Analysis Overview
Threat Level: Known bad
The file https://github.com/eemattee/Cozios-Imagelogger/blob/main/cozios%20Image%20Logger.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
NTFS ADS
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Modifies registry class
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-19 09:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-19 09:48
Reported: 2024-04-19 09:50
Platform: win10v2004-20240412-en
Max time kernel: 93s
Max time network: 98s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\cozios Image Logger.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\cozios Image Logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\image logger.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\cozios Image Logger.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 89465.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\cozios Image Logger.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\image logger.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\cozios Image Logger.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\image logger.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/eemattee/Cozios-Imagelogger/blob/main/cozios%20Image%20Logger.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef73e46f8,0x7ffef73e4708,0x7ffef73e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5364 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6156 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,12515577405969783804,4551837647273265935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\cozios Image Logger.exe
"C:\Users\Admin\Downloads\cozios Image Logger.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "image logger" /tr '"C:\Users\Admin\AppData\Roaming\image logger.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp60B9.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "image logger" /tr '"C:\Users\Admin\AppData\Roaming\image logger.exe"'
C:\Users\Admin\AppData\Roaming\image logger.exe
"C:\Users\Admin\AppData\Roaming\image logger.exe"
C:\Users\Admin\Downloads\cozios Image Logger.exe
"C:\Users\Admin\Downloads\cozios Image Logger.exe"
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_2580_WTINSCQASWZBZCCP
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
C:\Users\Admin\Downloads\Unconfirmed 89465.crdownload
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58337f.TMP
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Temp\tmp60B9.tmp.bat
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cozios Image Logger.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State