8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe
Size

880KB
MD5

cd2d434c0c751497d16291ea2d184d4d
SHA1

faf06f2ec5fd9633fbcf28bc6218da57d14b9f05
SHA256

5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638
SHA512

eadfc92878c68021ba3623e388d19eaccee4d265bb9e945266b070afeccf06ad3c988d1e187bc079e8f5b7c05bc1ab3d71ee218d4e17a14d9a9962a1ac7ee63f
SSDEEP

12288:dMr4y905aVkPQUH7ae74IC5UpClHGghPLvXMXiYQODOc5tVbXrOtb8CXYca5UzSj:FywJH7aeUIsACtGcPYDtXOlEUzS7n

Score

7^/10

paypal persistence phishing

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

jz9zO26.exe10Oj26mz.exe11oE7970.exe

pid process

3252 jz9zO26.exe
2572 10Oj26mz.exe
6300 11oE7970.exe

pid	process
3252	jz9zO26.exe
2572	10Oj26mz.exe
6300	11oE7970.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exejz9zO26.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jz9zO26.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\10Oj26mz.exe	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
560	msedge.exe
560	msedge.exe
1356	msedge.exe
1356	msedge.exe
1168	msedge.exe
1168	msedge.exe
5136	msedge.exe
5136	msedge.exe
5148	msedge.exe
5148	msedge.exe
5812	msedge.exe
5812	msedge.exe
6364	identity_helper.exe
6364	identity_helper.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

msedge.exe

pid	process
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

10Oj26mz.exemsedge.exe

pid	process
2572	10Oj26mz.exe
2572	10Oj26mz.exe
2572	10Oj26mz.exe
2572	10Oj26mz.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
2572	10Oj26mz.exe
2572	10Oj26mz.exe
2572	10Oj26mz.exe
2572	10Oj26mz.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

10Oj26mz.exemsedge.exe

pid	process
2572	10Oj26mz.exe
2572	10Oj26mz.exe
2572	10Oj26mz.exe
2572	10Oj26mz.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
2572	10Oj26mz.exe
2572	10Oj26mz.exe
2572	10Oj26mz.exe
2572	10Oj26mz.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exejz9zO26.exe10Oj26mz.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 432 wrote to memory of 3252	432	5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe	jz9zO26.exe
PID 432 wrote to memory of 3252	432	5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe	jz9zO26.exe
PID 432 wrote to memory of 3252	432	5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe	jz9zO26.exe
PID 3252 wrote to memory of 2572	3252	jz9zO26.exe	10Oj26mz.exe
PID 3252 wrote to memory of 2572	3252	jz9zO26.exe	10Oj26mz.exe
PID 3252 wrote to memory of 2572	3252	jz9zO26.exe	10Oj26mz.exe
PID 2572 wrote to memory of 1184	2572	10Oj26mz.exe	msedge.exe
PID 2572 wrote to memory of 1184	2572	10Oj26mz.exe	msedge.exe
PID 2572 wrote to memory of 1168	2572	10Oj26mz.exe	msedge.exe
PID 2572 wrote to memory of 1168	2572	10Oj26mz.exe	msedge.exe
PID 1184 wrote to memory of 2444	1184	msedge.exe	msedge.exe
PID 1184 wrote to memory of 2444	1184	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2052	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2052	1168	msedge.exe	msedge.exe
PID 2572 wrote to memory of 2772	2572	10Oj26mz.exe	msedge.exe
PID 2572 wrote to memory of 2772	2572	10Oj26mz.exe	msedge.exe
PID 2772 wrote to memory of 3848	2772	msedge.exe	msedge.exe
PID 2772 wrote to memory of 3848	2772	msedge.exe	msedge.exe
PID 2572 wrote to memory of 1888	2572	10Oj26mz.exe	msedge.exe
PID 2572 wrote to memory of 1888	2572	10Oj26mz.exe	msedge.exe
PID 1888 wrote to memory of 1252	1888	msedge.exe	msedge.exe
PID 1888 wrote to memory of 1252	1888	msedge.exe	msedge.exe
PID 2572 wrote to memory of 3796	2572	10Oj26mz.exe	msedge.exe
PID 2572 wrote to memory of 3796	2572	10Oj26mz.exe	msedge.exe
PID 3796 wrote to memory of 1476	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 1476	3796	msedge.exe	msedge.exe
PID 2572 wrote to memory of 1816	2572	10Oj26mz.exe	msedge.exe
PID 2572 wrote to memory of 1816	2572	10Oj26mz.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2148	1168	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe
"C:\Users\Admin\AppData\Local\Temp\5cb2e3146ea3274b3f079e836685e2606cf1e33338f3d1adfe019657232fa638.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jz9zO26.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jz9zO26.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3252

