2da3dfe4dbfa17c25b4eb9319f982

SHA1
30a738a3f477b3655645873a98838424fabc8e21

SHA256
fbfee0384218b2d1ec02a67a3406c0f02194d5ce42471945fbaed8d03eaf13f3

SHA512
d014c72b432231b5253947d78b280c50eac93ab89a616db2e25ead807cab79d4cb88ffe49a2337efb9624f98e0d63b4834ab96f0d940654fc000868a845084fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e28eb5ad8342c8f65d54fbb5f9320080

SHA1
bdf9c7f226162e0d89bd95a03aab5472cbf93e4a

SHA256
918ecb596944985bd64dcca778df22ca9e602dda8928f3ddf4d2d2ca463770c7

SHA512
9dc011794f3cf4558935d59a73fd64fe6d4f611cd684b4e2fdc2952de12cdaf9dc6e34558b4f7b267c2d433fd31ce217d093018d66827a10c056eb4cb69e055f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
762B

MD5
b394fd8e557357faba1f8f91d16ab7f1

SHA1
62ad213292a462471bfcbf751a7929507e2262c0

SHA256
21f7bc7aeeee4b20879834e962a9fb398958e7e4d0e9f7d0f6fb83167e207599

SHA512
366833421c1c2bc523a72c5652278f6dd5c60a41d11096811f8ab2003d93599bdb2ac305020b6962735aa61bdc2418990a85ebf99420aeab1265e7a9545eac41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bfe76df024c3f075c64a0acc33393285

SHA1
4f66084f58c1de92a4b06949ed0fa9acf7823e08

SHA256
71eb1e83c4422e2e6d33840ff67830a905c70f654ffd7dab651de690e42ba525

SHA512
dec0bd4db384b02ab34643eb3ce47620b91cac520acd4a87eb1c6c8c014a4c7525f019dde7252b5d2d60dd02a96fb4680d24140d1b3f8687b2992c7a8e59b8b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
728146536671ca9310029cc54069bd7b

SHA1
81b9c34fa38995b6152f2cdaac990c54a687856c

SHA256
13fa0226bb3172b6f29f706a0b53723f91649f8d37093de0c6cd661201296a81

SHA512
e55447b14cf8186c99e9f6cf7fd225f11f1ebe11ae34926f59ee8ba0012ab385526f2a016f9a0e7b23c5a48f678a152ddd7ceb58b157db09201e01dd8213cc13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e7786cdebd6104460fa99fcf345e29dd

SHA1
70e27ddcd5d0fcd5ceac9a0ca9a1996952ec577b

SHA256
ff06e2c8f02d56bce0cd6cae297c816a15215e5fb8c4c7ece3b82b3ea7a8ac60

SHA512
b2ea883a91880c0c5fc7e263459d9662531d255781d0baf221af88f6be75817f83e775b93613d83509cc28a91fa8bb8f07263fd506759b50d47e0fc0442cc98d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cfc79b44b871d1d3d004aacc9341e827

SHA1
c99ad82ee8a230f64c6472b3026497ea0f790020

SHA256
d2e9613b69c30a557e8df39622cc63a6d5cb66d3763221cab8eb345c76f03cbf

SHA512
d16096c644f78ec3040ad48e710343454c03d6a019fcf49148d33828be81edfc9dac6f1cc72fb3065ccfaffb3132d698bedfac408a8eb4a59a5487a522540c56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
185fe65aa206a459fd37e6631fcd546f

SHA1
03d37a21da8cec523c6e47045a9dea8056c4460a

SHA256
653e524bba6ec5c39241240c223bfa30d471efffa0db0f1224bea36de82a9e6c

SHA512
c49370a76c3a08c7ca0a0fbb0b34675fdc0fcce8f077319e7e027d8d4b97b2b0c2859362ab9d8ffc4cad204612ed31c0fa7eb9e14571a2e1d98be763761f723e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb2078bb0e350d6adec00195d2f6d10d

