hxxp://edu[.]mon[.]bg

Resubmissions

24/02/2024, 18:47

240224-xfdk8abc77 1

24/02/2024, 18:44

240224-xdr1tsca8s 6

24/02/2024, 18:39

240224-xas4qabb22 5

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://edu.mon.bg

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
101	whatismyipaddress.com
102	whatismyipaddress.com
100	whatismyipaddress.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "231"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-910440534-423636034-2318342392-1000\{42F5E0AD-DFEB-4655-9F15-67D1D7B942E9}	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5536	notepad.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
3444	msedge.exe
3444	msedge.exe
4740	identity_helper.exe
4740	identity_helper.exe
1696	msedge.exe
1696	msedge.exe
1544	msedge.exe
1100	mspaint.exe
1100	mspaint.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1100	mspaint.exe
6132	OpenWith.exe
5176	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4016	3444	msedge.exe	82
PID 3444 wrote to memory of 4016	3444	msedge.exe	82
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1076	3444	msedge.exe	86
PID 3444 wrote to memory of 1920	3444	msedge.exe	85
PID 3444 wrote to memory of 1920	3444	msedge.exe	85
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87
PID 3444 wrote to memory of 4984	3444	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://edu.mon.bg
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9b3a46f8,0x7ffc9b3a4708,0x7ffc9b3a4718
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2992 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7764 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7904 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8124 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8344 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8496 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7672 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9308 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9184 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9176 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9028 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8676 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9984 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9976 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=8724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.CdmService --field-trial-handle=2004,10710611717377094319,8522257522941938369,131072 --lang=en-US --service-sandbox-type=cdm --mojo-platform-channel-handle=9632 /prefetch:8
  2⤵
  PID:2184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x4a8
1⤵
PID:3592

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\CompleteWrite.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:5148

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe" "C:\Users\Admin\Desktop\PopSet.reg"
1⤵
- Opens file in notepad (likely ransom note)
PID:5536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa392a055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a65ab4f620efd5ba6c5e3cba8713e711

SHA1
f79ff4397a980106300bb447ab9cd764af47db08

SHA256
3964e81a3b4b582e570836837b90a0539e820886a35281b416e428e9bf25fd76

SHA512
90330661b0f38ca44d6bd13a7ea2ab08a4065ec4801695e5e7e0dea154b13ac8d9b2737e36ebe9a314d2501b5ef498d03c5617c87e36986e294c701182db41b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
854f73d7b3f85bf181d2f2002afd17db

SHA1
53e5e04c78d1b81b5e6c400ce226e6be25e0dea8

SHA256
54c176976e1c56f13af90be9b8b678f17f36a943210a30274be6a777cf9a8dc4

SHA512
de14899cfaad4c312804a7fe4dcb3e9221f430088cb8bf5a9b941ac392a0bbad4e6ca974e258e34617bbffff3bf6490fa90d8c6921616f44186e267ddaa02971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000052

Filesize
32KB

MD5
42934682695fe7f27319777509d96cde

SHA1
8b754e2ac6e70554bea21cdd04cfb1a2e839ae16

SHA256
47212d4021ae3fa29e41eb54f8368b6d4fde0b30cbc889dff2daebfb127c937a

SHA512
8bf37d7442736ff9413bf7ded65b67b6f13fe4eea6417ebdde438a2de41f9ebbd9185701c4926514a83fe54da2fe4b834d8c87c26859f9348f69fe5579bfcd1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005a

Filesize
61KB

MD5
1971e737391eabf87667012e84069a5a

SHA1
8fd29644afc6da70873c25f9bf9d1c495c759843

SHA256
c9aab23276584648e971c3745fca3bed6d9e4c7e373bf3dc7ad316f2aef42fd3

SHA512
23062a1d410b69532d3bf97ec7d1fa3c27e974613326fe3a3d80f909d595bda78f2ba366bcd612e494ecee1af1493264d0044a26fae604466e5437a25da6280b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
216da8ac608737e4720ee7e865ae6330

SHA1
ec4123ca435e6c3a8806ca687bd49a856a577044

SHA256
8f7eb1e126701634d2c3848e7d68a30f9a9b3703f6fcc94ad6180a358b17712f

SHA512
88d099e67ddddedc2101f305e09d3c707330c8dd8bb69d1bf394d9d269d8c5f64336c05cb248cc641854ae80a2b5e7c72bfa9210c14da4e52b57682852dd1f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
dfb33d27d445405fab42efd3f8c88015