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\10Oj26mz.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\10Oj26mz.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcdb2246f8,0x7ffcdb224708,0x7ffcdb224718
5⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9884778609661019616,13033738051931966599,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
5⤵
PID:700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9884778609661019616,13033738051931966599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffcdb2246f8,0x7ffcdb224708,0x7ffcdb224718
5⤵
PID:2052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
5⤵
PID:2148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
5⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
5⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
5⤵
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
5⤵
PID:468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
5⤵
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
5⤵
PID:5528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
5⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
5⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
5⤵
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
5⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
5⤵
PID:5780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
5⤵
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
5⤵
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
5⤵
PID:6364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
5⤵
PID:6792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:1
5⤵
PID:6916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:1
5⤵
PID:7056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
5⤵
PID:6464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8528 /prefetch:1
5⤵
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
5⤵
PID:7136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
5⤵
PID:6844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9496 /prefetch:8
5⤵
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9496 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8572 /prefetch:1
5⤵
PID:6384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8692 /prefetch:1
5⤵
PID:1956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8364 /prefetch:1
5⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
5⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1284 /prefetch:8
5⤵
PID:6924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7389344629028623954,3578733797339192213,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4936 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcdb2246f8,0x7ffcdb224708,0x7ffcdb224718
5⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,7533635574114245283,17428819326681792141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
4⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffcdb2246f8,0x7ffcdb224708,0x7ffcdb224718
5⤵
PID:1252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1516,10683036298176072304,5320838318233188001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
4⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcdb2246f8,0x7ffcdb224708,0x7ffcdb224718
5⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,13138623190084726893,14124828911503855280,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
4⤵
PID:1816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x164,0x174,0x7ffcdb2246f8,0x7ffcdb224708,0x7ffcdb224718
5⤵
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
4⤵
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffcdb2246f8,0x7ffcdb224708,0x7ffcdb224718
5⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
4⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcdb2246f8,0x7ffcdb224708,0x7ffcdb224718
5⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcdb2246f8,0x7ffcdb224708,0x7ffcdb224718
5⤵
PID:5260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:5836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcdb2246f8,0x7ffcdb224708,0x7ffcdb224718
5⤵
PID:6192

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11oE7970.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11oE7970.exe
3⤵
- Executes dropped EXE
PID:6300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
223KB

MD5
253130eaad29f6b3a8d8e7815c0bd494

SHA1
a4f9c43a0a8bfdea2abb714a89628d9ab53911f1

SHA256
100b51f83c1ebf8717d0b03fbf1752724877a6c3828b30d24dbd649e1d70de23

SHA512
aec0c1d01c6d5c934091913bac199ec1bcfb87297a02237ebb71659dda8040f64217fc21d535efff9ef994085d74c12a7ee6e8ebf711a83f5afa61d765b257d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
c8713ea1e18bfebe4957ff6e82e8ddea

SHA1
8e0fd9758e253a0f0ebfcc642de1b2b31de12bf3

SHA256
ad5e1be96febaeb6ccb8a8e6e05ef1d001cd72cd6955428cc52ab113cccce8e5

SHA512
59a392b2e2d0a5b7b188130b6e29d5fac78160e60dc4baec1c22ad87e769c41b6eafd1ecbf7d7b504fdb91c07d2f41c1ab6394cd0c0d9ccf538d51030c6b55e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
7e8cd8971e854c5dce7606d4ac257690

SHA1
52c49d0d7f4c2a47900a36af772e0762e1057dfc

SHA256
2fb27edc87c8c2848f82f4dcf43ba55d88ba6e9ced82a038ebb9a069b2e23ee1

SHA512
8e55315c645fd506aa21b2acf720e5d9f6774ffb659d1a3f8fddbd3392d2979c7e7dac6b820d696d5edd4b6546a4393e35ae5d21082ec6c3552e5b387e751ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
be68237ccff9b8b95e138b246452c595

