emotet | 35091e1314cf0ce5b7fc7c4d5f8e62bae5de7054b8f635026cafd4cee3a5912e

Resubmissions

14-08-2024 00:49

240814-a6vk4ashrb 10

14-08-2024 00:42

240814-a2f7xasgqc 10

13-08-2024 22:37

240813-2j8yravcmn 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
Size

149KB
MD5

95062f159bddce1c47bd708d8d244370
SHA1

4f1742f0f5cc4e19ded0654080ee0b8931c98c69
SHA256

35091e1314cf0ce5b7fc7c4d5f8e62bae5de7054b8f635026cafd4cee3a5912e
SHA512

b7855c6491aeb5476de2c63f7474016b358f514aed0423140e9b7c85dd44f8559040bf3f0d50b0a961310d6eab7d81d00454941ce94c3a84e01fde6615f4a879
SSDEEP

3072:ufDd+s5q0Fy/3sU6OtX+9F1cYsyE5+FAdjI:uLng/H6w+L163NdU

Score

10^/10

emotet epoch1 banker discovery trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch1

128.92.203.42:80

37.187.161.206:8080

202.29.239.162:443

80.87.201.221:7080

190.188.245.242:80

12.163.208.58:80

213.197.182.158:8080

201.213.177.139:80

62.84.75.50:80

45.33.77.42:8080

185.183.16.47:80

78.249.119.122:80

177.129.17.170:443

51.15.7.189:80

152.169.22.67:80

119.106.216.84:80

109.169.12.78:80

51.15.7.145:80

219.92.13.25:80

190.117.79.209:80

rsa_pubkey.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Emotet payload 3 IoCs

Detects Emotet payload in memory.

trojan banker

resource	yara_rule
behavioral2/memory/4608-0-0x0000000000690000-0x00000000006A2000-memory.dmp	emotet
behavioral2/memory/4608-4-0x00000000006B0000-0x00000000006C0000-memory.dmp	emotet
behavioral2/memory/4608-7-0x00000000001F0000-0x00000000001FF000-memory.dmp	emotet

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
144	raw.githubusercontent.com
145	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-523280732-2327480845-3730041215-1000\{D86E74E3-9662-4A85-9D94-372D04533A63}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 379127.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
2552	msedge.exe
2552	msedge.exe
4436	msedge.exe
4436	msedge.exe
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
1096	identity_helper.exe
1096	identity_helper.exe
3880	msedge.exe
3880	msedge.exe
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
3304	msedge.exe
3304	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
4608	95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4436	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 3216	4436	msedge.exe	94
PID 4436 wrote to memory of 3216	4436	msedge.exe	94
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2968	4436	msedge.exe	95
PID 4436 wrote to memory of 2552	4436	msedge.exe	96
PID 4436 wrote to memory of 2552	4436	msedge.exe	96
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97
PID 4436 wrote to memory of 3248	4436	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95062f159bddce1c47bd708d8d244370_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc28ab46f8,0x7ffc28ab4708,0x7ffc28ab4718
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6552 /prefetch:8
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4056 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,14960340265834314752,9467733417015809325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1
  2⤵
  PID:5512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1016

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x44c 0x4ac
1⤵
PID:4732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
a074f116c725add93a8a828fbdbbd56c

SHA1
88ca00a085140baeae0fd3072635afe3f841d88f

SHA256
4cdcda7d8363be5bc824064259780779e7c046d56399c8a191106f55ce2ed8a6

SHA512
43ed55cda35bde93fc93c408908ab126e512c45611a994d7f4e5c85d4f2d90d573066082cb7b8dffce6a24a1f96cd534586646719b214ac7874132163faa5f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
c79d8ef4fd2431bf9ce5fdee0b7a44bf

SHA1
ac642399b6b3bf30fe09c17e55ecbbb5774029ff

SHA256
535e28032abf1bac763bffd0ba968561265026803eb688d3cb0550ad9af1a0e8

SHA512
6b35d8b0d3e7f1821bfaeae337364ed8186085fa50ee2b368d205489a004cb46879efb2c400caf24ba6856625fe7ee1a71c72d2598c18044813ecde431054fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
9f8f80ca4d9435d66dd761fbb0753642

SHA1
5f187d02303fd9044b9e7c74e0c02fe8e6a646b7

SHA256
ab481b8b19b3336deda1b9ad4680cce4958152c9f9daa60c7bd8eb6786887359

SHA512
9c0de8e5bf16f096bf781189d813eeb52c3c8ec73fc791de10a8781e9942de06ed30ff5021ab7385c98686330049e3e610adc3e484e12ef807eec58607cfae63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
27KB