SHA1
74c73cede14d7cb5ff7381835ef57e198371d260

SHA256
2110c08c4656e7f58d2148560ec31abf9824cf7159a84ccd0246ece168ba1366

SHA512
772826272b5264f18762d45c946a247ac4cdc3aaf0846bf1ef49408f8ef9d7b70114279a8df6e8aeadf22b24a750327f444baa76847c94860dc80f4f12ff28f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
e0102bc9609dfced0365ce14f6227217

SHA1
33a600afcf76dd42cff921280ef193b26f5dc06e

SHA256
5dbd8ab888d30bbabfd13773b8a5b766705b6874950188ac764519e1b1b9dfba

SHA512
0d79db2c0ad0cf0b7218d460b97aebaa88549ca528da75fc0ba0d60946daac6dc193b624682c1469f56e4ef39babc39b634551185e88ce303c3d542df30cd029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
d77ce047cd53caa6a26a4610fa3f4c81

SHA1
a04f68c301b5e2e0d73f6197ce2f41f6a274f2ec

SHA256
dd317bec2eecba65f35847b1db919accf02c4d21f2d93a4c659026508cc331b1

SHA512
6d1c6c783a9a1f1b0af5d551c19d698eb5b401fe786302577d49482223f6e8d14faf2fcba6baeca5f8d8abdd5d622e865b124aa122f8b3c73ee1a76e9a027f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
946B

MD5
5e79fb96cba80ef891dc13895f298f2b

SHA1
60a3d969937207b93c023a543e74e31981169508

SHA256
0a0c1eba5fe5017de0506f246810c28ef329c271675ee5017cb5ce1d4dda6b4b

SHA512
3521ebf4778d0156cfcaf3b2aceedad49000460da1963bf0cc3f22eecb2f8f0fcc44fdba6df01bfe931f8c961f3dbfa42319d360d5042dbe5063e1cbac670651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a4858d9fff1c5f4dfa886fb0e49a84bb

SHA1
218f62b7f6d12a3643ce5e7a97272c18e8bf22ea

SHA256
34c18ef0675b15b1b672c456908a60a39bb2152c8860de19f94af4195e181cd7

SHA512
35f7ea5ba9325e01417073881003570e5eeb9e4dce5bb38580a322aa3b47e0063d426c9882014c15c3d851fd0ffa7f3b01c40f87c95e866c44383fcb6cae7e1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3a39e58ce2c1def1dc1fcef059993ec6

SHA1
5fe5595b5cefd3c6793e8c6267af5e1bad3b932a

SHA256
6255b5792f402a3e1ef3595fccf2ab92faa5e7581039c7c0ae76ce7b5cd33fe1

SHA512
722c5cdce2f6bf0b76c2fc9d4c1ec9f52c384cae325e736c9840ab5226ac2b9038d72b405de5923ac7dd6228274f4930308a61b74ed630a91423d42cd9d677a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
874c7e3ad36ebeea074ba537bf9819fc

SHA1
6674a3e033d9c8ff383bd487169733f794484ebd

SHA256
ac75476887456c852e2fd3fdbc619415d3e792b731d1a622df598f97ae5e8a82

SHA512
916b32088aee60e45dfedc79643fd46ed4f97ba1c1cca39ca56246199b16e0778c5b7700108d0e21a2f0ed2250677e3a80b03acc4cf49f51fa41e180ea53e791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d37ee1d57b38b69d0a214d58e96f31a

SHA1
e6e1ce82d5c7c102cf02836fa2c6350a79d12d2b

SHA256
0113f8716469fca1afb48c32ddb8c4984e1478fa76eabb306511aa8b37f3af4b

SHA512
7d03f617af43cc1ef577458846fe442e40b553cfe0bb4f7bf7fb4423aba410fe795d04e047214503746cac6b978b8d4feba8180a9900fe2cdee94fa843871ef1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
40d92d557989e7965625c8dfdaeafa76

SHA1
fdfde67a3487abde3ab4c2c0801f3acc56984bda

SHA256
69d78cf1157ca842017454b0885f26a9df6c994a304d7e493c939223a60c654c

SHA512
b15b213f65db81ef6495c31dd4b8be594e1945ef450d5aaf9a3192af79f74d8f16f8831c6e6912d0e903a8b97e2dc234c2b48370212b189793a0a0b44fe13c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5c5d2657a8892b0c52ff1b1478b184ea

