050c553c3b8f7118ff349e8cb7c425079450388a33b57c83d28cfa0f5e5e21bc

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aurora/Aurora.exe
Size

1.9MB
MD5

9c927e0518912c1fd2239b91f934f981
SHA1

67cc0c7ca7ebef409dcd7c069c91f1b7a631213e
SHA256

bf71a9c4389f5cae7a52782889b61b22efb70c5150d2e4288c3bd9cce720fd13
SHA512

c4a6ea2a2308c649901f4a895c747efd60f8d5325e3ffe6b6387d06041013eb542b780c5281ae6beee38d1d25c3b079d49b9abc835641684b256ad40d3c89001
SSDEEP

24576:mTHjsbvemd2l+QU1e2B5KZxDvAR+MWwY:mTHwC+Qh2BoIQM

Score

7^/10

spyware

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

InstallUtil.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe InstallUtil.exe
Executes dropped EXE 1 IoCs

Processes:

qemu-ga.exe

pid process

4656 qemu-ga.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

Aurora.exe

description pid process target process

PID 4032 set thread context of 944 4032 Aurora.exe InstallUtil.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	InstallUtil.exe

pid	process
4656	qemu-ga.exe

description	pid	process	target process
PID 4032 set thread context of 944	4032	Aurora.exe	InstallUtil.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1888637039-960448630-940472005-1000\{F729D5E2-91D7-4467-9197-4B7BF0A909ED}	msedge.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

Aurora.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeInstallUtil.exemsedge.exemsedge.exe

pid	process
4032	Aurora.exe
4032	Aurora.exe
1244	msedge.exe
1244	msedge.exe
456	msedge.exe
456	msedge.exe
2360	identity_helper.exe
2360	identity_helper.exe
1036	msedge.exe
1036	msedge.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
944	InstallUtil.exe
4752	msedge.exe
4752	msedge.exe
2080	msedge.exe
2080	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exemsedge.exe

pid	process
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
2080	msedge.exe
2080	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Aurora.exeInstallUtil.exe

description pid process

Token: SeDebugPrivilege 4032 Aurora.exe
Token: SeDebugPrivilege 944 InstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	4032	Aurora.exe
Token: SeDebugPrivilege	944	InstallUtil.exe

Suspicious use of FindShellTrayWindow 58 IoCs

Processes:

msedge.exemsedge.exe

pid	process
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exemsedge.exe

pid	process
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
456	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe
2080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 456 wrote to memory of 3280	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 3280	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1196	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1244	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 1244	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe
PID 456 wrote to memory of 828	456	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
3⤵
- Executes dropped EXE
PID:4656

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff1c0546f8,0x7fff1c054708,0x7fff1c054718
2⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
2⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
2⤵
PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
2⤵
PID:1816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
2⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
2⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
2⤵
PID:1300

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3704 /prefetch:8
2⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3704 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
2⤵
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
2⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
2⤵
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
2⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
2⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5520 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5516 /prefetch:8
2⤵
PID:1676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
2⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
2⤵
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
2⤵
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
2⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
2⤵
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2184,8296569139411052377,9058288725674629262,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5816 /prefetch:8
2⤵
PID:3680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff0d1546f8,0x7fff0d154708,0x7fff0d154718
2⤵
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,17537769824147251777,4562782829069631728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,17537769824147251777,4562782829069631728,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
2⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17537769824147251777,4562782829069631728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
2⤵
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,17537769824147251777,4562782829069631728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
2⤵
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,17537769824147251777,4562782829069631728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
2⤵
PID:2184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f621c7614503377ba83f2fcfca1c303b

SHA1
c7ec737f8e0262052e038691e5b38db37bdfe56e

SHA256
c2d2e04acc5e2cd129dd3211f73b498043051b74a2f661c1199224b37b681b26

SHA512
203e5e582007efb7d11b0442e85d4e37a4cc1332bd6367cd74b0d4b9de0d0df85757bdc66474f62309bf530841ab7a5e4c0d43c95aa416b7175129e2e2b36c26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ebd667e8db80b0ab07f02f3dc844252

