hxxps://ptoszek[.]pioterontop[.]rf[.]gd

Resubmissions

02-09-2024 14:56

240902-sbf4bstejb 3

02-09-2024 14:52

240902-r8xlxasfmp 6

02-09-2024 14:47

240902-r6chystdjg 6

02-09-2024 14:46

240902-r5b6sssepj 6

Analysis

max time kernel
64s
max time network
65s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02-09-2024 14:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://ptoszek.pioterontop.rf.gd

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	discord.com
14	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "64"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-242286936-336880687-2152680090-1000\{BDAF99C4-E226-4E76-AC58-740A9FDF20FD}	msedge.exe

NTFS ADS 9 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\media_images_lubieptoszki (1).png:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\media_images_ptakwspodniach.jpg:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\media_images_ptakwspodniach (1).jpg:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\media_images_ptok (1).jpg:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\media_images_lubieptoszki.png:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\media_images_ptok.jpg:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\media_images_lubieptoszki (3).png:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\media_images_zimowyptoszek.jpeg:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\media_images_lubieptoszki (2).png:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3272	msedge.exe
3272	msedge.exe
1056	msedge.exe
1056	msedge.exe
3664	msedge.exe
3664	msedge.exe
4116	identity_helper.exe
4116	identity_helper.exe
2528	msedge.exe
2528	msedge.exe
5020	msedge.exe
5020	msedge.exe
6032	msedge.exe
6032	msedge.exe
6104	msedge.exe
6104	msedge.exe
5144	msedge.exe
5144	msedge.exe
5660	msedge.exe
5660	msedge.exe
6036	msedge.exe
6036	msedge.exe
5428	msedge.exe
5428	msedge.exe
2596	msedge.exe
2596	msedge.exe
2952	msedge.exe
2952	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3312	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3312	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1460	CredentialUIBroker.exe
5232	CredentialUIBroker.exe
2148	CredentialUIBroker.exe
5220	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2296	1056	msedge.exe	81
PID 1056 wrote to memory of 2296	1056	msedge.exe	81
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 2100	1056	msedge.exe	82
PID 1056 wrote to memory of 3272	1056	msedge.exe	83
PID 1056 wrote to memory of 3272	1056	msedge.exe	83
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84
PID 1056 wrote to memory of 1068	1056	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ptoszek.pioterontop.rf.gd
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffced0a3cb8,0x7ffced0a3cc8,0x7ffced0a3cd8
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6844 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6988 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7428 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8020 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8768 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8792 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8988 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9148 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7040 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7052 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8708 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8868 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8976 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,9809197731776362850,3079205570628784376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9028 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3260

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5232

C:\Windows\System32\CredentialUIBroker.exe
"C:\Windows\System32\CredentialUIBroker.exe" NonAppContainer -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f8055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ee16858e751901224340cabb25e5704

SHA1
24e0d2d301f282fb8e492e9df0b36603b28477b2

SHA256
e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c

SHA512
bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea667b2dedf919487c556b97119cf88a

SHA1
0ee7b1da90be47cc31406f4dba755fd083a29762

SHA256
9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f

SHA512
832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
102KB

MD5
68b0a390922fd778f5262c2397980e9f

SHA1
4f38253e586bfc6222caa30fd6f704cf213003c9

SHA256
8c42f9647d81db9f9ad7fa7981433801ced3045979dd378cc86e9685efa67307

SHA512
5208466e16f67cc8b0d29d4567e695b8c05afae3ded82b065d0b56d439b23f70ceadf09827205a6aa2c77ee5cabb72b29e25caca6d326b3b5e77e3edaf4c41d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
8aa35c9902f73d62063f03c34b658d41

SHA1
a6c4b256622167ff6fd2b8d1674d111139db9783

SHA256
6a03518f3b413aa65cb509a0ee360a03e502da4459063505004e9ff5e4ae535c

SHA512
67b5e6324861701ed91d0a111df94367969aece6a2cd8dede06e66fe473e3731e43e8d1b6e520031317b4bfcd7cae6eebe4e8b1fd6ac864e974f895b3af92a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
883a584a7a1441c454e44938dd3dcd60

SHA1
d810ec8f2131e699e917d24eec3569791a020c4b

SHA256
8eb4a317582cb9f6130bd8e1dcbb193ec6fb8f150832a220a43b3c63af5815f1

SHA512
d04144187ad4bc0f923ef921ae67e2ee2c6f65e4477e792bd60932a0fbc89e3a7a15450337ad72360e9424426b3f23f4ea70c534d1e6891f129bc009ff469d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4298f93c57bf064f6c3407744ac985cd

