409387ad3733f10904084875a11f03c3dd99677876d0fc2fe39f3621ea66b27d

Analysis

max time kernel
239s
max time network
241s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
21/02/2024, 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

moneda.jpg
Size

26KB
MD5

29573db11779dd340fd170807ba20cdb
SHA1

60cc05ee74e9bc8368ccd2f20270224a9224a0f6
SHA256

409387ad3733f10904084875a11f03c3dd99677876d0fc2fe39f3621ea66b27d
SHA512

61e667989e84cc376b052d8ea51542ea322d373a2f94adf185bb4b6360489c945da5e71b431b85b62000ebcc82847369e75965578de30804a15545174705577d
SSDEEP

384:ceIpRET1IQ9kZQeuvaFGhPSsv5y+F/hSe3v2to4P5Bf+PczfttR42DsC:/qe9qwaSf5VFJenPP+Pczl/4qT

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4181651180-3163410697-3990547336-1000\{09395E01-D7B1-4F48-BBEF-2A52E224BC76}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 118366.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3308	msedge.exe
3308	msedge.exe
224	msedge.exe
224	msedge.exe
2040	msedge.exe
2040	msedge.exe
1632	identity_helper.exe
1632	identity_helper.exe
4684	msedge.exe
4684	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3416	msedge.exe
3412	msedge.exe
3412	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1756	vssvc.exe
Token: SeRestorePrivilege	1756	vssvc.exe
Token: SeAuditPrivilege	1756	vssvc.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe
224	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
956	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 2112	224	msedge.exe	97
PID 224 wrote to memory of 2112	224	msedge.exe	97
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3280	224	msedge.exe	99
PID 224 wrote to memory of 3308	224	msedge.exe	98
PID 224 wrote to memory of 3308	224	msedge.exe	98
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100
PID 224 wrote to memory of 4496	224	msedge.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\moneda.jpg
1⤵
PID:4736

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4512

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2832

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Users\Admin\AppData\Local\Temp\A639DF76-BBC9-404B-B35F-B15C3C9A731E\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\A639DF76-BBC9-404B-B35F-B15C3C9A731E\dismhost.exe {5DCA20AD-C889-4C3D-8C69-1B414E70F8F9}
1⤵
- Drops file in Windows directory
PID:928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9a843cb8,0x7ffc9a843cc8,0x7ffc9a843cd8
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
  2⤵
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6876 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6164 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,11080115470208591486,739359787713755389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1016

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E4
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e10a8550dceecf34b33a98b85d5fa0b

SHA1
357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

SHA256
5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

SHA512
fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b1e59e67b947d63336fe9c8a1a5cebc

SHA1
5dc7146555c05d8eb1c9680b1b5c98537dd19b91

SHA256
7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

SHA512
2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
29KB

MD5
c9bfbdd5ca2878d0c3e29eb6ee1b2fbc

SHA1
071693a9aac5ade31f06adefe89e4c07c098f11a

SHA256
58815bacd261e13e020ad6ef9917c2f66031f5bd5aa91ae855ce0d4f657f696e

SHA512
c2d3427bf1211e0927218662e87c13b169689b6215c6cc446d9f7b63774b196223d19e438a45d969eb668ea950adbc096e7c61625dee299e74686c54291233ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.1MB

MD5
eeb2da3dfe4dbfa17c25b4eb9319f982

SHA1
30a738a3f477b3655645873a98838424fabc8e21

SHA256
fbfee0384218b2d1ec02a67a3406c0f02194d5ce42471945fbaed8d03eaf13f3

SHA512
d014c72b432231b5253947d78b280c50eac93ab89a616db2e25ead807cab79d4cb88ffe49a2337efb9624f98e0d63b4834ab96f0d940654fc000868a845084fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
57KB

MD5
25c2f88b56ef24fecaa03dc7ee551b2c

SHA1
e18efefe61fe8828a698ea996f23dc742a9fc103

SHA256
d9c6ad673596489234741f47547ce41ad6cea25bcb7db1b2cfc1e75581e2db2a

SHA512
2a9fa8433248ede840e883b7c8b5e6a74d7ab50597839853ce96b27c37dd3744351e1bb1ba4d26b6e45597bde0e7e6a3f0a6021d5f635ad230e0141de92dc719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
92KB

MD5
2d90c58cae1e99a45f87dc59484dbf12

SHA1
e3fc1692840e44544cbf3f44cbb5851618bf5c9e

SHA256
22714ebb87afb7d4cc7e78138f0d08d5377cbb6e974c081434ccdf72dc3f7422

SHA512
986e267b44465b953405f4f3e7a9dcfbeb76731e1c09712ad4eb03cba43ef1b16e178eabc4bc83d52e5bbb6f882899269ac0c45990adab7963696f80a4064a01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
62KB