SHA1
461bade20eebf59e30e8c3620640d6df6db79249

SHA256
d04531e41d70e7832898e797081335b3f0314b09141a01de921ff679dba41b0f

SHA512
75f92d1f4ab942c3fdd3b70542956ea246f718aa8808a53f33d52278505f4f783e4c0458e5093ea4f459e72faea431f926373883eed2ec7da1109bd7efc6fb57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
639fe1e284fa5ce5eac19de7ce6821fc

SHA1
71351a9608987ef41f15bb913fbf33f058bef278

SHA256
4f8f3b3cafb09485dc63efec62a8dd6c9c646c70d485e4ac7ca0e68becabdb06

SHA512
8086995dcceaa502842144824707f353de76c223e6f282d283fb984974806b5505a6418db74ea4e36cf70be8ff47c6477525b3d15d858cd4cb079bb356a94bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
Filesize
44KB

MD5
89d6f5c34711cc83ef6610159b08c50f

SHA1
460e0c2301dd022219b396f1074643a2848463f6

SHA256
3a41f4bd3218acda30e4733ff545e17c17993636afc766972a1260f78dd39fe0

SHA512
e9cc2f61c97f1dd569bd4addf1bc288f9bcffda694937f6a6620408a929cb61bc7f31079911e15c830b6f4e8ac37674a1079a5da547d56f255df266f20085047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
Filesize
264KB

MD5
b473ae0380d76981b7ead1afcf49a9a3

SHA1
05f673f143b746ae60062ec38b22525a7e9d56cf

SHA256
9667eb7555f74f5785cc4be30c4d688b89bf7ea53eeef9a90ef54b5c5f0e11e7

SHA512
69d7fa5f6c7d9729135e42a5dbe093fba6c50aea3f01a59f453d61c5fffae7b18ee582ace0e962961826fc0d292e9e72ce096363f5c4cf9c0b41211a68740d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2
Filesize
1.0MB

MD5
1d51448f45152d36f19de4ed44b4af82

SHA1
95ec6dba56b6e1a4df934ca02936ac16b0dcda47

SHA256
6e22a7aa75d81ead7302c927ebfd62a385ac7084127f1091d1a99432cf548062

SHA512
50e9277bb4813c4a44478c9ad750e77a7e1912fb8f676c9d7ae5508bb3d4d41922b40efa3bdaca6b53bd285e918780db416e49dbb8643385880130b90c4fdb19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
Filesize
4.0MB

MD5
12c5bf6621fd88906204b1ae534be26a

SHA1
8a04a405829781ce90297bb9d0f01743c07cd125

SHA256
805da32add69cc3457a53be445ca3f10c8e15ad8e745a7c0d6b42b48ebbe7195

SHA512
d55bc169214831d7acc5c54b8da634466d489fe847ac1f732e96389b7c3adba0f8adf36eb43fee96d53de4e1373fa94b319e99de553ddfc9137224be05f84f66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
67KB

MD5
b4f5a12f4abc77d9aeac39d27609f939

SHA1
6021ff43027cd4bae7eb3d38a727884137483db4

SHA256
662ce2a8b66ea997b06dbd19ff19c04917eee288c50aa9d0d7b9be3394b419d7

SHA512
ea99fee0b6469663866fdc92f8cd28a1a9fac0e91cbca2dabec09291a95bdf012e53873e77602b1dbf24a16541178cee103ec1a975743d249fbb093ee82d352c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
250ef1b70248ba4b6c4b1681f84657c3

SHA1
5057dca959d682af7aea5bb13dbfdf07f0513929

SHA256
fbc85dbde8926f3fe2e5b27cd418b5b9d68de5d5e9715e16d8d0fc6d9bb8335c

SHA512
5b5da07a3e3ea4ff3b20672fabe32d85d50f02674269708e1a43db61754b2f04a3df05f0a87aba31996853710476fcf51959184de8e89ee6c0cf869ee91661e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
28KB