SHA1
0f40d6189e02b8e53640d4ba60a5afd4acfff181

SHA256
fde5d3952a7d32ad32e401fd842776b8f672025cac1e8c83dab570d1d9dcdab2

SHA512
1fae98e92c81166ff0a6f8665de2f1699cc57d49941dfbff59bf8e0fb52a7de634679765b00f2f256adfb5fdd80631d22deebaeb7cce9dc647c06e73b3318286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dfe9794fc961d3896d136598dea0132c

SHA1
564952b05985a218250dd26eed96550546d5b8fa

SHA256
eb2a216875c3f9dd8a493cc8b115638098cd8babbf7d7df84e5856aebca22dd8

SHA512
4b946dfc3b3ac4f690e3a532c8da13b6899bd246ddfe93495adcbea72da19e07860b11101f9c559072b7c38de715ae066fab73088df4e1e6e93eedc37579d89e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f97007362260ece6f969ed8ca564e108

SHA1
2d450b4b6eff62eaa6ea2b998f112243c5b2ae4e

SHA256
8916599533a56fe6085bd64357a50f1f9c71ee3501e314fbf1607502666cc4df

SHA512
03ec28e6ec7762c3e858e74caf95745d376bdb71b795c12b9ea7d5fcf60ff8e347f87131e729b7385674c8f799b9ed0b605a03e5ea410a28cf4979a5458cf49b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5027508fbebe51dc6ebcb141c4e74ef4

SHA1
5941ba4ca49080d8874b0e896b8f6e4dd2e422e0

SHA256
0916373e90c187662f5c9428d894b6403df37aa0fe453f14989d778158933d5e

SHA512
0ff47bba1878e4f47bde767098db7b6b01eaf4a285022ed655966e409f31b832665adef39a95254697018550e38749a265265fa5e2756fb832f4ba8ea4c858e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f4bb17c35708da74c33ed83dd9cd4214

SHA1
2dd5cb124349e590edb2adff690dc64445565661

SHA256
e7a52a3c343812917143316b45f50cf55b0cd2908f6e6c6348e49ffeb8b5e9ff

SHA512
516274ddaa80cbb809f3dae390b6f78b857ccfa2fdb9842e21f1ff36245dae9cdb119d6d4549788bea3cc25067d90a27f25aaa25fcc2f419e56efa082a9d8026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5465904bcb7adbadfe6bf7d42061a79c

SHA1
3b4e5998cc2924c4bf6f3a74f04e987d5920d3ae

SHA256
2a9ca8e5ecb1e2f672028d6fc63821a43caf2b5ed572095e8545bfcf44300de7

SHA512
65671d2d7203b45ccc6e6a3e570a1509f879e4a5b5bbed7ca539aec8c1dee8b52fe6aa13dd49bc7caf53d548e9bb7f2c05b6b547f1730b07e218f066e36c1926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8051acda44a766b899daa721fd116a4f

SHA1
374d6870e99ceede1f551e3d67c9a5c9135bbfab

SHA256
5f1cc35f7d4645c006a5ba26b3afad3372f9afb5ef559e134848f2891836af27

SHA512
22dec95dc76b59c469d1c4cb84d97a63a36c3ad0a74f9ebfaa1811ac79533640721c9f69b67a0005e80614a471d86dbc939a633145a64e78f61866d29ed68203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
b7ec0b6f02286cc9af08fc27b9cf74f0

SHA1
c8401fe754096af502baf40a6bc81c7994feabdb

SHA256
5938984ea7eaabe11115378b21debe8534efef805a2eabb58237412a3e8c88af

SHA512
98b3fdc8fdd4c72ae959a60df608e14169bd3d8c0aa6761a0743e16539ae431d50df405c4622f8c7a259a1afe80a7985919731d84680bfdbb088a5772072169a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8ff02e7649450bc4cd7509b5051025b8

SHA1
92db72abbdfc072af91a4ffe101102e02f80f551

SHA256
0c08a9c3d5d42f37d15f3d21b0a79d1b43a7f22c94fceba51ce384f3ca00d57e

SHA512
ce2c679e1b4e0cea0212aa1ae74ed3e11d9d8235594eb5eb06e57981d9ae9a1a537b7fa6fc3fa1ddeafb0cbf73016c438cb6d9c592b7df64e15171044e287996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d6b9.TMP

Filesize
203B

MD5
ab498ebe1c96ccd4c387e0eb761fdc6d

SHA1
6e0e17a14d6e195493a65c13cab8676369794190

SHA256
693b1a1678270f05036accc6884c46bc058369deaeef2f6857aaeb60f3878026

SHA512
270db01ee8f8691fcbb413cb70b49b5997199d9b78045689d5cfa16cdbfd622c14e8d30b733ddf2809426a1899402f5b2be37d218d9b07a1e989c5854cae3241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
66e8585e747b05bbaf061033c77fbac2

