hxxps://archive[.]org/details/DoxToolV2

Resubmissions

01/07/2024, 21:33

240701-1eptmsvdqn 1

26/06/2024, 12:02

240626-n7tbbateqa 10

Analysis

max time kernel
243s
max time network
255s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://archive.org/details/DoxToolV2

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643432833325668"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
4764	msedge.exe
4764	msedge.exe
3204	identity_helper.exe
3204	identity_helper.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4764	msedge.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4764	msedge.exe
4680	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeDebugPrivilege	4932	firefox.exe
Token: SeDebugPrivilege	4932	firefox.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe
Token: SeShutdownPrivilege	4680	chrome.exe
Token: SeCreatePagefilePrivilege	4680	chrome.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4932	firefox.exe
4932	firefox.exe
4932	firefox.exe
4932	firefox.exe
4680	chrome.exe
4764	msedge.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4680	chrome.exe
4932	firefox.exe
4932	firefox.exe
4932	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4932	firefox.exe
4932	firefox.exe
4932	firefox.exe
4932	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 1072	4764	msedge.exe	80
PID 4764 wrote to memory of 1072	4764	msedge.exe	80
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 4136	4764	msedge.exe	81
PID 4764 wrote to memory of 3544	4764	msedge.exe	82
PID 4764 wrote to memory of 3544	4764	msedge.exe	82
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83
PID 4764 wrote to memory of 2812	4764	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://archive.org/details/DoxToolV2
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb923946f8,0x7ffb92394708,0x7ffb92394718
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,16471512152064628302,9247627025894471203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:6520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb8064ab58,0x7ffb8064ab68,0x7ffb8064ab78
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:2
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:8
  2⤵
  PID:5620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:8
  2⤵
  PID:5716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4580 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4936 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4308 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:1
  2⤵
  PID:5772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4392 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:1
  2⤵
  PID:6216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:8
  2⤵
  PID:6524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3200 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:8
  2⤵
  PID:6532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3592 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:8
  2⤵
  PID:6632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2268 --field-trial-handle=1868,i,505215416722327125,14290846860973231133,131072 /prefetch:1
  2⤵
  PID:2492

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1964

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5800
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.0.60234807\1765287780" -parentBuildID 20230214051806 -prefsHandle 1760 -prefMapHandle 1752 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbf8c641-82fc-47a2-8434-cc3cd5a012b9} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 1852 216116dc458 gpu
    3⤵
    PID:1964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.1.2109369067\228733876" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77c5c732-fbbb-4bf3-9e62-3fb3e2621ec9} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 2420 21612b7a158 socket
    3⤵
    - Checks processor information in registry
    PID:8
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.2.140921033\1199198292" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c5e1aeb-230a-4f91-9271-e10032a13ca5} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 2972 216151f0958 tab
    3⤵
    PID:5720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.3.307946316\580570107" -childID 2 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ea81640-9e8b-4b17-a5bd-f2a05878a2c3} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 4140 21617750758 tab
    3⤵
    PID:5428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.4.1161287553\1622738913" -childID 3 -isForBrowser -prefsHandle 4828 -prefMapHandle 4924 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dac0bfba-e734-4c1f-bdb1-ed58b471b70d} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 4936 21619c5e458 tab
    3⤵
    PID:368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.5.1100835574\774787635" -childID 4 -isForBrowser -prefsHandle 5060 -prefMapHandle 5064 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5dd0b46-5e9e-4bed-81ff-bdffb4f57d7e} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 4952 21619c5ed58 tab
    3⤵
    PID:1144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.6.420682130\1428873125" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {108342ba-2827-4da9-97b9-09628dec9be7} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 5252 21619c5f658 tab
    3⤵
    PID:3404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4932.7.268209298\157972090" -childID 6 -isForBrowser -prefsHandle 2576 -prefMapHandle 2760 -prefsLen 27771 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cf85c2d-c401-4908-a109-28bf81a7c07d} 4932 "\\.\pipe\gecko-crash-server-pipe.4932" 4304 2161775c458 tab
    3⤵
    PID:6864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
811B

MD5
025e3a5e7f3534adff8e672bd6b2d096

SHA1
f1ed783204d962758f07749c16ea81a99fab5944

SHA256
6d376a43506cf018fe2ee060527088eb3976dcea250d893ad9d0df6021c11246

SHA512
ceb82b58e02188d8932f56e996ba081b3442c6fd8f4822fd4cf19cac8dd46a4aeed20acb04a5c43af873b0362b440eb36678c1b1f3eb11074819c8cb26b7f6fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
df7544e6d933a518dda889e04852cf4d