MD5
75bc0a50f7573cd8a3a4a5816aff2cb9

SHA1
d6325a19b97f85aacdff49f0ef8f31c8fd27004c

SHA256
e7965555a0874f91ccf4c71d15eda63eabb666e80320e7409493cb688c3227a3

SHA512
cdf0e0d091d97256187ab29595796272faa54750cece86c986570864d571b7b41b28e7e10e75752b54425cef8acac36f13aba3d31caa8d1ab415ca389b48fa7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
Filesize
319B

MD5
93e0101bf2dfbe05c80cfb992671f00a

SHA1
408b4558a7f56611a20fa5a40ed39983fc11aa76

SHA256
e009927239b03252915760a7e681e47d0e96e3b6a03222a38e0d843520f4cb0a

SHA512
a4118132388f728f164077e1c261a8cf2acee081f3bde300dfd3f52af64b9e478945d6ed415bd51acd87b698b318057b49975c972e5831a04e54f0d4c7352bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons
Filesize
24KB

MD5
007b9c803e9e734d6fa36e69e3696527

SHA1
3d1df327a108d5a440863e685fdac74322369a27

SHA256
794b23d22157df7111b7cdfbed7975c7689f4d3889288463745d98b096cfbf26

SHA512
86e46031d23a9c113dfd1b6b807269d54ab6f0b1453f8bb7507a6729d2487bc93d0d1b7dab21c08bb4010e5832ace3e4ddc9a864e11d43058494da36240c0c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
124KB

MD5
2feef2ef312e71bfb9c94c8eec326b8e

SHA1
cde8ef66b5b17ec8828cfd637bf3411d6478613f

SHA256
be22b7a335f952c6dffefb2a7e7d912beba2385773caa1472f07298f31f7ce4a

SHA512
b7c4077cae19fbd54018e6c4719ec7dee78c7e60aadd55b9521c7ceceec949e7266bf9b030ee270f2aca9d31651a982765307d98ce7f976bb989835a8f432982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
Filesize
461B

MD5
f973718f47b6c0e5b06cfcc7d75a08b1

SHA1
8c53a817a3986c72f150e05fa238fb03688dda07

SHA256
5eb4611758a28a5df489b11fda03e46bb473bb05df64997c4b627a3e6a04fbcb

SHA512
03a65087350817aad692d655571b580c9fc1cf84290bd4bb3b4967f1a142c024aa9dbb1877f5ecf980dc73ef75c238dacaf59e216f46ba586df3dac03c06355a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
334B

MD5
659cd4e6df4d44fc7b4894c8297c9655

SHA1
fcd058f2885867a66ff06dc6f9b1ba68e52a4fb0

SHA256
6b1aec191b9e7c83e5f7ec6c5e3d1e22e3cfa93588f3ad5ddeb276d5cc5afa1f

SHA512
82707070b26d23b7f8c495af3378a2daba5257df98722d8a1396133d2a0150bad0e27b4bc58c78d54ae4d2ad844cf63f7b9505ca427545a138649f2d33c4154b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6e4f2fa179a442126a48a0d6fb44b2e8

SHA1
9e038f766b9c46bf187a5fabfb95414a37e90138

SHA256
300e873d3a387e1bed6030acb48aea03ef2c47bf8dd6b66b0a4127ce7489c636

SHA512
6187c9d1be445845ac3bd9c3cd245281b9885ce3e6e41a812fb1215203472dc9c800d7c5fe3ee8dc5591879587170cf06febd81ff1c939a01f106aa9a8fd5774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
98ba5a3cc1463918bcfcd884b3aa7ffe

