hxxps://138[.]124[.]180[.]85/

Analysis

max time kernel
256s
max time network
258s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
25-04-2024 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://138.124.180.85/

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
40	4980	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
27	api.ipify.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache	AppInstaller.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\AdvancedIPScanner.msix:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4536	msedge.exe
4536	msedge.exe
4140	msedge.exe
4140	msedge.exe
660	msedge.exe
660	msedge.exe
4892	identity_helper.exe
4892	identity_helper.exe
1808	msedge.exe
1808	msedge.exe
3508	powershell.exe
3508	powershell.exe
4980	powershell.exe
4980	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2468	7zG.exe
Token: 35	2468	7zG.exe
Token: SeSecurityPrivilege	2468	7zG.exe
Token: SeSecurityPrivilege	2468	7zG.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1908	AppInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 4020	4140	msedge.exe	77
PID 4140 wrote to memory of 4020	4140	msedge.exe	77
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4848	4140	msedge.exe	78
PID 4140 wrote to memory of 4536	4140	msedge.exe	79
PID 4140 wrote to memory of 4536	4140	msedge.exe	79
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80
PID 4140 wrote to memory of 1484	4140	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://138.124.180.85/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9eed3cb8,0x7ffc9eed3cc8,0x7ffc9eed3cd8
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,11054823979247345351,9144102648485526741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1696 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4456

C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe
"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstaller.exe" -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2576

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\AdvancedIPScanner\" -spe -an -ai#7zMap24411:98:7zEvent29816
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Downloads\AdvancedIPScanner\yxAEqSbV.ps1'"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0fcda4fac8ec713700f95299a89bc126

SHA1
576a818957f882dc0b892a29da15c4bb71b93455

SHA256
f7a257742d3a6e6edd16ac8c4c4696d4bdf653041868329461444a0973e71430

SHA512
ab350ca508c412ff860f82d25ac7492afb3baf4a2827249ebc7ec9632ee444f8f0716389f0623afc0756f395cf00d7a90a0f89b360acdf72b1befe34eecb5986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
21986fa2280bae3957498a58adf62fc2

SHA1
d01ad69975b7dc46eba6806783450f987fa2b48d

SHA256
c91d76b0f27ccea28c4f5f872dee6a98f2d37424ef0b5f188af8c6757090cbb5

SHA512
ae9ba1abe7def7f6924d486a58427f04a02af7dd82aa3a36c1ed527a23ec7897f00b0e30f22529e9599ae2db88e8abc7ba8013b426885aa3c961ee74678455f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
696B

MD5
fedfdfd76d931f917f2f902126d85041

SHA1
8a53a8f2b2048a3acabcae1a36b898d962046909

SHA256
6de794af438f0b2c1496a633d746b3f064ad143ec009e2bce0e482000c09f7c2

SHA512
e8a4576597be03d791faa67f3f255ab1ea6299766f6bbd0691d0d75a8b1871ad95bc6d676152632c6f1b2990e8ae336d4fe9107f2d24deff77655c92b5f3a2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ac00797d785b89c62b6d4c43dcb8db3

SHA1
2fdfd5414012c796ebd725764832a04e461c0c8b

SHA256
e4f810c558b8e471cd4ee7b69d67149463e4beb5c650467b4f3462205de72dbd

SHA512
ee54070e6185b2679f6f714ef3b1569b694716795672f4b0ee636c0e7e1c941a25cb2f82e564bd3b8d922c93f5fe78cbd600793b07330522cae2084ff8271121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60a27205e58d7caecc9059373b96f3c0

SHA1
83ab18d6c987ac05b0c401d28c0a9892605b0f5c

SHA256
daf60891626d590ccffb35882cba37efdb396c034bfd4a055a5ce8765826f871

SHA512
4b5917c560bdcd19c41a612f62d81510f6507f7fc2c27ff05b0794c4303e0b3bb1ada5c05e58ad6d8373abdfb6c6491af443e6c5398e659cdb45347c60200dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
844666b97ed33d6d13be4273e060982b

SHA1
c97b297feca707a8bce476d33b5e52123684538a

SHA256
268fbe497cba25416b625d90560748d9f0d4d40a23f9eb0a7adfa26f83b53e57

SHA512
3a64c2feed16e110278e12421bffa2555df8ddb5802844485d0bccaae4bd4cc7a83bff4758c11947389298681142e800a8222c8e974de5f0a49b7a893315e31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
53b4f7a0b59949e17cf1b313b5bef29f