MD5
aec3cac6e0ea653f5c0a0709525eef84

SHA1
7fc55ae8ecf988ab1fb70a145509156ebc07bc5a

SHA256
67c08fad1d1ba790d50f1616d01c76e5986457eaa3f211ea46811ab848e67e74

SHA512
3f11071f946bdaaf9b054d0a2871e77422dee07a27ca464588cd30a2772a269fdca58bf6fdb3cc34c8ba84140a1c476c3088712aaea33f8cf048fc47d97c7277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
41KB

MD5
683baae00c9fdf3641da4c2e0af3afa0

SHA1
1f5fb97a315cb6d31832627ef7f2805603296db0

SHA256
648ae212d63524b1f46a6cb01df5b64f430645f3b3a8974eaab26c21e4693ed3

SHA512
1bea8d21bb32a041f4b01a97a57ee819c56818bbcc599b359d1a0020fab57fc8c9e7a8d29563149310b0437dd55251dcf7f204546f5e90e4fd09448442a47a6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
05f15254d091bd8d6cb4febfda4830bc

SHA1
d07263cfa9d7481967bc0bc1891f2e15370ebba5

SHA256
ee6e6f03138d8170b2ba37e51c0a10afd9e72d741fd82446cb0421ed11745c0f

SHA512
d1025c5f8c2b1885e344b0ef65418cb6de9ac2bda1720dddfaf0b2d2587f19d701e31ade996f4620c8ab8e7b2af9e88c92395f90e3b4346409af9923e10ea60c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e2491969698c9c8c4fdf5125010ae95a

SHA1
5e49ee93ec6cfd9d15f368922266cb460405420f

SHA256
74d207fc4e9077a916f0adfddd1690a185e78d2826d735dd31e2ba67f539ee9a

SHA512
9ec43c23f3a65cb4d30c1d1c9fc74ef142436679d9fbfcf37d46e5a6a30891a53ed7cfa295f9746c52dc784d7fe7fe114906a09f7371d99d64197cb9f43ca771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
557B

MD5
b7d9ee57dd81e4b446d15ceca0043100

SHA1
b002f5618dbda5ca9800e18ad0608efb7676dfbc

SHA256
bedd839da5e4f6dd568079090656d0c7bceb8838b59f1f38c7e25128bd7fa88d

SHA512
f5c760591a58a2508741f0e0e2c09e2855fe7b999250f05f787e941ad2417bac19d5faf68627713d0f34001024ef07e0df1253bba74fc97387c97311e7661782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
635B

MD5
2c04ccc96496a2ecdcca3428f7608e7d

SHA1
4d45011a525ac102320ffdba25089f1d6fb25352

SHA256
0e35284d049f07bb766fd2800b68d9bc07b6d0b588a17a50e2f0a29f1d524d18

SHA512
da74cde3d19fba4e358d3821cde716871c051f69415f33fac10080af379bdfe6b243de8ce82d69f1f282bdf626b67e06b375351ae9f8348f37e323e3d0f3568e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
635B

MD5
01eec7c0a3a1f625d305a286b3c69280

SHA1
1c4064d2c2170d8efa0b731813d923acae50adc8

SHA256
877c1dead2062d53cd6c37c1a56622eb362083c353bb101f81f316151c87f587

SHA512
199e620206f750419020d861bc93225a8be7ff090c0bd4f748a684ae1a4c4cdab4bfb445557bc7d3940b8b8779e6a58dddf86f3b319e0f3e7b7cacd3cba1f446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
927ff417e4aa55876bb0cdebf3521679

SHA1
1e9a8746e1d7ba445a5ef0c0e2327eb6eb77bb32

SHA256
a473896e89633b63425b3f965831f81a8d70938a171fbf05e05edb5554d1c5bf

SHA512
a60190b984f2d7e62456b0caacf6a37947fddedba92e689e4574d2892abf8a364ab21b2d103d7e29b66637e8b256be941659923230104ffd69f7d76e10c4570a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
033d93cbce68603c4be97883864aaf38

SHA1
40dd64830bf097c230359dece598c1e2e54150ea

SHA256
f1fda1f53f5e66e7c59e55dfb09abd726f8068a91c87eadab03b08792c07694b

SHA512
8d14405cf784d0e322bcf8629252139cde2ca192e5df082d3c2c68551e51f77271b854187472fb75755c2e7afec36d8d5ad35ac8abe5996532844871e29bf2a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
699ff1d1b77cee9c0238e68d524d953b

