xenorat | 27178a08e0d8fb6e5e31ae9bff6194a5224406666fa1f528d4719c1e4a8efd67

Resubmissions

24-07-2024 00:10

240724-af2xgszdrh 10

24-07-2024 00:07

240724-aeqstswfnp 10

24-07-2024 00:03

240724-acj79szcna 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xeno rat client.exe
Size

46KB
MD5

d23d8120af87a615a456a12b43d4a98a
SHA1

73b41123d6f50aecdcf1c5e87a7d0319d753b0e7
SHA256

27178a08e0d8fb6e5e31ae9bff6194a5224406666fa1f528d4719c1e4a8efd67
SHA512

99026704fef97f9f9c01348310f199ad523851e105c7ea1f39312c7370cb6e50af5044fec1041298b96b6e661ac5f48d6af80687e21364806e62738d198ad319
SSDEEP

768:Ddqf04XKojwYybbZWsiBHUuOkU7cK9F9km3XNZ5SbTDay6t22:D4z0z3ZWsiBHUuY79kmz5SbTL6B

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

localhost

Mutex

testing 123123

Attributes

delay
1000
install_path
nothingset
port
1234
startup_name
nothingset

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
153	raw.githubusercontent.com
152	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133662531209553304"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-464762018-485119342-1613148473-1000\{A60691B9-E685-41D4-A0D8-CD0DF257D276}	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1244	chrome.exe
1244	chrome.exe
2164	msedge.exe
2164	msedge.exe
4820	msedge.exe
4820	msedge.exe
5716	identity_helper.exe
5716	identity_helper.exe
4404	msedge.exe
4404	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1244	chrome.exe
Token: SeCreatePagefilePrivilege	1244	chrome.exe
Token: SeShutdownPrivilege	1244	chrome.exe
Token: SeCreatePagefilePrivilege	1244	chrome.exe
Token: SeShutdownPrivilege	1244	chrome.exe
Token: SeCreatePagefilePrivilege	1244	chrome.exe
Token: SeShutdownPrivilege	1244	chrome.exe
Token: SeCreatePagefilePrivilege	1244	chrome.exe
Token: SeShutdownPrivilege	1244	chrome.exe
Token: SeCreatePagefilePrivilege	1244	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
1244	chrome.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 824	1244	chrome.exe	98
PID 1244 wrote to memory of 824	1244	chrome.exe	98
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2444	1244	chrome.exe	99
PID 1244 wrote to memory of 2756	1244	chrome.exe	100
PID 1244 wrote to memory of 2756	1244	chrome.exe	100
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101
PID 1244 wrote to memory of 644	1244	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\xeno rat client.exe
"C:\Users\Admin\AppData\Local\Temp\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff9e79cc40,0x7fff9e79cc4c,0x7fff9e79cc58
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,8666490922402141088,4532439383155765863,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2012,i,8666490922402141088,4532439383155765863,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2004 /prefetch:3
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,8666490922402141088,4532439383155765863,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2396 /prefetch:8
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,8666490922402141088,4532439383155765863,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3360,i,8666490922402141088,4532439383155765863,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,8666490922402141088,4532439383155765863,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,8666490922402141088,4532439383155765863,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,8666490922402141088,4532439383155765863,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:4992

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff9b1d46f8,0x7fff9b1d4708,0x7fff9b1d4718
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3964 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1828 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,184821790234752602,8400372714179537919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:1452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
af3bbf34916e302e633db7b26bb391a8

SHA1
97e2ebf3b58d36b5d8c418f009dabd4cd04309f1

SHA256
496feaab3235c2b5558d584738b30f65d163aaaca7dc48b2add381726be53c21

SHA512
1bf79340d8a3fe1aca4d70cecc86b33e23f3d5648d0db1676eee7334be0efc9d8af39aea0e25031f887b6464b315a6105c1235020e1d008bab1a043497ecd0ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
80a32d16641087b45cf4b3b6ef08c343

SHA1
8637a922d18b4584b84978b2bbce7424f75af109

SHA256
93c2accef1a7fa4bcb71677dbc081417a30296fcca39dbef0f3c900e2248d943

SHA512
69908612b90e6a42c07796ba82e39e7aaa0103ca1ab174886dcfa3cf516695a2cba225a74d70e0a90eca73fc56f1bc71075c10af2f448e84286ed88cdb309938

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c06ebb33550c926bf63d923832013ab8