SHA1
363ea5f92e983c865a9ac798cdf74f86be7540c7

SHA256
2a3a3ef51138f126cb44ec952d9d737c1a1bcc755acfc479b0332030790d7369

SHA512
9c39d0e87b8c8b8f0bc8b4e2450abdfbff2c4ffeffcfa2fb58fd3828968f9368fbe66be72f5ba19bc2bb4e858c00aef523c9902462205078a98c89695db0ca16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
3e55eb9cd8fd44e3246a8c88f31e0cf9

SHA1
1cedcd0ff5edf43b73d4799fee819f2d51892136

SHA256
24567edf5347424a0b2f4ac46d6d890c825e1cc8a79bb1d3709a8eba0fca191b

SHA512
6a93a0fe3c532542249a7eb6c9c437f3f3c257c2bd9183d423854b45db255e33a6907e1ffba6af188f9279019b9361fc96a0be6a0d2d139e39a5355cb3209220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
861B

MD5
b9d5c6ca97e9266da912ad05a1dd8e58

SHA1
320caf02a264672f4ae3110cb0e4a65077a3e043

SHA256
339cdd28408369d4e0031479a94db40d8365161c0aedc003e2b9601d3eb4ec81

SHA512
81bb56c5dbb1a8d0e83744dd722abd96ecc9beee133fba032b16d7a69b4d5afb5f4b23b21a5a9ac1b124854ef1c86d86613ae4099a4433a095ca56eb9eb1b492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
5fa9096a89ea8ef98ee9550e794d6825

SHA1
4820b6cb81fe20ecf86f487fa81f21712acddbc8

SHA256
db29f8e68c684911ef03dd976406a209e2382973901f2243eee14585fb9e70fd

SHA512
cb0a3fded27c9fe0981957db5fe31b7ebb638e5e74856d23352fcfb3cc4a4d726def70b102593d7fe84f949e93b60356ea6683541f40580f2268b6bd5b42a6c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581567.TMP

Filesize
363B

MD5
0f4e2819c96679548369487d3367dbd0

SHA1
7bce832d64bfe5fa6f19d4bbcb4668832d061c6b

SHA256
3627d0c3cc7ebe927e58c8ddcd759d0395fa87c1b4b6303086859997a9831971

SHA512
ee56f62ebaf4c6838ae0a8a982bd96bf336a5fa3b0461d32ab96ac068958cc4e19f7ebb126a0963758c643a2c5b5fcfe1fedce3d2c228f6512be542b8faa705f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
23048504d62e4898dcf386bd2b45fab4

SHA1
5047dcff20626c1883c6a7a1019a225859265a6c

SHA256
a13deffa82b328e72aa697ae9c872efd5fe073279dee1e052ebeffb22a8e87fd

SHA512
7c3f36a8cf55235f656098b9ee181c8ee326cd4ca90e237875cd7ca90986b0ce5b6ceaac815f606d01f91b387c497a8888390927ddc3138f617698e9f7aaae5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9a53ebe114fc5f25761653fe63d35c6a

SHA1
3b395780d3b83707b747ae075bed7c6d74f05b6b

SHA256
69cbf7f112d64660242d067ab7bad2590b9f6cb59d85525cb9aaf6e213642c29

SHA512
824250c8b99c37a52d5d637e7dcdcbd5b72cd1e080f3a9f586215660e90cbb5acdde551cfe8d2493d9e452a30fed23ce58c4b9ad80d847cd61fd22302800f057

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/5788-888-0x00000173664D0000-0x00000173664D1000-memory.dmp

Filesize
4KB

Download
memory/5788-881-0x000001735D9A0000-0x000001735D9B0000-memory.dmp

Filesize
64KB

Download
memory/5788-877-0x000001735D960000-0x000001735D970000-memory.dmp

Filesize
64KB

Download
memory/5788-890-0x0000017366550000-0x0000017366551000-memory.dmp

Filesize
4KB

Download
memory/5788-892-0x0000017366550000-0x0000017366551000-memory.dmp

Filesize
4KB

Download
memory/5788-893-0x00000173665E0000-0x00000173665E1000-memory.dmp

Filesize
4KB

Download
memory/5788-894-0x00000173665E0000-0x00000173665E1000-memory.dmp

Filesize
4KB

Download
memory/5788-895-0x00000173665F0000-0x00000173665F1000-memory.dmp

Filesize
4KB

Download
memory/5788-896-0x00000173665F0000-0x00000173665F1000-memory.dmp

Filesize
4KB

Download