hxxps://bazaar[.]abuse[.]ch/download/4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0/

Resubmissions

02/08/2024, 17:20

240802-vwh5jaxfkc 4

02/08/2024, 17:17

240802-vts7qasepr 4

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02/08/2024, 17:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/download/4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0/

Score

4^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2924	msedge.exe
2924	msedge.exe
3540	msedge.exe
3540	msedge.exe
4620	msedge.exe
4620	msedge.exe
2984	identity_helper.exe
2984	identity_helper.exe
1552	msedge.exe
1552	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe
2764	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3204	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3204	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1580	OpenWith.exe
4320	osk.exe
4320	osk.exe
4320	osk.exe
4320	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 2868	3540	msedge.exe	78
PID 3540 wrote to memory of 2868	3540	msedge.exe	78
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2972	3540	msedge.exe	79
PID 3540 wrote to memory of 2924	3540	msedge.exe	80
PID 3540 wrote to memory of 2924	3540	msedge.exe	80
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81
PID 3540 wrote to memory of 1404	3540	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bazaar.abuse.ch/download/4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff98133cb8,0x7fff98133cc8,0x7fff98133cd8
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,14397213020962026249,8381347391444163855,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4772 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3820

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4080

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2060

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1132

C:\Windows\System32\ATBroker.exe
C:\Windows\System32\ATBroker.exe /start osk
1⤵
PID:4084
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4320

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B4 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0487ced0fdfd8d7a8e717211fcd7d709

SHA1
598605311b8ef24b0a2ba2ccfedeecabe7fec901

SHA256
76693c580fd4aadce2419a1b80795bb4ff78d70c1fd4330e777e04159023f571

SHA512
16e1c6e9373b6d5155310f64bb71979601852f18ee3081385c17ffb943ab078ce27cd665fb8d6f3bcc6b98c8325b33403571449fad044e22aa50a3bf52366993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5578283903c07cc737a43625e2cbb093

SHA1
f438ad2bef7125e928fcde43082a20457f5df159

SHA256
7268c7d8375d50096fd5f773a0685ac724c6c2aece7dc273c7eb96b28e2935b2

SHA512
3b29531c0bcc70bfc0b1af147fe64ce0a7c4d3cbadd2dbc58d8937a8291daae320206deb0eb2046c3ffad27e01af5aceca4708539389da102bff4680afaa1601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
5af0f08589262b2aeb5b1532be2f19cb

SHA1
1801ef0eb1fd2c18e274a3f4ee81e37fb2cb529e

SHA256
de75ce2fc3663862178a74496013edc6a0931b9f1127962b04a28e15d7c3cbc2

SHA512
e7d835dc2c62f2d6acc73ef4e92ccfda6c572893dff3dd770382080a2d975c4c5d2a9720d16ae892b67516bf039ff54e93fe5bddd0b83e74cff8a84765a7e227

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
65d212e1bb956d7ee21cdcface06cd04

SHA1
27295adbb03750406e04cd7940181948df37a2df

SHA256
f70b2c06b18743473db3043a5520c4d14d7525960a906cdc06da0d690e052054

SHA512
0dec595796bc76ac13bb1225f630ed5832cee927f4bf571d8d319e92c02f51658f9f4bfa740557f06dbb970fcc44ed931b5393f7c1e38068ba0a2085341ff858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e19d74cef46182993aa2919d9f13d5fc

SHA1
2ae8b5e23e2c7c773d52fb0a85e8e18b4db0cf98

SHA256
98d143b27b32defdd31613221aefe8af40f62e4819e42790d2711d9a058d90e1

SHA512
fe21c12812a93e571b68471374e9476f77769fa4ae0d38362e48aa8f2878706f9218a7892ca41821a8704fe4b09c2863e7509bdb966de08510b105e7ad27fb1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d8df912a8ff6b66cd7a37ff9ae247cd1