SHA1
c51836a1eb3b956517205b1de289d1695479259b

SHA256
9886ad21c7f39f80003bab7b13ffc2e507dbb8eac9af6362f39572cd0a5750e5

SHA512
bcd1b615ed8eb46543867cb38065d4a2ecca257f1e4ba2093a4c5ae117cdb6c4e807cb3f2a78e529c45a41bc49c810b45411fcb65931dde7b92ce7342394a265

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
72f0bcffc1a2b7019d4b2f67d663e9c7

SHA1
3c74892b2782fa9f9fecf3391f6c5aae0ca786c1

SHA256
6e1213487ffa90f4fe986d5bb8e30757fbdbf766264461728d8727228b464cce

SHA512
45378b220dc73d719fe2a7df83725b090b1bb0bc5b507f2eca599b26f22b04484cb1b0e7b83eeb04fc45e39120dadc02b52a74d05dd6e81530b56e7458e8cb3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
611601c8d7da1e9b51e55a5f690a2884

SHA1
110e14850c8ef302058e0bd7ddc40f5afd3c2f93

SHA256
2a8e9588d384cd1f900ba77487fb3d72309440a059c0f2c444545347b7ce7950

SHA512
c04a99f24db48346315d36d095a17f50279857ece975a5141e0bd9c7671d5c7fec41826cf0d6b5ff18f504b7b2568ceb3ad6114fdfa27f3b428b31d85b5b28ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
dc938f2296aec07678d8fa831247d52c

SHA1
6a2dc33c2cd3d2d304ea55d9336d8ef032e2b23b

SHA256
d94f5797f1ab3c65aa1772f28b5427100621aa242aec250375949af5f2c922b9

SHA512
889f7275f9e1acee1f29fb3cfb7c6490ae5e1f0fc0e7dc29ac2da0af73ab8200fefad618256b8b889cb7787cea054a1a5808e18a57f7f1d45c75ac884598632c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
00a58178737a58c455feee11455fc625

SHA1
a6aad096700c56cdf955c770edad2ff65cb994b6

SHA256
95dd9d5426c07beb3e263468e32c3eca043fc17ed414e14399e3b54b55fbc4e1

SHA512
6d1d1a5c496429917c3312dd061049fabc0e2f76dda846880640ee93c9c588f6abc1ec6a7a532e8296bad55cc865227de65eeba6032c4711ffb0ccf0973331f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
e5f15d05722f8071680f62e4c0fec2dd

SHA1
f49c4d0175b6afaae10985e99b57766361409168

SHA256
91c229a54b4d0e4a2af22d5398c4d8e46e9f85c2fc450c27d3099302b68e969d

SHA512
64ac10a034a2978a5c58112dd22b577e7950ebf44bf3f5111d73ae61afa51b0e964e94d81d5057c75eeda68d0a44682bc3144d162e194c591733fdcb5f7c9fa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
31141c892c4816e44ff571867f205ee8

SHA1
e570cf209c5b17fbd1c404c13c14aa1a216e484f

SHA256
07d80d2952fa44e7cd3a9611c5fe95d6f443c2311b2aa6d587d6901ac035d592

SHA512
85ec63cd11f672364420b7e71509389b425ea66457c5ac9884d8a7716e631407b36287e13d2a10ce44c3f194afc8ac1542678c265f6b82cf649c1a22416f75fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
bf967bec8ce754ae0ff6d04c205a340d

SHA1
b8b824c5aaf7d11fce882b820da5617e4d3a04ad

SHA256
b13ae103f4630a54fa17072d03f7535a60c96b656ca1523ec26ecd0af6afd7bf

SHA512
3348d197b4c10dee3dff639b2016829513a90bbb5a6b76c5fdc891b99725424fd4b95502f167e4ca42000d56628d5798bd2e5f4045c555f72ed295e874a2adbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
9f3ccbaac992b6063db98acc5d729f7d

SHA1
c8b7f9414d8a4c0a083af91c8e8cc6289113a746

SHA256
ae79ba2649cb49d844f1c6c0e670911e3d98b6b6c016f1429c20189591485211

SHA512
5f15dc3e2af714e19d1114fe54f7ec206f54d0e4930b626ac3ae90281381d36157e274ba92cbb38774d4a4a15b260441469e050ecef09dd8046d5eba419f780b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
2fafe5d9b0340ccb8a97900bdd769975

