hxxps://www[.]xnescat[.]info/

Resubmissions

08/03/2024, 18:07

240308-wqp7bsdc75 1

08/03/2024, 18:04

240308-wn1v2sdh9z 1

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 18:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.xnescat.info/

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{39BB60DF-1317-4B83-B6B7-D9729203073C}	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2912	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
1500	msedge.exe
1500	msedge.exe
520	identity_helper.exe
520	identity_helper.exe
4324	msedge.exe
4324	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2912	POWERPNT.EXE
2912	POWERPNT.EXE
2912	POWERPNT.EXE
2912	POWERPNT.EXE
2912	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 3252	1500	msedge.exe	88
PID 1500 wrote to memory of 3252	1500	msedge.exe	88
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4316	1500	msedge.exe	89
PID 1500 wrote to memory of 4480	1500	msedge.exe	90
PID 1500 wrote to memory of 4480	1500	msedge.exe	90
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91
PID 1500 wrote to memory of 4364	1500	msedge.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.xnescat.info/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad5df46f8,0x7ffad5df4708,0x7ffad5df4718
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2216,15249860575540521678,1101186306174962749,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:3664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4728

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\MeasureCompare.odp" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
194KB

MD5
f5b4137b040ec6bd884feee514f7c176

SHA1
7897677377a9ced759be35a66fdee34b391ab0ff

SHA256
845aa24ba38524f33f097b0d9bae7d9112b01fa35c443be5ec1f7b0da23513e6

SHA512
813b764a5650e4e3d1574172dd5d6a26f72c0ba5c8af7b0d676c62bc1b245e4563952bf33663bffc02089127b76a67f9977b0a8f18eaef22d9b4aa3abaaa7c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
67KB

MD5
88a552e6be1ac3978c49143983276b3a

SHA1
dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423

SHA256
927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5

SHA512
125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
31KB

MD5
58e7f729586cc870ad3f110fd7b8aabb

SHA1
e65d1ff5f12cca43c04aaf9bb61ce473b5a82882

SHA256
62a49b907b76ab2500aea2307fec57623d119f26fa4e54547aa716838c870f3e

SHA512
bc392ac998eacb5b2a7fdf5fa2da0f9ec2531fa5f948cfed445cfb7e6ba5abe3517d27f2164bfea7ba58a0e7485ec20642a3775a8e1b48fafeb4907dc5da7fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
1.2MB

MD5
169dfe52bb24a44b10553d6a566f53eb

SHA1
6698d8afd49a74a96710f1d6ad05ec7b534d9250

SHA256
0c2c5f039d20f356adb7006d384381d7b89b75ce7d388fa9000de6d50176191b

SHA512
b879138d5269c4d9bffc5d985aed9755bf73458678b1bd6b18de53143e79e2ec7425532a2a5c61821097c34f780c4e0b9612e04de1600e9b6f8bd252d953e478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
6cdb009ab8c66ae6b7df1b7a2dcbadd6

SHA1
8e75c8789026f10b0726d6294f208515dd61b4fc

SHA256
eb330280e001be13018a4ebfc9a4650ca3657c7caca83c676dd90fbb68d4de20

SHA512
ed648b761a36b2a68414cf5efce927eed9ddec0a0e0897f8074cc8b18c9d7f40ce7e945439b4bd9e09fbee73a4ad6c8ae85c49862b7ee084c8e63b0fa9757c26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
17c705cc88ad733dc7cdba503bd6398a

SHA1
f502e2287b9392753be4b538fe3d064af57e2e4d

SHA256
8dd9a2a8b3ea02aed6a5a0e8433e6a82508af5e02ae8feefc1220efcb09485ad

SHA512
9ecda9e1cefde384ae0c4a8f9f37301f4b6b56c1b1f05375aac3c7a5dfcc99360281a86f3da4be8a82a8aac72d06065a617f818460d0c83bd3dc681027bc90bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
eb53efd815df8dfc3e6f9975518d3a4c