MD5
c3bd38af3c74a1efb0a240bf69a7c700

SHA1
7e4b80264179518c362bef5aa3d3a0eab00edccd

SHA256
1151160e75f88cbc8fe3ada9125cc2822abc1386c0eab7a1d5465cfd004522c8

SHA512
41a2852c8a38700cf4b38697f3a6cde3216c50b7ed23d80e16dea7f5700e074f08a52a10ba48d17111bb164c0a613732548fe65648658b52db882cacb87b9e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1ba208775fb5fe09_0

Filesize
4KB

MD5
c136ad6f3f184ddde1029c642c1e7ee9

SHA1
6a819e590f8ba5e6eb19310d62d85298192cd750

SHA256
3536ae3ba8f2bd5d66ef0b949caa58eb8f4893ca223363aadbf193a4785e3e45

SHA512
6432d9b31c5043379362b467fb85193096ebe95c18520a5d276cc0f62a8c25080c3222f567f48129da5d8da2a2de0d02f0095c9a3503d5f57ecf84129be27bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7cf9843337c39c04_0

Filesize
1KB

MD5
0bc03930e89e99ee0ee51d166330b9b0

SHA1
55734f02d8c1887e28474301017bca793dfb5527

SHA256
d765e03bc5bba828dd022f46d1a15f9a9deca7bb5e4ebec283da336567efb423

SHA512
59da666558a77d54c9e7cdd78cbc0a7c12782f4298d208b84a06630c6329c7890d649165d48febfcb249ab5339ca3a548dbf19b041991480409564377cfd1642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a51ef587dc6dd4bd_0

Filesize
10KB

MD5
229b6149de443583c0fdec342d80bfd2

SHA1
839ab50c6f0cd18a4a766a8c9738557bef013190

SHA256
e7a3d3c38946f1e8c09f320dc9dcd42903ae78808f666a1434ad54f8b0216bcb

SHA512
f5db53036c52688d5d1a213217c0c2c3ed666a81c796ba7cdef95d0971533fa5dfeec443b82966c9c4cbd934355ea7935bb7c9af82fcfaeda5b7905ab632151e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f15925c0a386a6ac_0

Filesize
18KB

MD5
22cdf15483eae62c0435e0a564617db6

SHA1
8f233cc8c679d2e58c551c8b9945c46a4424af1c

SHA256
c50bfc793462cb7a33517da58d8a5fbf31ff9262a24b995f246c1401f01d4d7c

SHA512
3f50346f8493fdb56e5ca55bf7281701cc09c1ea26ed095af7315cbeea7e4d892600b1252dc1ebddaef2610b081f75616f7173a2e47fea7964d46503881110a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f20ec242b5c8f439f687ab472259458b

SHA1
bb65091eaca403ff0a75b63ac034702ebb34e832

SHA256
90fdbdd9e154b5ecdcaaa1046bb677dba12f70d028326d675009bfcabaafecc2

SHA512
28cd213c8bde6ef24b6e6e3c09f120effc68fc0e279e9e911fc39be0625bb53c031623b3a0a0330a0e82429fb11472c8554cd134bd4ad6ec21a6df15ed179d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
50c64aeb9b33067f3cfeb6a1641ef7c1

SHA1
2082dc76488724be2682686229aa90b143359b05

SHA256
0d83ff820b6cd93680cea32c9294d69391522ccd6f4d54c59cf293f0dcacdeb0

SHA512
2d2d3c9d1452761b0a27482d9ad67a3485f7cc9b4c4aed765349c1915f06fc7792c7faf598dda1b36f276d202a4e1d95c166bb8d25b505d757f97642d351df9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
479B

MD5
90922edd76e8a408aabcba0d39a519ac

SHA1
883a8b0f1ba8405117a66197af1eae196dc95e4e

SHA256
288f980217e4a1b2e16091ad365ba00a347e8ec3767808a5cc7a325ae337fbd8

SHA512
5c018ef7c8a61423d1fd55a7224557302420986efb8c66aaac2a7f0ccd41d696ed44dce72ab37923661c7b8f3c82b399d0ef659e2279ac13875ab2711814d908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
be03f697f57cd447833db335264438ec