SHA1
566fe4875efed95abccbc49caa984770f39cea71

SHA256
51ea99bb56880a6f0ea8beb7779b69da6cce0c26c1f1455e4810182331e6be46

SHA512
eea8f4783f91c9676aeb6739412f5c07c2db671e07c177a2381fc22de9ca6612e5623f33724503ce2d4e791af5092b2f830874da718382d00fd18b254f9e8be9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
60baa97051257ab77e00e174a670e0be

SHA1
b1983c001c89d0c44d181e0f9a4b5bd92ca36b75

SHA256
62368c06ff004d67208b804985d94ea358eb86e1ca61da134aa58d5a81480629

SHA512
17e352b69b860c44c4ec24e95e736e079cdf65cafafc9b2ef977c5afbc55b177553f88d133f565523b21ab6e944e2c790e4fe010cdfa76aaa0605de1bd4dab27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5855db.TMP

Filesize
48B

MD5
72887710b88641b5bc9c0744d35d4446

SHA1
ded5237e9d9e5968a50d17462282ffe334467efc

SHA256
dab2107a02c60a37f89da0df8d1ec3545ea9330a16bb9a251bc22208cf25c6b1

SHA512
dc7c25d12349d14fa015f58f2ead60601d020fbf47bcbf461bf9afdb7cee6c9fe11dd36dcc5cb62e4d8d39e49a099831ef07014d6954c3b79161a21df8b0dcad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7d5d02e63fd9d6aaeefb8f01e88e62a1

SHA1
dff38af37f787a32affdb001511504ce1d0cf367

SHA256
074b237b6e407a6fd30970351ad27be36241ef886205efc15dca63be23bcd3c8

SHA512
c0d22c885a41308a2496712f389d606138d0763a2fc95f5bb95aa83e5b4feb4b1fbb06a308635d96290b0cc377979baa4ac9491748b2d0105dcdd94858f2d311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
87a112161858e96adc6bab1fd257ba25

SHA1
6d50b11f98f029f11412e4e7546284dbd58f93e3

SHA256
714c4992de776bd46c0593be4dd68ed7c8d1da1f162fc3525fd3aa4fefe8742c

SHA512
0e28319796dee07b047b8b22d40d07550c50dbb1e1a5eeae5f7aac86372f905e5e1eb4e96e64e7cfb83816fc448f8b2e28846bc5e83cbf8c60b091013c0b40a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
eaf14da875036dd9658c1862b664192b

SHA1
84dcacac13857dfdb6d8e429efc0654b95480265

SHA256
133e4795279b8780fe8150647bc02a628f355841a94600da95502ce62c41fe35

SHA512
40a90f78638bb6d94d5e1854c83243f8093821e98ebde457c73c8cfb6d51d918ff6eb1ff1c8f59e2fc756ff207fff3230dbc29040b6401a34f8bef79e538de78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
e924e9574b6871fcc73497eb99f3c050

SHA1
4d25ba5485e7dbbb88734071553635dc157c07c9

SHA256
2408bfa598271cc979adebf1280a26dcdc6abc724f6e68c6b54f403a397ddc41

SHA512
dd7e1c46d92c5900796384059b9e2d0fc72208c1205ed4892a00f510526fa3858378f4cdd7ae5668efad9950e4eb943bb00d525ac1d3d2db3341913f567d53c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
62f1fc0a392cb812ce9df5133988cf98

SHA1
5c3a98e6f88c155fdccd8eefa22109d45edc3296

SHA256
0f408ea6cd6aa5de2e4212bc5415e2c82c1015954a850553616cdcb2f148227b

SHA512
80e433d7f34b4afac24f3b2cbf908391a5146123ae1645b320d61f7d2239ebe1a9e36f468b4b2ec8c90f20db32c3968b236732cf9c8d66f1a995d3a973d6439b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ac7c.TMP

Filesize
2KB

MD5
23015f866d138a5d2bf5f0c14f00cfda

SHA1
2b5c60051a395762b0d5ac15498c447bcf54c718

SHA256
3f58297b9672610c0175ef5ccbb08abcd4d2ea3c37875830089c4fe8c1ae758f

SHA512
f6ed9118a34079e9882ee8872a48f9eb0ff6a0b9520dea314ec0ef0fffe17514dd9faa9e705b93e64e7fe38deca32e69db4de9a760f9d74d25c87cf38ed3a0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ac0f08d60682b8ba01ba098489ab6758