SHA1
3bcc6a6b793a9a7ae57dc9f4ca69166598ba545a

SHA256
a45240d16c1b19c08d6f1773247490337687b6c103df98a10b3fb87b909a1bd8

SHA512
8adbb4c24986bc13350b65f1ff491b3a946b34dcb95cc76612345da6fb566788e1adaff20b8628f01f8713fbf9631b1ee6aa60caa8dfcf029d6d4191843a2c80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2fbad4257158be457553f8c72b6c4da2

SHA1
d32075b45cc78816df899d61d41fb2dbe4867802

SHA256
903b2a841052f47ce195fa4397e1f5b916fea7462891ce59c85fb45432689a81

SHA512
1cb0c9200b3c87b724407db0ffe48cdeae8c6e237e214ff8f99879d5c4fd872a21781585daf91703c074a7e16f788563bd88ee9dfff7ae7bbd61059974305cd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\befe27de-aa48-4a66-a486-dc35e27d06c9.tmp

Filesize
15KB

MD5
994e2f54d83b8fe6a7112a5e9e453cbc

SHA1
a5dfdb54ef49283a50322d864d4136826d21bf57

SHA256
f571af7b401616af24bdc7edc5945bd050913ad18b519ad2006e1795a7756697

SHA512
a919a9d9a92f2e23ed891243cb9d0c4dba92e8627f25d745c3fd187c8b81d5f5a40619778e33603f4b5f3aa3373b55f94b6cbcb489729d246af5d04ea9161d83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
5f9678f2f7ba27382ad03cb1ffd4cc8f

SHA1
3614d6e4a2fd91e9b9d22411f4c4352e41f8c6b0

SHA256
a050a5f81b56b9a0acefb73e7bc09d65935cc685234c4ffcf2aa5e4aaa52dc22

SHA512
48a822aa774d6c33cc6c11521cf8861bb6e2b750a5c16f318514b2b31b7446aa772494be3bb8de521ba99abf3cb67c9229151317bdcb57909200fdb2330f6087

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9622e603d436ca747f3a4407a6ca952e

SHA1
297d9aed5337a8a7290ea436b61458c372b1d497

SHA256
ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

SHA512
f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04b60a51907d399f3685e03094b603cb

SHA1
228d18888782f4e66ca207c1a073560e0a4cc6e7

SHA256
87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

SHA512
2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
41KB

MD5
91be4e2bf6957e5b01200b15f83b9af1

SHA1
cb9b994eb27a6e41885e4b3dedc78fa1ea9324a9

SHA256
9951e1f58567cad50199fa9e5a1b380e3f0784da276fb2d5f859110d5832dd93

SHA512
c633e932eae25c5858ac035be15f99d273183306bdc1e296e9f0154219ec2da76126158c4a2e5f2af2d27473f6077f03f518d2edd0f1981f321079953f876c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
1.2MB

MD5
931d16be2adb03f2d5df4d249405d6e6

SHA1
7b7076fb55367b6c0b34667b54540aa722e2f55f

SHA256
b6aa0f7290e59637a70586303507208aca637b63f77b5ce1795dfe9b6a248ff3

SHA512
41d44eafc7ade079fc52553bc792dace0c3ed6ee0c30430b876b159868010b8676c5302790d49bed75fa7daa158d4285e236a4be3d13f51ff244c68ca6a479ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3f51086a06da54d6c2686e9c57096972

SHA1
4d7135b0c975b54f93c530ecc2601ad578614464

SHA256
8b8a313aa0793f1c2dc5fa2e2398b7dfc4c512cd28128328598a208a9dfdc1fc

SHA512
0605b55826787b8c8990ca75cd91f5a6b8256a0b74b019b5a957f29fdc09b0fa8dd58a3601dbc37ccb65d2e1138c64a208b34ecbb1adc8da931cdd1593c581cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
484B

MD5
ee4afd66395f4e6f38f070bc884399d3

SHA1
7b67c32c17e6b089ea4c67c837a58c78dce7878e

SHA256
a7e5d7147297250ede4c571b4c716de666763646790a86ed001e0b42fad4335b

SHA512
5d5c11a9ff485f0cb9b74895fe075d1d6663c762aac8c4e3241be97d5264bf0d3ddbb4b9e7594ab650825143a1e20a8820f6dd0285a8913f66608e31a3a89f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42f5dff3792288c651ada65c148acf6c