SHA1
50d75170ade50c0333a1a3834d211906f68b2cfa

SHA256
d138507794fa5c247ffc00727528b1831c715535e47625dc31ee5923dbcb8f60

SHA512
0760f3f072f79df3b7e9ba375a12f43862ac45e1fe9d7d972dfc459711fd90f3a21c1641a37e356a2aa1752bc0ff0b9a5c3d0d15bea0319eeefdb32c03544fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c3e8e6e83047a86dcefd80bf8d98e15

SHA1
b5e4d524b70ad96278b2f66c8f8c7fb3fd130a1d

SHA256
855fba3eba28c5292d68121b4505d8649f77ad305c6e57dc38b7a812c4719607

SHA512
823c0f3c95529fe27d9e0cf6f39374cb5315b37c1824075abebb3a1c62c2ec9f450c93cd7cb2b3f28a7c0589c283c02aaae02a7c82f8c39a9a68cc681d986b22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b59106a3364e45cb343fe198b22a4c34

SHA1
c048a1602dec4ac903abf39fa8dfe8004fcd294c

SHA256
804d0620e69c2b7002e2cedb256259311f9d7987c36e75080e64dccbe7b65b29

SHA512
004a71f328a8c055e796048bd3d76b6494b9b8e85e1959ee2eee2024c0c8bb0ad7695f58e57073b3ed94fd515e2699da7f49eea14d3ff114a4f220ff2b4c3c70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1d1c7c7f0b54eb8ba4177f9e91af9dce

SHA1
2b0f0ceb9a374fec8258679c2a039fbce4aff396

SHA256
555c13933eae4e0b0e992713ed8118e2980442f89fbdfb06d3914b607edbbb18

SHA512
4c8930fe2c805c54c0076408aba3fbfb08c24566fba9f6a409b5b1308d39c7b26c96717d43223632f1f71d2e9e68a01b43a60031be8f1ca7a541fe0f56f4d9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d994147ba372241f686b03a16652c30a

SHA1
f35239efd36fdfd7585f3ac068f19a6573d283e9

SHA256
38a09b727b7a675fdebd3cab803c88dfed06b49b76e6759253d7a9da8d38909c

SHA512
424a4e150578937c09f37671f4770694c597ed185b97c8aae1ceccde008ecc9acec8fc0737e6040d8574c3c098415db51b5a23f11b6ee97117e53887e10df35a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
22b0f3bd07147b7c0065b00a8511dd31

SHA1
d33cf98e4ade71d5becbc3000b9b18faec330539

SHA256
d3649ca688dfaf360ffca94e2f8de2d9892a0a7b32098057c8a9593add9189ce

SHA512
0088802e18e1967b05b00a742a2433eca8a58edfb5e2dc359cee8ff8db7431fd7609bb796f80a1d4c19dad64153c17684d534100f37d518d02dc74135e3bf950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3a20da5e817a9b3073df59da40875829

SHA1
849c0e364afb6dc9767e7cbead8ac5dc28c5f236

SHA256
02df1594596ab1fd15394324c041232098b08e81354ac3d788eb928ab3e6ed3d

SHA512
84754a853acc178211d0f1884e171bcc5f5f5cc0722978c8233fb2af5656628532e9c1fce8dbdcc14cac4374265df5f625930e5e6088b98593b4316b803979ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
19714b09d2708987e6ec33a50135ffdf

SHA1
857cf2c9195f7307e8b0f43c84761b1e1fc067d4

SHA256
ceed1cb5d84b76c26b979af8368a6118180a9dcd4d30aa0186ce4defaa2a651b

SHA512
21c6103edee5d2bf5b8946f53b2d937f45e04ad4e8425236f2afc0f21c7b677e49a78d58bbff77ce5cc70e1ff6265c08c840685bb9fc72082c1c0f17c1fb364f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
39f8ac7e61273b269d142f74cd0210a1