SHA1
b862765307dd7fbd4dfac0eda8d2951974919624

SHA256
46a5d89cdecbf18408fe85f2c3447fc5c3c0ed2032c9378b98d9c6052a47e110

SHA512
3583b66c0370a2f2f833a99bb0acd3e90c7ffba1701fd75bcc74ec601368772d75f67c2b81b27fd258456fcfe420be485caaf3fc809a910d7daea8d662b68142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7ea6e13cd3264a74f7b64719299c82ef

SHA1
95e912bf6da205e18fb2916a978b90590af6c9f4

SHA256
582b9ce34b61ca39cfd9e98499d5b0e23a95faca7ff32c4cee3ac2764e902b49

SHA512
052271083fd532401a7f6729337f1b00a2553da1b7a35ff1865d8f7c7a5e8a1a7efbeefb8c6273bec74c9149d2146719961fc90c5cea1366fe81298c219e44f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8327dcd7679b7dd469113c02bc918204

SHA1
ef48a678949213910c47f4cde41fdbe008267f89

SHA256
e3d500a60eedc983cb1bdff4617baa982875ce68ae71eeaced88d023403dc03f

SHA512
7753560aa4368a558b0e761d5c6770a148ec9c76e4ea7ee388cc113d2fae0db7f952f7d94e47ac44f9bd22f31d1f6e3a51a5eeb6c3b8000e7b4324a6c418d8f4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
917B

MD5
d99af97ad2447802393519ff0b9b1372

SHA1
90ece2691525d76e6eaac6b4c63dcb017344ef85

SHA256
2566c0758adc35ac07c57db56b4584d50915fbf89abc4ad5c0fb50ff069f7c3f

SHA512
46d9440efe9d0a7f149ca971b29fea8c18a899447073875f62cd4a8027c83c1f6eea8b27e85487ceaf51b5facc12d721fdc0ee95c6a959824dd86f2533377cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwdzqivs.dgf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\AdvancedIPScanner.msix:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\AdvancedIPScanner\yxAEqSbV.ps1

Filesize
5KB

MD5
6cc7d2135dbe7c41c59e58cb3d19b342

SHA1
9723dcc9509566d742034d57e28e6f562514f520

SHA256
9c5a2f3a82a50c726e7dfacf8b046ad6602ecf194203c567cf560e352b94d2d9

SHA512
fcad8717e149a6c09de16f484c671ce4c8ebc0a0941b911448816f9fc3603bedc7ed08a607f96fbe39561381bdda2da7cd56211005a0ef397ff6cf333e9572b2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 649126.crdownload

Filesize
25.6MB

MD5
c79834aec56238560ad7f9fb7e96bc85

SHA1
ece7856c45f9fb7f3e90713cb66daad77e1aecda

SHA256
5146ad24aba859794d182b66cc6ce8e3544f2e36d64bb682d7cf1ee1a78a90f2

SHA512
c59d858f585410ddcd6dfaf430ad94254ba05ecbf6f138ab0d80db2d0851384b4d28232989586493da1a72d51130acbca440c53c0d113b48974221dfb145b8b0

Download Submit
memory/3508-663-0x000002126FA40000-0x000002126FA50000-memory.dmp

Filesize
64KB

Download
memory/3508-661-0x00007FFC8C490000-0x00007FFC8CF52000-memory.dmp

Filesize
10.8MB

Download
memory/3508-662-0x000002126FA40000-0x000002126FA50000-memory.dmp

Filesize
64KB

Download
memory/3508-651-0x000002126F9C0000-0x000002126F9E2000-memory.dmp

Filesize
136KB

Download
memory/3508-664-0x000002126FF10000-0x0000021270086000-memory.dmp

Filesize
1.5MB

Download
memory/3508-665-0x00000212702A0000-0x00000212704AA000-memory.dmp

Filesize
2.0MB

Download
memory/3508-680-0x00007FFC8C490000-0x00007FFC8CF52000-memory.dmp

Filesize
10.8MB

Download
memory/4980-674-0x00007FFC8C490000-0x00007FFC8CF52000-memory.dmp

Filesize
10.8MB

Download
memory/4980-675-0x000001F93D070000-0x000001F93D080000-memory.dmp

Filesize
64KB

Download
memory/4980-676-0x000001F93D070000-0x000001F93D080000-memory.dmp

Filesize
64KB

Download
memory/4980-679-0x00007FFC8C490000-0x00007FFC8CF52000-memory.dmp

Filesize
10.8MB

Download