SHA1
cb4937f3e1cc3c6aff16420b61774eae26efb8c7

SHA256
d4ec2eb4d9b25082a3b0b1297dc74884de1e604f58d22ac36aecdaa4d457dd84

SHA512
18e5fecda22470bf9e11c42d15529d347302d593168044ecbde2be43f6a3966b7f253e3982b58408ec77987e029db35659d5e8fd6606c172d18704f6d42e95fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b4e2d04e8ef0e1c25cd18b547c1b88e6

SHA1
f609bb6acda6e14f46ab6c80b759b4f91be0a6c1

SHA256
3dbd8de8ca6476d5a838d938a1e40786900dcc6948b2acbc9f621174168a8a70

SHA512
00bcf753c6115cd312b8f962e1fa652f70ce1c2e453ee521c929a78b478728c7bbe9382868907ee0c7834c069b13e977562e427dac9a26bc6a74c5731a35958f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
409c626a0f2910d1717fc933b652fb7f

SHA1
3d9a1fa6c5df4c6655ca91b8df2bc0ee7cf915a6

SHA256
0cad4d5de766fa363c0a3e573262f50eee5db35546f6dcc8845482d2b80c7506

SHA512
301e54cb4bde4ea7c86f16728f51f59a0e37e0fc8fdb74d6430e458dd34ec55b5dfb705a94e41db2a646ebd303d17c08e22293dfd1010fb08c6843138e261935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581558.TMP

Filesize
370B

MD5
8eaac92946c75da0c729463011fef37e

SHA1
e07aac2a4ce36043d02672af57b9aa5a9cf6ce5e

SHA256
f42df5af25217ebe15ad0fe2bbaeb7d6116c35d764d7df522983528f2adc6cd1

SHA512
6a066e6958554219b7b055aa0cd8beb122b15b6ced3b11c072524e93fe08127bd0b2e68b3032bafa8cd71018c638e382a83fdbce5244764cae19623215f36a35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d4bdeb5688c72e8872c33cf80101c2ca

SHA1
dcee750efd2d014e0f2940ec2557c826255e4696

SHA256
4d9e37aaf37b567803d3ac689f4304d19133af219e6cad9e3e6f40a099ccef06

SHA512
9c2e0c034cd1f70a28906d39f08903e9a0082fca7ff448cb3cd58da14f28ffd66ddd0b47e828cf3757a723190847db3e92f5c88cb11cf9a3c6a543afd54cdb64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e26b762f5b420a65149ad1fbc6cce327

SHA1
47e81b22ae5e2a1e393e9eac8bd31fa68debe3a7

SHA256
0a272452eccab32070997518a5e1f0a9e961392bb0cde0ff5cfbc48cfdfe87fa

SHA512
934173273ce7839363b3c675fba634f9140a8706b9159b8ad337a8eaf4e1b2ba16a5b8c720c4d9aeda8d0b5bc171035c463c603bb1e9d230b8c92e3d17c488ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-8-2.1721.2060.1.odl

Filesize
706B

MD5
732e90a5c531a88f49d5999924ed686f

SHA1
ad0a42b7b1b7e60442d7d73eb4f2e447a3b73a91

SHA256
7ccc56e48b6e7fb5b90982b9df6d93ae4c87efadc76e5dd13487e2aea01e23ef

SHA512
49466aec56acbed86a589788fc338696ac55053820939fc83d1bf01034674488251cafc7e95f681e0dd8384a4fae4ffc2b1de86160e7572b5bd5044d04efdbb4

Download Submit
C:\Users\Admin\Downloads\4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0.zip:Zone.Identifier

Filesize
202B

MD5
f3b98089ab503c59327bbf2bb26b4632

SHA1
bdedafaa7c2497889e197dbec7ca681516e4a78e

SHA256
05eca8277e69bec1c7d8b410c5734e2979dd5d1d1d26df88a3094b633b61ad77

SHA512
f0d24b1717e06a4f864d7e3b7c901df5a6717c85a03644e3389bed688f322846af3eeac1849b938f493296464aa269d83776d2ed4c0115d88a41be9c3c0a8288

Download Submit