SHA1
ef183a52189f0a55d65ef678735c4b7922c5b573

SHA256
675704fb9b74670e35c0958cfa06c44946914fba2f0465ed8f2c3531ad3f5882

SHA512
11e95ba6e328fda1e959ffe083dd54c0f8ac7be9a441f52476d47351fd90b7092d84c6d613c856366db93f9546587eebfcda2231421e11a2f1b0d0fbc4b0af84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
98daa83c2be4e13e1ea2fa86bbccd296

SHA1
afa3c1e9e3e04aae74e91e4ce9dce2ac02660474

SHA256
4611a20ce3a09584d37e391935dc3a9ada6e9456c08635f142758b98dc8289fb

SHA512
e26c2eaf32a03f0d1597d1cd039ef5e023e587686919d6a4e7d413347391b4e0d63546f7f349c454c62bc5c0eb35e5258bebbd69ea7e1659110f204640276350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b17d331c0288ce5cfa31879e50af7c07

SHA1
0bca490ae74dcbaaab27d067b3edc88b432b304f

SHA256
ca80ed92fc47afaba9bb0054e7f2f9ad83c6c49591ea9d06198e371dad4ec1c2

SHA512
158f7ac5d70159e61bba21857be57aac8acc17a8a3bfa97c08f26a0c2a22dfb0589a50b24c4c067e86eecb82eab2c78c93fa42bb204c5d6905a10b2241034cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13352977556660456
Filesize
38KB

MD5
b8ce73d358d64b985da3e4990010f2ae

SHA1
4c05ac3a06c8200ee5883b22efc81f8ec333054b

SHA256
b97e83d769ed1771eaa1a092327842eb591a4d7b0357148de7656810db98d078

SHA512
e0d187c3e7423563fe0bc152f28904d9e824bc2ad9b188014199266bce927bacc0f8a53fa6f6ff8488f97c01566ba195d20f51385e96c77e5eba453236cb4366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13352977556843456
Filesize
933B

MD5
50ae4fd0cd63a733cfc97c02faa8f387

SHA1
51a2c0b005a402bbe4e768012bb4f3ff0334a9ba

SHA256
f0f9cf76e0ba854dd290646ab7a3264d38c71cf2620221c28338035ace0c4fa0

SHA512
00b76c79e2d24999e34294a49abcf3797e3e9a38ce99a262eb0738c97eaa2e8e81deb3a9d79b37e6e37e60fed68e267d8237c49fdc029aca7e302d92e441e6a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize
100B

MD5
ff8e8c93a27ab31ed34b082b7a9c82c7

SHA1
31b93f5a290aec7fffa2131c5afb3a128cfef888

SHA256
0261842a383733173911dae93110100b3ecebb28e672aa6016efdb5846e5ed1f

SHA512
1b98dbd84ab4b3c0ef10d7444862217fd6ed6a1e3b5c574702762f12666661a3f0c285b2ddb579a3482067739b1403b9ed2787bcd1f55c5007b044c67fe2c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
347B

MD5
955a24d3f13f1f568f245384081f6c0f

SHA1
8221bea932cbd7935743de3fddda617e181f1e9c

SHA256
be957806c65d5f9d95b25b5a46973f6cd1b0d63c9e8b4f86a90d853340ba715a

SHA512
8f0cb10bc696765a1fc8a66563a25b67a03cdce7fd523de0c3d9bf9f5d4927dcf5e3a4b177841acf481e81abdf224e6aa0c9c661ef1245ecd73427a652ed01c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
323B

MD5
653849948c7b8a0aed48ed3fbb84bb47

SHA1
11325bd927aef05de776324ee0fcde8217a3d39b

SHA256
451fb74b66820483e2c45363ba7817d4500e53d1146c6263dce94ee30b4e03b3

SHA512
9e5626d8674769a47151173006453206c8829db4f7f95e7180312c8159d3390f81e734691ea1624491c334d57adf6654e1aca2d4875db965dd52523d8e7b5049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
55b7047707ce44e0ac7a2376edee10cc