SHA1
7bee8972d3a5dd80d199fc740ab23773d95021cc

SHA256
6414b21ff2dadfe4fad939629b1226fa1a106c63f5d56cf0854be37d67db6629

SHA512
e0e04ebe2b6105cd11f7fc4f69df332069c1d6561554ac93737fc237469ce820a4c9ae2f8374d0ec6f46bf1dfb271e908f5535f25d7e27e088c2cfc2f33c7684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
f190859c5fece69bd72c5951485f41d2

SHA1
33f3ac0a2e7eb35b5f2eb2be936b9636bb0a663a

SHA256
39d55bf4850e2c6f889139bc835d2de4c7b6231389a7dcc269cf372ff74f00de

SHA512
fd43cad9747eec04eeb8f63e48bacbdd87df1afb67627ea30855a8b113e31ff1d59a4e9ccd5f0df73e1e11d67d010ca1b240d58e44763b83cb69cde2b393fecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef7c7f52fc9d2c81bab83e37637f87b3

SHA1
2e15eac261c17cc112a08465a45cb93d1be06306

SHA256
8d1065f8b6b2a2f1de68188ad93773d9fa62756a43fe6bbb4307d15779bbb296

SHA512
6c4d1addac159c0088875f3ef087fb1adcca44ecc211b6e6e1948316aa292e859329fa85f9ae0b0f78baefb0280122fa46c7410990714b88dff1ebbd7a8054f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4d8cb2d943873e125d617ac748d66248

SHA1
f3a65c638540af95b9406ab873e03c283bf8f855

SHA256
25616f0e9b570349c50b802f682ef2844aeee651dbfae4707c49e9554164e368

SHA512
2ffc21c670f584c12897fef4143b68760c6badc2d496712855bb6d1787a5874abe6e23f21e25c4d0c577e6eda40fa2da6f166114149f66726af4126f6acde736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b0663b65bf98293d553136681187a37

SHA1
b14e89000accbd338caec52d7d90bc5f4d87688a

SHA256
96e626611f7f4e50185596689a0217cb06dfac5ba255735ace2c7b4226cf117d

SHA512
1e4dd092956c47a26c09a5a0cecd3cae90e1712988c49e02d517da105b194e87a5795535c72f562846762edfd25d736da9552767c7007a911583f6b8432379a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
41a1b9b5cefde83897e258cf341703e4

SHA1
9c68ec7d819d37b4127bc2d233510c5c4dbaae83

SHA256
eeb754f5e831749d46ada291db1d68669fbca54ec59aea51484c58a46677ef4e

SHA512
5affdc139296c5d094ed59bde3ec2f4af763b3bbcc438297941d7cc1236ce7905477752636fd1b45f2342b1c88b027a6944b749cf28dc60433fdbe81c36c03c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c1b56cd4bc43e8911ad16255658930f0

SHA1
9e3d5b0a8e3a09a715b56b9539db9489f9ce9e8a

SHA256
5c57fa31dc811a99cb745c3a28b980c0ae5f9612900c6d8c51dfaf0426a24d98

SHA512
d39fbc08e54acff25fb1ff594c4c7a677186f079f6c25aeedf4a746a40647b579997a553e9711d9880b92f2685c3495767bc78c299b50b43408434b57f81520f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
50de12466796c2f584f4fa97b75896cf

SHA1
736d69369f445b61dd7273659adce57659087ea2

SHA256
fb2aa90469e6ddefd3b4ac49f21e89b583a2b765a2fd6ad5b7207c8c88c204c0

SHA512
d7af4525c45f8e06a839950c08131bc536213cf37061c8a0438183021f1e78cee7c000d160a02bc8113669f0504cf7ae2517a3ef9edc751044ef677f4971a7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9b4be44ffe3a2b295ad87b4f1d0f6d9c

SHA1
18e5bcab46b046e4dfd07af37f230c9cc0344984

SHA256
1c145d8ac830231c96ac8aaa93d7eef8fc53ccbad8d69728190b7467803098bf

SHA512
45b14f88f9271dd8ea85eb5945ed75172ee14156e286bc3c053158044becbe5ae02adb2aee4bf05b25a5f58a5d586ea14acaab3063f08e16d7634318c5824c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3d4b413b3c2b81bd3aee14338df8cc01