SHA1
796b2648bdc49bc3a3796b9bc4abe9753992e5e9

SHA256
34b132f8bace23b96964f6f849b0e6686f982a71b5d4b727c7303ce1a77ebd88

SHA512
c1ff51a46932e3439f41898be1f56e5f4634d59b76e76d788b398ad25b014bab0b0b90194e166068c4d06ccaa8b6506316c571fb0f0c2f923bd285db3cbed2e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
27803a5bce39143942f289900ac75939

SHA1
5d25faaf5236d8835454ae428abb44d411011283

SHA256
01b8902cb7481edc61478da823452b23b78fab6c45b36e6e6835f0c7a41b1c48

SHA512
baa8a33289793764fbd4a7c4307703934d29732456b6fe2758c5bcc0d0380f60d1d99704f98dd5998fcd9b6cf3e6005a61d59600bea9483763a5df41959c047e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
8fd8dce6435dbc32530b3c239e54afba

SHA1
779063f870f8239d747d0ea8697bd87098686340

SHA256
e50f902fba90d0aef56782d56cca109e4a6e5766def2707c2a02738437227626

SHA512
776abf40ca146909fa68964bc22b7a0034c05b4a66fe7a6476053ebec58497192b94347547106a0c500ca5c4e45f629a7e190ee1b4ec093945871294d2df316a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
40ccd9fa37747fd356a022eaa9e95ebb

SHA1
8be3461767d378955c51db19ecc55484a57ff59e

SHA256
a0871e6ecb656ec698d4f3a79f88df06b557197a5271bdc0e4b9d06a5527e028

SHA512
25e638aef438dc17d41abe3eb47abd985740fc416d1e7534b258e73fe18124a2f001ce2b88259c7df607405695e2cef3867b3da4402652a7b19b0738d86140f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
e51fa8acd2fe462cae21eb8087fd2f04

SHA1
a619dfb353ce5f07ca941ea086447d4d9380aab4

SHA256
f3154b33d7ff59e79d660e439cc92a1d2e63fcc4922a7adbeb6b0c10db4cd4ab

SHA512
1353488529c59bdda402705ec58465a6cf9639c9dda8f970e9fc978e67d08f83940337224b4c9c7b0831e49586f11e795adbaa1fc72c262cdf65d2568eaf8094

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe583f08.TMP

Filesize
88KB

MD5
2118749b911819aecc3be8befc5dfbcd

SHA1
53ab7a9e48c66f86f523f30bde9ad843f465c4db

SHA256
b16e24720aada64948ed7d43666f7f25030f72e4792775d7726f9065d9c53bf6

SHA512
4393556a539ce4446f11c79f4f42f1c460da1acfb4d4cdbbb11b7d1d2b2a0db753fd59d20c235aedf78721e935db880f4a680c165e3ea7041691e70ba0b1f5cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
08908977ac621f2f0207bada41954c31

SHA1
edcb6e50ab03391bc5fc2b22f27f9b83e84ceb98

SHA256
3cca615a3de1294c44024c8bc3ece0b59af9ccafe683fd5fcfc670064c47ef0e

SHA512
c83e99080d9288bf66749a47b65fa92d059a317cd721cb4d9de7d8aa5291fe0cfccabefb13b487e05c40f1dfe5047b8393b248ffcac58b03b6fa59619e4651cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
504342b70a5978b759eb8df2c5d2e53c

SHA1
23c81d1d89ec3d1473b5563c68eb5add2d45c392

SHA256
e46f46d44c4c3696b29535d71d22d1aa2a98d5a651ec6d1bb2f35c046683b802

SHA512
d8ef6bf01280c643bce9c7e3a33a81c2cb2b4afeda8c5bf548772352395a7dbac3f9c4e0353caa379998b66f479a7ad91556678e3a9ddb46df25e989a848ec6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b953573b87dccd63291f1a5b91ee81c

SHA1
e9ffddca78cb8f09b1fa196614085bb6c95d360e

SHA256
b5f86bbde38430e7e40d70d370063455c14567bde3f8ba138b29823991208e7f

SHA512
4db9f0e367c9d82a1ea603b5921ef05b1ea5342861da2b45abc0be9f35e01e8ae0c6a554ba01b35636f9230fee8198021d0831bed3e764c851f1f607c5418639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f0ce6b603de4392bdeebd3817deeaf32