SHA1
45b3d87ea14e4742ab01075cb96137cbee951cf8

SHA256
e5c994643897c868737f9b1cb0e9c7d096b96288da7da64c3acbe5a7dfdfb184

SHA512
19242ab7e9ee5ac376a1044cdaaec6b2939c6b0d10e82f9da393fbb2e39f31a78927367994be54ae97925c98ee70e184db78a9662741eedf7de4a7374f66c3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1104cc4e538e758e324b015c848d5fa7

SHA1
c6df77d26c02ad28f5151e5ad69b2e7203a59c8b

SHA256
3a73f7bbc603aebe2f4131e25bc1e32e8d14f6a86556aaecc99b66fcafac2e19

SHA512
c6011d5a43540058f03ab8c0bf8bd1b9e54dda49769788a3288561fba62fc203ed700d45222c6c17eeb841f1f8d438723cf0211fb41a0567416c422638731b10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e1beda527efeef17feae0cb45c41f281

SHA1
cd00bc66bfd8e1e546124db5629bf87b28d4e051

SHA256
a4f24ac4fffc727abf309feca49f9334bba67a1536779110b0634456f10fd4b8

SHA512
dc488af5421707e03d3b65060ed5837c411c7fd74e54f0543aa016e2adf3cce60b87abb669214cb901b8b5e5b7c5647b08b14f3ba616d89223d222133a4c7ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1fc40a100486a97dc4bb33fe0cef0954

SHA1
2e9ca227557bb1560407b937692cdb5be737efc9

SHA256
6598ee44327e76fb0a191ae147ebcd51241dab8377bfcaf88d3395fa90fa8941

SHA512
7fe675623a8b307ebe7a45165bf2de9c9cf28d25f82f60b89a8180cfb3ba86f437d08105c1fcc934a77cf2779aaa709c98a550d96ae47ebaff6afdc4ea05afc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9b212df0e2da5b84481989c5fb1bf9c0

SHA1
3f32b31aef1b3b4cd6b5d578a3ab16ba603c87a4

SHA256
5109325d89a9f16fb2d9cf3e8e0a978e40e339ecdd9aea51fa4eddd278c5fd7e

SHA512
5d8a3415e35ae7e45479c283fa9fb6301494df360b1e978a7af035357a0b5e9d7003d2223ffa87b74574313a3b5e9d7bd597b815c7ea9347022fd799f1084f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c224940091e699e524ff0ab51f33f3e8

SHA1
b9bb18b7546f0edeb26145553cf8da96fa8811a7

SHA256
518367381e7f03c38749bf7c2aa84ae46a24afd8c9ceda35f71f46e28b392124

SHA512
eb3304f9561131f5f83a7c7921e1dafec24442185de0b1e22eb046d641d806928b533eb3a60aa60598706f78243802163c167fa193c2f2f1c16487d942e2d468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
12bcb94d351f0623264f3ec07429d78f

SHA1
39229383cbbe0446944ff4dea4e3078827c57448

SHA256
387547c306e40b6a5b3ae918456a92fb0f880a90a6f84a7647ac23363f108838

SHA512
572b82f998d52f916e1ac9dbce9a0a347eb916ac4a1cf034a8a43a05fe28534df2ad4acecbeee3ef0dc2f1b82ad8c9ae22ec0a89d7c8b76cbe66676565ae461c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
2fcdebf9a622945844c9c07ee8d12b5e

SHA1
50474d3b94d7d5292bf06b0f7bf846a08aeaab96

SHA256
418d75194771355a499a49bd69f4f36913c71b066d2fbb93da193e382cb16b86

SHA512
c7300cdd4e277589cc1a4ee9e001b89d8b5443463754430821326aebae6f4e7d9bf73ecf0818e3f8ebf9d78a2aefa5a250600d60bb6d9d483343d33dc54403ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
f4ade083ac769501ed516bdd3e92dc58

SHA1
6c6968eba1d86aa7fc6b4bcc9156984cef1c639f

SHA256
4c36a54e163deb35f8c9db8e55392d72f1a25a371d79515938b60077b057ae05

SHA512
ab6e1454311afd21b6e2144c667dc3b0b0b8bca29c6f2b15ef090a4ae0c6687ce4926623b6dfad3b2a28b0aef9e33a443004012c6fa6a4a617d35cb4c4655ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a1597f623cc40c2a7ebfd81945ec087d