SHA1
efaec8f0c04dfd83e7a765fc0c9eb282134976e8

SHA256
b54ddc7f757d4c8b593715fcd866a9392057cc823946a897bd106b56ce634af8

SHA512
432849a83549a22b04b4ad7a07065a3c537a9c479d202747c0202f955199f5935146fa7ab45c8540e06029217dca77296dffc5acf83d1ceadd880ec3f7fce676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
645f805bb952e319c389457de740dfe3

SHA1
9263c3d2cf2786addd326144540b7ef4e08b15c8

SHA256
1e31d29a4ed133693622c87b8709c83ecc875773088268b8114419c03da0c8fa

SHA512
ab7c16694dccc071947aaee56a341475f5a145c16333cf5e6d722135f924de5fd443c3ed454a9fb3d054ff1e440a5832175d9d4d7b8ec5a06c61764f0a95af58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2eecec7f7430b61147243d03ab972d77

SHA1
dff83aba2f9629d3bfdd6d9c5c9ded194873efa0

SHA256
a613a7b1c1a106d566a5c71c9204dc3b249e4b36a04b2e83aece4b16839c7593

SHA512
2b075d1500c4b1a5524ef2e6db5f4af9db07747555617d3e371840f45cd9218f052b9830edfe9578aba11633c0c968c038b41c845f4108ac566571716d63610f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ebb4bea08d885703c24a87ba3c0f819f

SHA1
38bc852385dd5c2a7d86a005e92d7490730c043d

SHA256
51d180957dc1bbe024ea583bbce75c2f2a598a434accd35041cc3ebd204fb17d

SHA512
0ead6627a47763252f041cfa28872e7fde0aa9c8c1f6fb1ad07a19610fee341da742d0647ac049400bd583461b24cc59c11cbcf2f2cefe43badc1882ee793289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c3d2e719534844507f628e760f4a824

SHA1
99ad577e62a794b9b13774e83cabe78c0b398f28

SHA256
d49f40083c9e865e70afc86cc7b45cfe5765d57ccf546d8293ccb6d1f4c74508

SHA512
7f225db6c259f3efd0d2895028eb5ce1c6c338e69cfd4e5713f37fa34e8f53ff395a484013306d318ac6f5bdd2e942b54f8a9c23117bb397e7eaf4b0bf6ee8c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a331aff477e05dea1703999c0cf29b43

SHA1
7ce377d51efef015cb7b39ee6a9ae54f2e61056a

SHA256
f0e24a432d16bc0145370d23a4b4258154d5a2b3971298cbddcee521871275d4

SHA512
4284e5758eef0e8bdaa1e127b3a0954e03d38cad2e673992e190e47d641b11ce7be50a66b00f5863f496406e9387e15ae021a927c337b69cdbeb0306675f879b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5844e37516243cbe384d0b2d36f916dd

SHA1
bd667c5acee44127a94b84e56a59083d0a51008f

SHA256
3d0d91679fc8b1ceef1771273722aaa33cc12cbec40ce8b19c07d46c9b6253fc

SHA512
61f842896e8a93e40daf39f4b0afac79b59063c9577c3f265543c14a35a92b7a95f5fa125f8fbc984c6843184a9c26e375c8c41d0131bc323687b963cc69bdf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59d519.TMP

Filesize
538B

MD5
158df0f6a341f517bea071a40646e95e

SHA1
4304bee2084ccaf0bd070252bf39d1c91f349d76

SHA256
efa6ccdb098beff312be1284a8de6d6630e47e74f251e0b949ec1ccb462cdcae

SHA512
8bdf044edcb6465d6e0145f7cb468ca109174c73df91ae4e3ad99301212d3d25d9773eba6b80a5deae07945ffc2082fd1281f7252a0119655c76596eb89ba139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
547534cff6244c72667f3344e58a7cba

SHA1
0bcac32a9663cfd166d2acabb7067d60eb3cada0

SHA256
2379d3d329227bc106ce1f4fe633fc3e69b4c761bdf5647b6e65776860a29394

SHA512
2945ccc8d08d8f58fa98702d7072e9cbe45c800ecd6e7e091ff3ce4a557304f5c32b045ee5e6a7d67f43e3b8e9c5de67f6d91739ed2664ed7134644441e20423

Download Submit
memory/1016-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/1016-1-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/1016-2-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/1016-3-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/1016-4-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download