SHA1
8f0252bf655e0f7cc4f979281cf89ce37b4f58e9

SHA256
aafd081dcffd9c02b5a639f97e0b283d3a852f05d8d88513e61a6e3f44a00017

SHA512
80056650d0ba5cd9fbb2af31ba627d845d3efa18310cba0b1eff5ff5de6091d49f160b3b7349505d936761715dbb24bc7941e7dc4284bb855a35a93a1afb269d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4afd48e55a52709732ff0b56f6087e07

SHA1
3c7dc05160e07b6d42f2ddee0b3d284e03942dd5

SHA256
b3ac0fa37cbd00185305677981e9355f21d58dcb381452bd7a0dda08ea8beb91

SHA512
14d0d3098b4988c74b5dabd6f448b8a7ee093f95072d87777d113391edfe74986ab646085ffc61858295a0aebb4dea66648d82cd5876bbd944ed56f84308115c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e990e7ebb6a21c0c13403c5c17fac98b

SHA1
91aa5c2f5f550793ee8389c561e33f5a670f3488

SHA256
1dae96ee26b2d3ca39d12f7d973f8f35e8f016364bf9647c5b8d741d1c47f82c

SHA512
15f7ccf42d0eac2de6ec351d550905aac24f0b9af6ca017381d84ea8f612c0afb46f62dc1cd42728d7ac61e4b2298c4fba311754397fd9829d4e5feb9549c512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
21651d7bd2de16c0601bbf825a73fabe

SHA1
bf400328bf7a5c1a0d1a444e196b2c0d87184613

SHA256
7cb67f8e9b2834b2087aa636fe3af11e404d1025ae8aff0e43c81ef8f806ab88

SHA512
d24b811e67448a67ba1dced5b58b6ff9a476133531e99506e44e7d1a5a059187c29584288d6161a465f0563fad6043a1945ce8af28e551c10489936168cac1da

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp

Filesize
29KB

MD5
5569f5ec9f45de3bc87385b945cc7c6f

SHA1
4b1b4362435d3733cce31301a153ee58185f44a9

SHA256
00c0d05bdc5a864a2fa5a2631da52944b82a342afc290803794ce26aa7b0f8e2

SHA512
01894414d38529f41486a407931fa999edd6d863f2b91259cd4e4e5d492eeb3ae9a1039faa2eda896ce549b10e417e11650dec9268b26b4053f2ad94f40a607c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
7KB

MD5
e55ddd8009c1b2ae19e695c9ae268c6d

SHA1
7e990f64376c39c4dd24227370e3b311d5690984

SHA256
60a48ee2a56710062d45bb1be7c3537957c4afda071d0cdef96c293ede1ab7b2

SHA512
e15502cbeafb9a985b27260c00e8bb1970b548dd01b6bd6bb72346517a689331f92a6e1dbf6c9bb9a258ceed98197a35bff224b8fbe06e8317d84ebbb20ea879

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

Filesize
7KB

MD5
df62b9a93348368f47a1eea2e67b9234

SHA1
85e9a8554e187c1110b1c264fe14c18f5fe657b7

SHA256
703f4ae2c4e014347aef9f056b4f2d163845a008f9851653365bec9d7dfa7714

SHA512
5671492e50cec09735ea8bf931fa644027da30cb8556382caf6d031967b115913536a87be88b1728d888562ac15d2616fe21cb0fc34f69a23dafe906e3ff77e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
cb7dbe4fe4fecca5d6a03dfd6088bb2b

SHA1
95e335887e4fcf4c2a16e34b99fcfe548c20062c

SHA256
3568e83c9a8e3c48e277528f74be259abbaf1af8096ebe2326ff526fd951fb28

SHA512
a32bea1d2250b58c0a1028af5b87a8be6fda8f0b481b0397a5de9c26fcba73e216f518d5cfefd9456091c8fb17a8b5d036e70669da7f380791a53b94ff374109

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
259059838027b1cf3b4a0192e4ebf71d

SHA1
dd6266b79df026660de7e292450747ef484c397f

SHA256
4cfe4a526eb903d2014de01e329174e33f0494b0c8d370f4ffe148503ac8a77b

SHA512
32202713082a8e4bcdf4e141eaa441c298642e5a1d8540044fffcfef45211076351672fa6a01070e631181024af096279d20efb5390a9929d3fd31bdb0c0a372

Download Submit