SHA1
6e6a8a6fbbc9be39c08d103ff52b2e58c4919b6f

SHA256
d76d478e634fb2bfaefe9cab485dc7d9cdfd490f58dc66f9d8110c796c7797f4

SHA512
e876dd0074c7255ed621cfa39458163b3b2bb921d067e913b7d95a6e92a02bf1b8ef0c3737a4250b0fb9da1dc2c327c696e53f2a90ff6e693b5b7e155d44c393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
116KB

MD5
62818e6457c27728da3f0441f4fa5e3b

SHA1
7424c40f9ede88cc150792349bca2e27dd76187b

SHA256
e97fff2397a003ccaa4d649746a117023c098f8ffc3786c60a14f3cd92ed8df4

SHA512
513a06cfdda3e6b5772104c8a9f058bc6d87825f3d707d252d0f1047f114b1fc84c9f1f80071d30334cc11773064b748a8f34faee6a92da9cb25d722f08652f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal
Filesize
579KB

MD5
a14db8309e7a248bc64bd6a27da701af

SHA1
3988d1368c746ff9045d36266dfd1d62055a26ff

SHA256
7c958b699943eed3a14007a17ae9a5e087e29ad6dd6c3309b38ce7436fc3ff37

SHA512
72e3ac9b285de1839f434d0748a823c31d8c608af8baf49af9d5c7df60a77e8e9191cda590f8f756387eb22441723155431daa97d409edbaf2dcbe3e4fd0c952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
Filesize
2KB

MD5
dee5ddcc157e555c649580f8fb082edb

SHA1
f86a6843a4a79cae898d5edb4f07f962dfe5b201

SHA256
e452ad8bf57e75113b93b2a63167b9250522734280ac261ec27c4e9ec1d58ff1

SHA512
f0e70315ba04090815816662a0d832ecfadebef781b58891e92a5defa6298d44e046d2ca85847d9dd63f634c989bbe49c702bdd1929c84f4f3002fd2503c189e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
319B

MD5
180898c5fb3cba3ab9f340afce4fa3f5

SHA1
1c9835261a7d86bd01dab20a9391ac54f416f078

SHA256
eb75647e7cefba9129b6b52895ccdab1cc32979af2b2ebbb7d7c6bfc58472f80

SHA512
95823f362b13b973b67ce5e935ac616c4c4a02b997396940473d548329f3f25f905e9579eb0b59d35b7a9812c5c96101ebd5a6bc6c06f12e18d0bdae26e329eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
565B

MD5
2767200094fb6e00b70df499a916bf43

SHA1
6f2901bc78219cd2291220ea5d372dc193917291

SHA256
fd52b275de6190acf3aa28c14f79834e128afed43ae831d6cd0d5f769ab280de

SHA512
391e0535f93c5c1baf014f222071f910e55a0e0a6d5bead4f493a62ce7a8475e1cdb58248ca139254e989151e68d4fc20fb97e89bb2be7f888902900c1a12218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
337B

MD5
e68bbfd3a11c08a67221d54946af88d4

SHA1
3f333df5ec94659efacf045d944505d58e205de8

SHA256
f088d3bb87b48f9e6923cf5b128a60113312a8308b87d1bf80d48f3e3b75cb56

SHA512
6ac8f16b9b7f34bf7e703bedc60e9530464e85c21471fd4f0629e5d7ccc3199e712bfc5c72cb1f8412f78c0f3d479a8700542cf59829379ba65ce67485d5e1f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
Filesize
44KB

MD5
841d1c911d2dca6b181e359b995c80a3

SHA1
4a1a4909c6487245170b678ed05302edc7eb22cd

SHA256
fa958b01a1f552eccb111d15924f6a8ca75cf32ed22119e41c687da0004b4193

SHA512
c80c50bce5a1f5ffb37856b6aa1850bbf583e32638117c72a8a1957e9294026e43e7b2870317b8e99be9b8e229e25b9de6470f5afc6684d4d1e19e8bb592ec1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
979eeac500a165b257f1b98d4f0e3d39