SHA1
e277e5353e17621d01e6d63b47b6da60a1f6d247

SHA256
d4bebb9792d1197573576be5433c9624a559865587494ccbf2cee969841fcc9b

SHA512
d8797fb943bf73fb9e0368092f499417f12f38ae264b507aa58e516c5b66485c62c58a2db1c7a198ecc820a9298c975473a03bd734d80fcbc85afd7906461688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
733749b7b106814aeef9265cdab6ad08

SHA1
8fd1356acee2058546b92e307933b155104ff544

SHA256
5a18304586f9a0bf2bb829589b7bddff696a589201210f7941f54089cd29dba3

SHA512
4450fbe6bf2be908f2f705aee159b14ab658e0d66b8253bf1de500883a5635a399450e7a7de269fe5677d2ad54ef4a1861c2ea172fe404e83a77d0f96251ba79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cc60b575814857b813e53eee9f01411d

SHA1
33f3867098522f8e06376ff046d6b9acf6b195f7

SHA256
816bc44e6c8ab8b53011f9ace3a12b5e186cdb91c70d10a0e89a37e6457f4786

SHA512
3054073acff0fa14b903369dd43c600ecc3db3c981a500ddb799911fcecede3f640279ca889b80098b49a6e65c9fc787905391a4d1e1e721e69bb96f8832f193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f1fe2c5a0b33745785a5dd4bb3cdf27e

SHA1
bfe96aa13de3d2163bcde7790a158585cacf61b8

SHA256
8655383b493509d0eab7250b02dea3a0835e129d9a9305fe6b0aeed72bec64f7

SHA512
c84046ff05511d9edc3b0f925a58c304475e2aa571029ea31341e9c7529937cb1f044a43da68fb31e673d6baf0a3e4550ec546da0a4a710afa76983c32e2cd04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9152cb5ddc70fab3ce4daf56640bfe4f

SHA1
218e8ac27ad1af45aad6785752b4f660b94447d0

SHA256
7baf528f44bcbfd10ba924772b1a25b1e9900bc9042757a30dcd13dec76af23f

SHA512
534d8940cf22c7ec3499f3efa5cb962e1ecc9750ab4838941a426be543e55c81cc3a7fceec11beef294bda5cb9990bfa76d7631b5239d6cda04729a177f6ec24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
54c3f87343a236fff898a77c9cd1a541

SHA1
a598a771397fccecefe54cd8edadfec4a55b5215

SHA256
7db39f90597e51287fb9f366e77868c000dc830d003d7ddb4738d8f08ebcf005

SHA512
a41c5f2f30150c8cd48fa41eaf9bc1387673e17fbbe0e81037add531cef4f0132dac1f6f56d8ee170bd0fc7a9b8ba156a7eab92004338fa4fccced333c4bd9f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
868B

MD5
d73aca86ad3723f9698949e2826a9089

SHA1
f040ecaaefbeedf8623a2e93811806dd396e4924

SHA256
787efbc3bccfaa455ebb5d2587adf40e2b3e03f748e28ecf1b42bc9bf4dde5da

SHA512
e25ff2e37f1578eed7a4c891da4740efa7e15f016351ac1d046c374cb5ac2ac7f50a4e70e113100823e63a5b6fdef6a6530bb3ac60d1d876a71343f3e27f8d6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d524636861a0a49437fb23b23a8a705d

SHA1
e6cdeae1ce7d028daf81a4f1bcccd1d1bc13a459

SHA256
525bdeceb2eb54961121ec7d9e83060b01e2f2c2ea96748bc7d9ee58b1a65644

SHA512
89907bdcb5260f4f9f16afd79734b260a2813652c563f053381704bc356d3ea0e255c312f161232c054eaec3eff68dd579f2b72e3dcce9e6362ba7d09ac8c534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
092c0fe1243c2fca91be5afb96a94ee9

SHA1
1392f9b7604547faab6e45d5beebc5c700cd0ea5

SHA256
dd502aeee10d2add5bd5071d40d99270c686ac6962f7c2ebcd99ccb13a58dd4e

SHA512
4b5da649115f6c5e1f2b257aff77f6af27c7d5903ef37b304fed733fc049c9fc4e50cb7e79321b6fccd3f98cc42d59d3416267cfa5441aca35dada52fdf8a66b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
871c3439c14b8edda6ce4611e2c641c5