SHA1
0a3135ac9ed745e8c75534a30a715ca58c7f8f4a

SHA256
747e45c05156801542c4c51904f81e1c5cce25a2f397d080882cca15f952d0a7

SHA512
cf2e4892570e250852186ad0e3d066bebac6f3bda40957ca2308d1d7b279004b4577e9bfa6dc08459977b46d9739a650bd685875189a1c1140a3759fbb88fa27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
da436e5219a7f442a68329317a3476ca

SHA1
b61fdb0df9212761c76901cc6ccda7e24c07d418

SHA256
f56f047155a33a6ec22e921858a088627d27328470165aed27dea4aa34112af8

SHA512
92efec21f2c23d13e853fb90dea2912eb46a49c4e8ab6b560ca471159f9f3eb5a2177fa9a722b0466ebe7bdcafbff39f516bfe0d7b81496e69b6c2a725f7fe41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
881cefb47702924f5e083f7adf7a2bee

SHA1
19087562b3a4021a62f857ba7238e98c108ec36d

SHA256
714811ad65668a79a91cd7eb82bf6f13e32665af2d200af6357f092752fe21ad

SHA512
76a8d2f3bb8e52698c14542ef1c907034c33ef87dc898b560583a599cc879dda1fac8bbec1fc52641cfeddeb71e5873c13aed3bcee52ae98d864bec92194cc84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f455e97ce377b9634fbbe5f9ad24d28c

SHA1
67c236c176d143b6fc20a157b18aafcc3180256b

SHA256
c18af679537e93820897bfb0bdd363988b9a930fdef79f39340288b225064fe3

SHA512
0c874977bb11f7283696cb66b98e6eecc70fc93f9ab3bf455f34bc2c434f46aff19d7a9789528a6096c3e4a79cc52167d19378df6f9a2ca8c769e19ef54f976c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eaa716e39f9bb40f2d9d4c60bf9186b4

SHA1
89ecd935bc7df91229575d199ffdb97b3568a883

SHA256
726f760199b5289f144544e822641dd96f2254efd4ceabda5a8bce0d0848a60a

SHA512
2bbcf1c646c956139313e6f275057aee63ccf1c40293f18f21ef8e29b51698c1b1ce04f8df82ea29f4fd4462cee3ba2f1ce3f595222a6e59713eae2949957780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58055a.TMP

Filesize
1KB

MD5
95f87d20955dedb3420ee23a54d15362

SHA1
c1102b3243d51633121f46c8706b82a459d1968b

SHA256
ded23fcf28ea636636143dcb6172a5d2d475bad45342c2c57c1e73eae37f9baa

SHA512
9433b2513dacc189d86d8dbaf1f5079040bf255d94c1ebbfeeef6f677d7fe7dccf35db0a17ba4310344ee4ceb5c936b2498d1afb8432a3ce13672fac4cb3ed95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bd970e0d1a8a41e47ca8bbb2c9d97cf7

SHA1
2a94d54465d7d2055b4d05e454af8afde84d5a8a

SHA256
b6cd9cbe1ba82db0cb60259acd45bf6569d0caf6c5392b24588f7899ac917e22

SHA512
2333b9fc339b8e1c804f380c53c3f2d6bb0c453f075c32abab162a44a88b15d4c3bf42646b464609587e9e5621d41130200420bca851e008c91af0c59fda0e1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p6p4nphm.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
329a5251bf3868b2bf059d3cd13f9afc

SHA1
5a827e91df78fc9754e8b6ea8e5f06417bee3d7a

SHA256
d4d51cef72f3c3d9f4485fb832255775d14db41f571174af7baaad9a8ec2dbc3

SHA512
94777563f8cc014dbc155f60760cb3b18c3c7f4f6a25bc9dcd12da799ed8de6dc440b9e1ae5e39bf5d8112094f5e5e9715d4ed99187d948dc919a4e2c0044845