SHA1
b1dda513a9d5affb7f053164607f9135c67644de

SHA256
05d0bf2dbbeec540dc661b6335fa9a5a8a0690f5dbaa1e850d87040d181b2270

SHA512
15f3f5285804ef5270dc94e4f1e2a0b3d3b22ba867c2141d0c964794df86dc54b47bba0199bd0671c2c49e5ce9fc1754e9a8f5b2c6f0fe8ff7dc364eb31fee71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
Filesize
4.0MB

MD5
e84e0087f0a75c0033d34edb9cb77b51

SHA1
b667fdf750127c100822b12e510c0233ef31d7e3

SHA256
453ed13d357650f9914f12426fe6dc6fb00c93c1693cbdfae91153cd2c01d785

SHA512
54aedad8e8072ec7a005a0df99fda19d2a06a750c0a89a4dea5c9ccc146e5866f926a0096ded12c39679bb5932cd418a12539ed33fd93ff73e95733ccef8a551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003
Filesize
17KB

MD5
37ca5ed57d2b5d45067242615a74b185

SHA1
6e1cf1c4cb12c6aec76213332a3018d68910f750

SHA256
07758f3e0437771357993e5244b11f0c4c03a3ed0c25ce6fdf0df373c58732ff

SHA512
778301a73787e18af16df59c918221fb71eaca3863f724f5042ea0744fed1d8596bb5f77932cfbb630953713b3bc69c27a80f9e9bb453eb8996f312194884e90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000004
Filesize
16KB

MD5
a33b3a3fdf5161be5bd861804961f557

SHA1
68a57897f1686a3e62ce9808165e18f31661d077

SHA256
ac33d8bc6d9a5e769472877d7dd3d035f8088274b886b16cb1898b106da48560

SHA512
c94c29a5a9da89044504fe06702f00a7fdd5bc7b85e1733c0cc9a363a812c8d8f95672ea7731643229fa4ae2f1a632c73096d90b63799f5bae7639b41151ccb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000005
Filesize
16KB

MD5
dffb7164984c0c892ad67aff97aab87d

SHA1
df94cce03775263525ecdf1a4f6a55adf2e0b6f8

SHA256
6103cd48521fd7b05920814ed60455f92b327e00330008ec4f161e9bf5135502

SHA512
bc8c4f3643e19b8e2ead7808a433f9b3a07b7c64409b9428ffd5ada52052516bd7eceb77f0d4de1340d0b08b4fb943aeb827667aac9935fc1aa559173daad97a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000006
Filesize
16KB

MD5
e7f884f3e93b33420a307305edb14ed4

SHA1
b951204502dda9221b5089da9e56107383736b60

SHA256
e72ee977216ccc0e7cc260bcda1051d9525987c831339146979b278dbf5cdb9f

SHA512
4fe25ef726acdd7f8917f2dfddb0390f30b7611ae510d88ac56f6d527a122a667973be34e74ce364aadd5d9ec9d4fe340e3aee186ee9c50bf93c13af6ee8f503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000007
Filesize
17KB

MD5
6bc4851424575eaf03ebe2efee6073ab

SHA1
2d014fe2feb929d03a46322645a94556ca5c9e96

SHA256
abaded8e235fdf329521806af30a1cc7701eaca3fe2efccb9da760ec6d8e5e4e

SHA512
af3b7d93fa2243475d74d4bd7f918ce2706bf6eca28029b9e49869f5f793e483efaafdfab1fed6306d5fc77a5ed3b27097b27448cd04560bed4df6fa3268ccf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000008
Filesize
17KB

MD5
fc97b88a7ce0b008366cd0260b0321dc

SHA1
4eae02aecb04fa15f0bb62036151fa016e64f7a9

SHA256
6388415a307a208b0a43b817ccd9e5fcdda9b6939ecd20ef4c0eda1aa3a0e49e

SHA512
889a0db0eb5ad4de4279b620783964bfda8edc6b137059d1ec1da9282716fe930f8c4ebfadea7cd5247a997f8d4d2990f7b972a17106de491365e3c2d2138175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
340e12c7a73afc8511a295f718ffd08b