SHA1
43f0f532dfb0db519a41264afeb544a73d8f217b

SHA256
52813e16b522c88e7728602c94fbdbc09373850a8e6b0941999471304e25b926

SHA512
8ca65b7073d0dab6f9d3a3a9aeb86ac8564585d78d6764097d9fb1dcaae392887c483a554ccc729e0a86add88ee5a4052b131af21c217ba1adbd94cb8864e597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2987c41df1f04be562ab2fc3d64fec45

SHA1
045fd5fde194f868aa9ff9f37ba75391df4bd8c3

SHA256
7ef3a0636ed567da7885b35ac3adfb32a146af820d02e412825157352a06e826

SHA512
7f40d3f7aaaf22daef653f7c5c06a1d3e5ec744c43bf606e569a735a800cc81399333e3ba1b0aef33129f8cc61b2761b5033d31c6291cdc13632991c9cffbc0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f64bcf666fd6a9e9f2fa3f02fd77a6f3

SHA1
5fb1f4f7d4a86258e496f2ccd2f8de884fe73ff2

SHA256
fc61b47726ac36f1487f97e2c76ec0b30284126fc1a9ecdf9e55fa3427258b1d

SHA512
1bc1e7970c777f207e43768a620977d94c8ac9f5c24dd6a4da5428217eba42b65726f5c310a8817610e0916951e1087c5e8b2f45abcb37ccf7dded551ccac6c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe590390.TMP

Filesize
868B

MD5
6ed2e7f2e39538dfebecc1250ba0fdf6

SHA1
92af817587b2c3f89d95c335952af13f17b9bbb6

SHA256
d5d444bbdab68f732bb8a5874c4e79a7266d6b715c2069cee5b0c098702a66c0

SHA512
8121a62fe814f1ff78ea956786ae820960bb446915c664188a538f841d085970270e0ef7728dd82fcc8a3c044d4f852b3e93ddb4df8b7dc64b90b6c9cd29352e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fa9a439faca9953459e0941c4d8d933f

SHA1
511f5533f0fa71c1b98077be0b9227edc7eebaa0

SHA256
68402d220d0b4168208f3831ea89f7e7bd1ad18639cf22e2cec3047e272991b3

SHA512
976e7b824de8c893b175c37907de8a1b0e8164570baad95c820983bd6aefc58a3f4c54ee23d6f009b96a5fdf720472d5ce3c41e2dd95a2eb34a5951d26131733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1fd39e7c29d8c04e6bcc6c43950afdcd

SHA1
d70d10f67093803a211753dab6763c3ecc985de0

SHA256
f3a4cb3128cdb9b886ce0b2c2e116862278fdcc10aab6cb977cbfaab75fa2579

SHA512
1f4d9ddece44373e6bfbd7b6e0a03e61192778ad0f307681c6b1a7fa3224f467c9b69d4fbce5e495357f8ad1c87c5bc8cc009ff1ca2bd63a34aa9d364dce180c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c50e63bae9cc5959d5762f4e8564d833

SHA1
ee277dc28a60a609cd1b96bedd34035aa071581d

SHA256
5113d87ea974e09b738e7120ee9e36731e8db279912f51a913c35c151799605e

SHA512
500cfe024f2fbf2631049f54daba13d34e3c64bb4570aa6083ed0beff5759f444c701ab0d2fcbc12eb982e2aa1047b00ad942f179f67232809d0c1a39f086bf9

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
82678367fa4297a26727ccc84e0b2f60

SHA1
0c65ab90390566f7d2f5b4751b9027f6bac1d22a

SHA256
fbf7356b28e05edc871dda40b318b147e6d07ece028da3d67c3cfbd30bfa0f29

SHA512
e5474444eecac25a06fe26a22dce9aa9311740dca264de1c824a36a7bc55216f301e934667fe0b9c3c7b062694f8a37e45ecce6b3889cb33bb47ecb9bd198db5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
1d76b6ef2e98f6d7a3afc909efde353c

SHA1
e8e5e2cd338dd1aedbd88e100fd5ac8bbcdb7817

SHA256
fee0aaf3d16d045bc18da1ab85e38e4233a471716e7e4c7e7387bab10c35359a

SHA512
26347b69921472b895a21b6f299c5c75dab9a962cdc16ed6d2ed4aa9dd168effbf0ed4e12dc8fb0110ccca078e64f76b4f893762b7f422291443b5da5d7c69e8

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 118366.crdownload

Filesize
2.2MB

MD5
70f3bc193dfa56b78f3e6e4f800f701f

SHA1
1e5598f2de49fed2e81f3dd8630c7346a2b89487

SHA256
3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

SHA512
3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

Download Submit