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p6p4nphm.default-release\datareporting\glean\pending_pings\7d3f9e3b-870e-4c72-beb8-a30ad7d7d826

Filesize
11KB

MD5
68baf465b3a360f2a6ed17fbd8f11f3b

SHA1
072008de862b61738e1d98f710b1a3aed228eff8

SHA256
64e17e7e3b92fbbf512e501cbad0e7181f19f24aada09b7407082496868fb043

SHA512
eec68d7135c5cf8ee89423f7943838c2e54e63c3b22dc65aee400665fa26b276b7f57e13229ba5fd652517a13f863388939fd74ba692edfe7377457ede9596ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p6p4nphm.default-release\datareporting\glean\pending_pings\aeb53e40-16d8-4fdf-a476-11a78b7152e5

Filesize
746B

MD5
6bf571a85032cd043080ea910b132680

SHA1
6c0ffa8db187a4027a86ddcfeda44b3288511b9a

SHA256
1423499f3b68aebd177dcd6593195114732a2abda9ca0528b5724ffd02013992

SHA512
c080ac7bb3e32de2f7308205bd5593ec1fb295c36a905106ba667b5dfab86de6a4355ec3af5c0a9f130a3351992d3507eada78fbb47c980b0fd886dbe76e0fc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p6p4nphm.default-release\prefs-1.js

Filesize
6KB

MD5
da3e2e089f3d915db304fab21fb826a6

SHA1
451100833afd25f90702c71a002283b8630eb4c1

SHA256
f7708374b715dbcf5c44e8557987a865fe674e9e0d3a25da14a079c91d9325a7

SHA512
1f54b6a9d45d73e1a906630f2976667222aac35d2ee0f8cdd56a18e9b2f84810471359ebd9eb5a86b308e2488bbffe2135c35a9ce8fe18dd60b10793772ab239

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p6p4nphm.default-release\prefs.js

Filesize
6KB

MD5
27041aec4c019ffd8db1dda502e2d11c

SHA1
afb91d7a366f9920a9a96401a2dc4a0153dba222

SHA256
37c8c3b5157f07accf786d7249fd05659db73592dcef38e902cfb5be38116f1b

SHA512
dd1b4b32ce6332c5dcce148ccab3148a8db7cc6a633d3cb1ed375a31cad68eb508c7c7db294d5f72d8a32fb295796a1225f4eb8210e575100f04cbe3fcebbfa1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p6p4nphm.default-release\prefs.js

Filesize
6KB

MD5
ea55b0f0860c77067d3ff3be026f52b8

SHA1
830a1a3478da12c45acb6a69e7a236e1696506bb

SHA256
ffc37e5bf961c2b17c36fcd1736ece7c20a45ae21918a04b1ef26351112afd9c

SHA512
972dc3b6446165fc5639df7d915e0eee4f940fb927288d637056faf9a0bb3f36d38c189a7e8b46c7580b86f1defa2a1e94a8f8fa88b653a9d3810a200dbc2aa8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p6p4nphm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ff2f4db86ab73f931fe0284607ed67ec

SHA1
84d4d9f21586a17921a642f3e1ab2f9e26752248

SHA256
f7ef2e70730980eb00782df6566e7d18ac024eba28294759e494ce737c48f3dc

SHA512
d0092d50918c09db4347d4ae3c5a0ee6d07b47f7845f3be3d853f4eb7ec5e81b5c64275318f183af89ff5ebc85dae3e97c36c9672dc2514a56b0117d70f52ee4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p6p4nphm.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
f3227d301aaccb56596e1910dc93012d

SHA1
82710ed6454f3ddcb6b4b38cae232694a62bbed9

SHA256
091c43092c32244787ba7b90bd02784f652e9c734fcdbae5ad1a19ffa0b17407

SHA512
4868caa2aec99d8bc836ef75ca933e11458be753f261dece04e5b50b892725e384117b2438093d028ff7a3519ec5788d64b21f6eec10281543637959e974a14c

Download Submit