SHA1
f3c8b56e236874a8383c1e170cb37ca9a5df54ed

SHA256
ce6ff7ab89bee5f957cf3eca889b8c874993fc31f9e7060be1b5027927068b5c

SHA512
dd6855112429138f2a8010c6abc0090855dad30a757ca2e190ad85b575e70456e1edd463dab6b333d6207ef8bb18ec242fcb03e871b814dd54da02cf0fdede51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
3f1b7af9dbb9f19379abed78e39539e0

SHA1
8c0969a896ed182375b8d3af905cc5ac4c240ee6

SHA256
f938c201152b34e1940b090e47640044dcc950d7858647dfe0d7129e59cd4d1f

SHA512
aeb1e3b2ead07cd2e0c07013518a499ef0431c4cc20039310fbda7a761cd725c105504b3f45e6a33e41cda2effcfd568078155afb063d38c5fb8739386e61949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize
4KB

MD5
c4189fdeff061fbb35df1d15d7037f2a

SHA1
aacc9f660adb7034bc54ebc985054b524d5521a4

SHA256
65d72bd6a0b7af65e947f63d1eeb8c7388f8ffd62afdecce2a4bea79e79f8c32

SHA512
51b43bec24ece91b52881024dd51d170b57efff337d1b93f4ce6250803e18d5305f8e0e06dd5552167d7960791214de17e7727290c1727213c7903c46402054e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
\??\pipe\LOCAL\crashpad_456_KSSPLEJBABFWWAIL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/944-316-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/944-348-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/944-315-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/944-330-0x00000000074D0000-0x0000000007692000-memory.dmp

Filesize
1.8MB

Download
memory/944-329-0x0000000007340000-0x0000000007390000-memory.dmp

Filesize
320KB

Download
memory/944-328-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/944-327-0x0000000006590000-0x0000000006606000-memory.dmp

Filesize
472KB

Download
memory/944-324-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/944-321-0x0000000005100000-0x000000000514C000-memory.dmp

Filesize
304KB

Download
memory/944-320-0x0000000005090000-0x00000000050CC000-memory.dmp

Filesize
240KB

Download
memory/944-319-0x0000000005070000-0x0000000005082000-memory.dmp

Filesize
72KB

Download
memory/944-318-0x0000000005180000-0x000000000528A000-memory.dmp

Filesize
1.0MB

Download
memory/944-317-0x0000000005690000-0x0000000005CA8000-memory.dmp

Filesize
6.1MB

Download
memory/944-314-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/944-331-0x00000000085E0000-0x0000000008B0C000-memory.dmp

Filesize
5.2MB

Download
memory/4032-1-0x0000000000B10000-0x0000000000CF8000-memory.dmp

Filesize
1.9MB

Download
memory/4032-9-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4032-71-0x00000000009D0000-0x00000000009EA000-memory.dmp

Filesize
104KB

Download
memory/4032-2-0x0000000005420000-0x00000000059C4000-memory.dmp

Filesize
5.6MB

Download
memory/4032-11-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4032-72-0x00000000009F0000-0x00000000009F6000-memory.dmp

Filesize
24KB

Download
memory/4032-10-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4032-0-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4032-8-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4032-7-0x0000000004F00000-0x0000000004F0A000-memory.dmp

Filesize
40KB

Download
memory/4032-6-0x0000000005230000-0x0000000005274000-memory.dmp

Filesize
272KB

Download
memory/4032-5-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4032-4-0x0000000004F10000-0x0000000004FAC000-memory.dmp

Filesize
624KB

Download
memory/4032-3-0x0000000004D90000-0x0000000004E22000-memory.dmp

Filesize
584KB

Download
memory/4656-346-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/4656-349-0x00007FFF0BCD0000-0x00007FFF0C791000-memory.dmp

Filesize
10.8MB

Download