SHA1
f372d6cd86c2f40f803179c398fe29325781e4ec

SHA256
0744eee2b8ab23449b82844e00eedff07cc6a38bb78e93ee5a8223b13b6a5c9c

SHA512
4a36ea2cd60cf7fdcc0f9cba10373179e80191bb29caf20aee37eb36e54572d7625c3f06b0c4b0661f9a9247bc73808da39c549a0d91da72332014d510ffe5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8967d8772c5f528da71369b1f2491e48

SHA1
8f4ccb7de925f23a7a56a2e3c35a67fa51e693f3

SHA256
abc47d20a50e04fb1b97104c2da9c022c622261cac179407c3ccf504e499b034

SHA512
2bf3c198bab01cab7d3b795f94ce36e54257dbb489e6647c2fd5a6a205f3c5f034c51a5e04b45daf2b144d845239313a112e4021100981071c73f797b8298da2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 711948.crdownload

Filesize
46KB

MD5
9987455160273726f5894678429d5abe

SHA1
5291675ba62eb06953ea2543d139eb8d8ba1dd4f

SHA256
1480e09300dde94453bbf45950edbd2bcee237629c59c4930ae3dffa675ca75b

SHA512
75086a0cd7c6768c1a004871ce73e2da80a4b8b55134a881729b81067610e5fc61b5db5d9f4c1840a55f7fa74a782a8d3e33df10cb37c3d50eb6d6a560e1ae1d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 794721.crdownload

Filesize
4KB

MD5
0d9406f22c33746ab08f2ae809c4e029

SHA1
f85811fbeeb303d78ed6e029593fd80ab0c15ce4

SHA256
7b4efa4e224f9a9befa780cab54fc03cdc1bc6d90d78dda68856c1b91e26b9b4

SHA512
5d047ce63a638fa81cc526be6feb755a53a168ffe03abf602d5ab084bd3b89c93e05bbe9edf4bb42c0f960765d264272a29bdd44d1b4b1b7778171ce9fe4edf2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 937457.crdownload

Filesize
22KB

MD5
064e97d007644379c202d10e85aa7b61

SHA1
67de184fe063c2ab06ca40f5704620229cf94e76

SHA256
2b9fe468dc52059f3a207414600eeb8d787423d5ea5d45bc5442a8c0158bd4e3

SHA512
2270990af3b489dc3928823289a62cdb0dceaffa0e550505dafcb749966302120896832cc722a5a138c675f4cf142ea97ea43e49f4807f0a9e2c9e16082376d2

Download Submit
C:\Users\Admin\Downloads\media_images_lubieptoszki.png:Zone.Identifier

Filesize
147B

MD5
0f9c9fd7c5b605ea356ddbc004b4e94d

SHA1
8c6a2677b7b971f825f20382293dbfc840035e54

SHA256
3b2cf8b04328866db7644a920d1999e9d1994d002d66aed15b4eb80b9499f8fb

SHA512
3f717478d8675a4ae40da80be4bd03cd4a9b48aa935e6d63f39e24f6c0664662a6ce19880487324ecc9be631a929d74d28e169b45c0f953e1686c535866f25ce

Download Submit
C:\Users\Admin\Downloads\media_images_ptakwspodniach.jpg:Zone.Identifier

Filesize
149B

MD5
3322a7c85dafccc08035022ae4afb820

SHA1
9868d4696365dd7720bcbb5cb90a5dd3907c368d

SHA256
58b5487c43a6c188a7827290c6075dab18e686ebb6a96ea8ac29b7a40e0ba821

SHA512
4e6573bca14cd8fc916b0f3e497e297a34505e88d8e28b52dd8a4a1398a0904967be7067539ce92d60d6d91230ebfefffb99fdbaf7eb11ecf6235d583511a204

Download Submit
C:\Users\Admin\Downloads\media_images_ptok.jpg:Zone.Identifier

Filesize
139B

MD5
c893d0b7d7d99ab14a099b149b4e272c

SHA1
6be788017a22f0753877ceca042902a5c90d840f

SHA256
4e199de33d4468d20a90663757e670544daf91949aeb39fe776969765cc701cb

SHA512
404e7a25baa4693971113b90e4dbad5878847a12133bfefa873c8a3cdd359ef8d5598b1d6e1f5a39c7fed034507d93fffcfda2fe2ed84b6997b23798d744f430

Download Submit
C:\Users\Admin\Downloads\media_images_zimowyptoszek.jpeg:Zone.Identifier

Filesize
149B

MD5
cd2f44186f7874c37c05c5b09cf34efa

SHA1
b83e601c069144cc85060f547015762bd147f598

SHA256
68151de124c9979412ab8e730ff2025c19cab1e1d9c4cef2ecb01106b4c8ca29

SHA512
59ffc9a3c28eaa43eaab0f30bbc3d035420696be5d00d901cd7bcdda548cb35ae7ddc4762b1caceb6b49e06de7642cf399861ac87a7c2578586d2dc977df3c7a

Download Submit