SHA1
d04bdafc9f452e08c5bb8461460fdee185cc69be

SHA256
41c6ac66461aaa7bc668b7c686535cab875fcd990363919db7dcd88d7a666efc

SHA512
12d40fd266d2d9d181fa6b19cb31ac7603096891274da45de5b0b698002ded4672bf70ff12ec8c75659a244af2127bd60e39978af5d9fa931c109db2344cfda8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fcf9af7f1f6fc93f926483de43c7be11

SHA1
1a1efcd03688b288a3ceb0a8d9bc29bd09d7de50

SHA256
bb6e5a313bf78769d0fa9fd7e4a9eb04cbb425bd3e8f0342c84a661ed257c30e

SHA512
1b45645292f423b8def1f71056fa397872fa8d775465b8369fd2fc90fcaedb833a91a6fd5400508cf92d59b9bc1c95d9d3ee76d509baf761b615419d58c293d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b0c5188f48f4e719f24d4d034b4943ff

SHA1
c81049a3ce3412a5e81ade45bc6c88b36b3a3088

SHA256
3113e782fef6526d071ef9edea1029cfaa1e9c19d24570f9b5740cfa08cae9da

SHA512
aad4c1c93ce3e63ef0ec31c8e9fc513080ec9fd9698c0a59f86450930bf54e69be9b2ae9b3288919e539b85af8b063415f7e0d639ad68bd905092a3615319ffb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8e7717d1b0185072bbe3fb29204b116

SHA1
137c502ea8898b1cf73c750793c33073b37df089

SHA256
ab19f3680361f0ac821ee06be458d6d942399733f5ef2cffb071b7d9b84188a7

SHA512
b95fed3867f179a12313ad500d6aa6d731b407cb3373fd9b13cbfe5709e9035b429e891a06abdaf6d6d21bf6e2677eee463eb8c6217fee2a281185da5c805790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
89a135ff5a5c2b355b1aefd83a434168

SHA1
8ff390b27f18c2f4e06f02e93e9c77ed65188574

SHA256
9df54b0baad93e40937cdcdd7432d32e6381c8728172f8d8d95d6ac0344db6c6

SHA512
bde019688a21999b97541fbd3b01daafa9304eb5f74ab986a7a2f0ea8a0d1e4ec3bb29bcf712a588da68cc03302ad76c226f5189ca051b55e6bb2a4550ec00b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583fb4.TMP

Filesize
538B

MD5
52a2c34e7e6ad1eaf49500f0cb67f0f8

SHA1
a484c45f1bcf0b7df9995b032d241e764e9cfa19

SHA256
0733be468464f64c1554cf79bf57db9bf19f2928b6eacedf5eadea2e6b1943dd

SHA512
1743b276d3877c9eb047a1626f109cccb317838baafde9838adf7d4284396e229a6c61489596026a30bc090f5aee6bc924006c0516388b7e40fa7f67cecd7db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6f71633431d57a7a100d581c1d555458

SHA1
76e2db69948e3d382ffe0f7738bddf133ef1c97a

SHA256
376364ebe8ca131cb8789cd5b3204abec884479d48c02532168cd35567323079

SHA512
1ea2d004f886b4f3e46dbcf6ab5f7056971934ae2385a3af5f2cec17da051c1ac7bef7ec3b29dca174bc7af1db572fab128139e616e9e50e11106679a6ecb108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e6277f18815075c26736de31b5678eef

SHA1
9de39b99535c14fb16ceb5e53327c15c3eebb79b

SHA256
532c625c82724ec306bec93f2bf74ed6be2fff47704143c5fa419b0a915c8ef7

SHA512
2affc461fd0c22ae40ccf31f7bc6d065f9e28c1824236b70dbd8bbcfb7f4c70e5c2684754f5e5daada26a1d4eefccf5a2f0affa3a3dfdeb47229458cab907a45

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 379127.crdownload

Filesize
64B

MD5
5d9e0094c47b9de4473bea1d966c4f96

SHA1
7a6cd7ad7bcb31b6e87b2fc8ec8ec5e2dc3be55b

SHA256
cb1f493d64d2d4fda06c3ee8a1aed6a1041255d192fff223b78cf5645b371dcb

SHA512
016fd7a366a414f74c7388c499c27eec5d8a547e03584feab00dfabd503e25b6c63ce94ac82e3a7ea4b090410d58944d4cf4d4f12601e6af521619a361b22a5b

Download Submit
memory/4608-0-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/4608-4-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/4608-7-0x00000000001F0000-0x00000000001FF000-memory.dmp

Filesize
60KB

Download