SHA1
a004cb3a85b42cec09952cf8c6bfdf59db4aa80e

SHA256
64eeee4e0916459d4252e4f729d60326809bfc0ebe37a82006a51a846b3a9b86

SHA512
4f4f4430415ee09ffdc48f7f6597c902ed37957a0b26cf119db977f8841c5c95374b8aec109451203c871c68ff3e18f65b7c1bb5feb37b3b0acd636c069b9fca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3b381ae085a18e57ac1d78b30601567c

SHA1
365c36e3e782fff23df108cb33d57b427420b87d

SHA256
0030238dc6a516d4811ac787b0bd2bb74e90eb52709c91880a57e41d8354acc0

SHA512
f90167d0e55c5fec62803a34096ec7847424e4d4e547ce1795626ad502b3deccf94408304e7db4a1517bd9dcb3196bad470852b276ea16970cd157b62ab39a89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
03b9c9574c49598ff067357f57b481aa

SHA1
0804e6a061b5d03b507c742ab8463cca019f0287

SHA256
a1c6aa465b4ff232d880cf7bff8f3c0a500a39e82fb7c234d8737d2bdebb05eb

SHA512
7a7f5ff52786ff055070fe26013784040523bf4c934c18359b9586af8ba188df936388805af75d876a0adf1371a26b2634dcf2774fb86aca989b034cf297284a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
60e078516b529de5f5531798b90f9e96

SHA1
a424e7d07a736229782f99e6ad809e530ce3355e

SHA256
da130f72ed2cae613edc83cee401dc042f9fb212849be010128b0510adbff160

SHA512
c1fef9bd3d4b6f9a04fc15045977e5d5c2fbd272610b8723bd350874587894b8122de73b1002e8fc570c3c4625defb6a1af5556984a64f7e13cbeb647d676f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583861.TMP

Filesize
203B

MD5
4b8d5944189b2beaa1be95cf859930a6

SHA1
89c988b1b557dc96afe8b0c8acce9ea8cb823c3b

SHA256
b84d4d768a0b3e8df026a7f314e2721d6e2dea712ff55a041fdb4953b1487fc4

SHA512
b6f985fa1c219a3d5d5a9843ebd39e74aad021f7c5249bcb7e7fd1ce8597bd9dddbd3e7fbc8b47a0b07a37141d50769bd0e51f62d2574a7d7caecdd1bc16e38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Guest Profile\88291d25-0961-4334-94ec-5898756ab88f.tmp

Filesize
24KB

MD5
b0442867ea06b092fc56abffa55fcc20

SHA1
88129fd71dce7570b65b3024ff4ac638a20e032d

SHA256
843610b1106b72137b1406ea3584c6a8ae9c23e3f7b3a0ef259ec15960d885a6

SHA512
3851a18d082e06617c49b6bcd1eb77748a180e9320c4e69d31179761e2a13b5fb66306a4577b188b1d5582fb6835e3887de653e731fb8a5b097f30c417f9458a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Guest Profile\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Guest Profile\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Guest Profile\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Guest Profile\Preferences

Filesize
1KB

MD5
14f904f907e38d6935e4f30e13412182

SHA1
5374e0a4f3411a7f92c74810898f5d8bbd8c5416

SHA256
83afb9adfec5fe8c0895bea32d8704d0c8320f72e2937fa7b034f65b1ccca838

SHA512
167e649911f7f3aedb36666599f3ec6e8b75318b899dd239b1f1426c461f3acefabcb108393360ee423fb3256d8e0d7ba5b7aefd5d0660a14f430e7e1169aacb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Guest Profile\Preferences

Filesize
2KB

MD5
44ff8aaa5427bd82fe9d878e093c3744

SHA1
2180aa2143b131a1fd26611f8cce57872053a722

SHA256
73ae9fdcf37bf7712fe45c14b710e03b5caf3edf8d8e10cd317b50b1736de7ba

SHA512
f392daab41468f8574db41c988e3d6e436469313232819d86134db905135576348496b59f2b9cec0a1b13b80340eb861c1a883adcd57ef336bd5eb1c97c19958

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Guest Profile\Preferences~RFe58c280.TMP

Filesize
1KB

MD5
5841608408ad827c90927ccb5e00fb20

SHA1
ef83004e6399c360e7c2e282b5694ed71bef3fe2

SHA256
b5cffb378330e4fd4b62e0cbff7e514c787ef0b517ab26b4ecc9a33fc5c2f247

SHA512
a91442c8f6f885f791b2dd4f4b1efc44df07a827df282cf187e88f7bc5f07bcfaf963b32de769c0e73b3ebf23e4f482ece243f67311d28529b3454ef95ca7a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Guest Profile\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Guest Profile\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Guest Profile\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eb73c9e1a08fd51106edb010e852d228

SHA1
a59543e4f6fc94f412f7222d9a8b873c4e931e10

SHA256
388665475cd8211a0cff07158bc2156848b29da2b5db12da1a937f4bee3c4c83

SHA512
2676824d9f3b62429926b8b3254b3a1e39a985b1a3776e675d4c7f3190f38e781941adba4719c782f72969c23b551823ff9fadef7bc905523f5e1a8f26e234aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3e84018e0e2404e3538411d9956696e2

SHA1
4669746b0a6484c0b47be9fa4ddc84d17dc551df

SHA256
4c47eaf7787fe05f165978cc500ab0d6445138c5f0d1e3c94f83c2dd674dd394

SHA512
af95cac5eb90e3dd7084b866d1f8d0389812d0f5329628813709117631e3a4cb867c28b62812d550a415e4f202e498622cc4394ad40fa1d55ee9ac7d01840b13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PnaclTranslationCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
8539bc8cf39daa8eb4a4165e209333bf

SHA1
6332553f29850fa7289bee146300d57316c11b99

SHA256
96fa0011f96214f8734ad2d39665d8480b91c58aa97507522d1c7440b2bdb226

SHA512
8150d780220fe97b99b46d3b1708531530c3228ba74c5fd92e307a9a8e879092ad6cd003e578f5367f8d94487fe7dfa5a998c0d20438fe329b64ce420ecc2153

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
27fc356df9770e014efb935cc396fbc5

SHA1
e33bc43a616cf38506a9efc1ee2915f843198909

SHA256
150d2ff374ec0ce58c50c58c5eb2266b51fca33d91d02150bda0e6308aba410b

SHA512
5085c7b180b1b9c23771b0f86e38aac53340869f14f9853323ed52797a9e116834f5a286f288a3dfe9849d90a72b3aba6c0d82ea392154431b14587616452be8

Download Submit
memory/2912-984-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-987-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-976-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-978-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-977-0x00007FFAA3FB0000-0x00007FFAA3FC0000-memory.dmp

Filesize
64KB

Download
memory/2912-979-0x00007FFAA3FB0000-0x00007FFAA3FC0000-memory.dmp

Filesize
64KB

Download
memory/2912-981-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-980-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-982-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-983-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-975-0x00007FFAA3FB0000-0x00007FFAA3FC0000-memory.dmp

Filesize
64KB

Download
memory/2912-985-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-986-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-974-0x00007FFAA3FB0000-0x00007FFAA3FC0000-memory.dmp

Filesize
64KB

Download
memory/2912-988-0x00007FFAA1AD0000-0x00007FFAA1AE0000-memory.dmp

Filesize
64KB

Download
memory/2912-989-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-990-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-991-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-992-0x00007FFAA1AD0000-0x00007FFAA1AE0000-memory.dmp

Filesize
64KB

Download
memory/2912-973-0x00007FFAA3FB0000-0x00007FFAA3FC0000-memory.dmp

Filesize
64KB

Download
memory/2912-1018-0x00007FFAA3FB0000-0x00007FFAA3FC0000-memory.dmp

Filesize
64KB

Download
memory/2912-1017-0x00007FFAA3FB0000-0x00007FFAA3FC0000-memory.dmp

Filesize
64KB

Download
memory/2912-1020-0x00007FFAA3FB0000-0x00007FFAA3FC0000-memory.dmp

Filesize
64KB

Download
memory/2912-1019-0x00007FFAA3FB0000-0x00007FFAA3FC0000-memory.dmp

Filesize
64KB

Download
memory/2912-1021-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-1022-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-1024-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download
memory/2912-1023-0x00007FFAE3F30000-0x00007FFAE4125000-memory.dmp

Filesize
2.0MB

Download