hxxps://christitus[.]com/windows-tool/

Analysis

max time kernel
269s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://christitus.com/windows-tool/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1864	msedge.exe
1864	msedge.exe
4468	msedge.exe
4468	msedge.exe
5196	identity_helper.exe
5196	identity_helper.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	5792	svchost.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 4432	1864	msedge.exe	87
PID 1864 wrote to memory of 4432	1864	msedge.exe	87
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4884	1864	msedge.exe	88
PID 1864 wrote to memory of 4468	1864	msedge.exe	89
PID 1864 wrote to memory of 4468	1864	msedge.exe	89
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90
PID 1864 wrote to memory of 2820	1864	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://christitus.com/windows-tool/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd661146f8,0x7ffd66114708,0x7ffd66114718
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6788 /prefetch:8
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14144325418113120497,8965813461613113938,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6504 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4236

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
b7c752d1665d60ad895e2ac27b3c95bb

SHA1
31fb4bde147e90d482d827c5837ee2afa1b9d9c1

SHA256
1c2b7d8214280a94e4bc7321d5f4b7de4873fb3a123de1dc5884ac1f54ca83cb

SHA512
c70adc9b732880b66a5d4138316b6ffc6bbaca666e2ed563d10c615abc9c854638d81c03a4a53ca67f469c88c1b41cc935d43a8de869fe67e6ba040f8cc96afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
a1f429ea20a4be8957d3296fa3c291ba

SHA1
908e71b8fb838d7e5e4e22610f7bd788da845f92

SHA256
845d32069b8c0cf87667d99d2e507fafb994dbdc572ebbea38780d580840fcd7

SHA512
51dba22495bf05edf1c04ef1ede2ec1d4346c34a15fdbc062a3f966009eb29f948d956ef771f885155b190976c62d883bcbb52f3cf5afdb98f1c6b1981edc757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
de8adf0293af7d3df430a8abf3ee238b

SHA1
be9ce047f95b8f5b0d5cb89a6aa5d2622bf7fc74

SHA256
e6e9f7bb1adc443a40b28a729c0f69770d724ea1674f7c6bd22c77905c789008

SHA512
388126727139286bcaacdbf6793256c4fb4b927a27c2afc10361381e7b104e03e474ae0c7c1b460f97d9a3d9b89e72af106bd8c6e4f325deedd8286be92a056c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
41a876206cd9efdd3ffbedd01e381ddc

SHA1
c407f9bcd8cd3ce85af1beac43382c37771ef6ce

SHA256
53e90905639ccd50e8c59a8aac8b90db15a0d3bd3b646ac84303a467051d6413

SHA512
d581396a5ca3f4f5f98012f0f8e9d9d81a244f6f4e7da203c6d2b847f17796821ca48244142d73264367068ba3d4879c45c4b9dc98f9010aec63e7162fd284bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e1d64686a88a9a02447f8803bd7356ef

SHA1
bfbde30d2500a5c3668808ba86571a5267fbd04d

SHA256
c2c07ab36479264837bca8863decad9a5dd1c480a9552dbbe61ec30851cdd34b

SHA512
d77dfda5b6bde52017c88093f52930495cf3c45968219520cb6fac562f349fc1f5f03c7f509672ff89d1bdbf420126bba9fd0c65f3f9c232143e641883310a9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d5aed8a22340033fae92abf6a96e338a

SHA1
c443a2100087623500298eb0d1e74992423f1e86

SHA256
19cf6eb541a83df8e7eb214fbea3f64bc77e048e1463e2fff0bff1b40e906e05

SHA512
f71d3a9c6643771b57888192cee0d4d4933523edfc2abbf2343094175d7e304771abd458ea52eddaae22c5d9f817d9173b77d28f0055fe1af7947eb708901b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d115a94754721f791d6ca7676380169b

SHA1
633c22db9d897e8b4fc0e1374475b3b9857721ae

SHA256
74b85fc090f1c7d33d0b59fd463e08f359689615f3237a170075a9e692348c10

SHA512
3798896fbda63f20cbb29c2ff65384706d786c6b1dbdd3624467e81918bec744e5cce99d2f8f7a9f3d512693d2e520a6c21943b34109dc8281054953e883894e

Download Submit
memory/5792-287-0x000001660C510000-0x000001660C511000-memory.dmp

Filesize
4KB

Download
memory/5792-293-0x000001660C510000-0x000001660C511000-memory.dmp

Filesize
4KB

Download
memory/5792-284-0x000001660C4E0000-0x000001660C4E1000-memory.dmp

Filesize
4KB

Download
memory/5792-285-0x000001660C510000-0x000001660C511000-memory.dmp

Filesize
4KB

Download
memory/5792-286-0x000001660C510000-0x000001660C511000-memory.dmp

Filesize
4KB

Download
memory/5792-252-0x0000016603E40000-0x0000016603E50000-memory.dmp

Filesize
64KB

Download
memory/5792-288-0x000001660C510000-0x000001660C511000-memory.dmp

Filesize
4KB

Download
memory/5792-289-0x000001660C510000-0x000001660C511000-memory.dmp

Filesize
4KB

Download
memory/5792-290-0x000001660C510000-0x000001660C511000-memory.dmp

Filesize
4KB

Download
memory/5792-291-0x000001660C510000-0x000001660C511000-memory.dmp

Filesize
4KB

Download
memory/5792-292-0x000001660C510000-0x000001660C511000-memory.dmp

Filesize
4KB

Download
memory/5792-268-0x0000016603F40000-0x0000016603F50000-memory.dmp

Filesize
64KB

Download
memory/5792-294-0x000001660C510000-0x000001660C511000-memory.dmp

Filesize
4KB

Download
memory/5792-295-0x000001660C130000-0x000001660C131000-memory.dmp

Filesize
4KB

Download
memory/5792-296-0x000001660C120000-0x000001660C121000-memory.dmp

Filesize
4KB

Download
memory/5792-298-0x000001660C130000-0x000001660C131000-memory.dmp

Filesize
4KB

Download
memory/5792-304-0x000001660C060000-0x000001660C061000-memory.dmp

Filesize
4KB

Download
memory/5792-301-0x000001660C120000-0x000001660C121000-memory.dmp

Filesize
4KB

Download
memory/5792-316-0x000001660C260000-0x000001660C261000-memory.dmp

Filesize
4KB

Download
memory/5792-318-0x000001660C270000-0x000001660C271000-memory.dmp

Filesize
4KB

Download
memory/5792-319-0x000001660C270000-0x000001660C271000-memory.dmp

Filesize
4KB

Download
memory/5792-320-0x000001660C380000-0x000001660C381000-memory.dmp

Filesize
4KB

Download