SHA1
260e68fc9adff72132ea66ca61e2ca357f5b5165

SHA256
9fccad5eba1fe4af17f99da9c8b29cf9c1dfc352e2ce00453ac1ffd47cc9a671

SHA512
6c04693449fa3fe028c48736c3122f7940f65d64356c2478556c943ba16929ed83ca02400ae569f880cb0a11d0d8df2b16a40e7e9e70d81cbc91d64378f5811f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a70d5a2472cbed82fe423279c888682b

SHA1
43a1ad85052c5d57f9afd1dd0b61a66029be7ff4

SHA256
2aac03df2dfc08e1eb9ed0808e16bb8174592270e33fb38aa782815de2a77b72

SHA512
f84f0a1fb39e46451f136819c7504cf22e8f6ce236d6403aebba141f6ba21170c23e48c9aa72d3ad9ab4534484849e039db25bfb42f4f9730e066b27e5984f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2d50d786a0db9c62cd0a4252a5d29d31

SHA1
20534eb1ebef22bdcde9c5c2568ec32cc0ce5b33

SHA256
2bfc3ab3058dae529e4175c4be15c43cd730502f1dc81e8cf04b4b0deeefba43

SHA512
7df49fe1dff221bd860e89d8d5daef980029b1928d131a52e5dacf078a97bc34da510c9603b8d3ca19cfd2bd410108353c94bb5b2e358369336590931b230502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7b2b9c15c67d04a043d0f4482fb8c482

SHA1
bad9ca77a7d4cc669c3187eb54fc4f06ef84bd20

SHA256
55760b0b14a4fdfe736ff1da3f1631d1f64d905846bde2c928e5126a68be58ad

SHA512
e8ec115de5e41e5ba4502375afdfe4d9d97d6e775e42fa6bd1a45b76d18c4ecb185689169d0a1ca62c8449cfa9b6b6d77f34aecc8f1296f49d315b1d6854dc77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
87b9ce83dab9a2176e4ad6a04e8009ab

SHA1
c382bfc5bcbd640e7f385491d63bc7cc770546c7

SHA256
359297e0d12ac0bd500250a0c74fbafec56fe3e6895200153994a2ea14d6ac9b

SHA512
bc41ef66cf09de70fec46f254de7be458f6dcd96b6584ce65ece0194f3ae71dd6be8cbc0db06f8710ea3ad87afb0b07923a058221d7a068dfe4436f7f4017192

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jz9zO26.exe

Filesize
658KB

MD5
5ee6354b3c1462ad70379b6bc5373c99

SHA1
a9500d5d2e0ff9c944f75b447f7856c3ff52ebe7

SHA256
42790e47e89a95aeb2572e5cde3d514904723f7302a85482f0585af2e44b87fd

SHA512
3440ac0799fc126b59d45b59e169de9850cd4118a743decb9482c203bb355fc0a168ace04db81fbd9280f182d6195cc4e0a968fca4e393088b8665ac2ba7012f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\10Oj26mz.exe

Filesize
895KB

MD5
957d1f106e91dd0a9b8bcb064e28b9f0

SHA1
c97b295a70dc91ce5b4399515dd450c204df8cfe

SHA256
11b56e8e786712544f92de2b111c900a8958b9cf7c4396042f98ef8c5d5cc1dd

SHA512
ddc85a3ca56af2a3d00070603e9b275ca5e737a4b8dd16a27d1f93fa784e580428fe175344eee30d8ec3130e926f0cad8276a1cb37326f075d9bb02dffefd5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11oE7970.exe

Filesize
283KB

MD5
092ff5d48932a2b39b994e46f64cf5bb

SHA1
14520bf10c161c1a6fa1d945b6f5d1c30a9e3350

SHA256
7549e016a671f1ba803d8748e410016016d216ee9c06436276cfe1a1711bc86f

SHA512
e6147fa0987455bef361b02e5dbc78eca22f3bd50888e7e149f65da9b21be777f1b2f26428e49c8709b70476202c0d714fe4329d1ed673707a77e0429b67f990

Download Submit
\??\pipe\LOCAL\crashpad_1168_EPARLPAVMFUETJXO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit