hxxp://oss[.]jodi[.]org/ss4d[.]html

Resubmissions

14/09/2024, 13:59

240914-raq2gaxglg 3

14/09/2024, 13:55

240914-q8krnsxfma 7

14/09/2024, 13:52

240914-q6lwysxbjm 7

Analysis

max time kernel
203s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://oss.jodi.org/ss4d.html

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
3176	#Reset.exe
3176	#Reset.exe
3176	#Reset.exe
3176	#Reset.exe
3176	#Reset.exe
3176	#Reset.exe
3176	#Reset.exe
3176	#Reset.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	#Reset.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4240	WINWORD.EXE
4240	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2256	msedge.exe
2256	msedge.exe
3624	msedge.exe
3624	msedge.exe
2180	identity_helper.exe
2180	identity_helper.exe
1968	msedge.exe
1968	msedge.exe
3132	msedge.exe
3132	msedge.exe
3744	msedge.exe
3744	msedge.exe
3812	identity_helper.exe
3812	identity_helper.exe
1940	sdiagnhost.exe
1940	sdiagnhost.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe
2828	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	4708	svchost.exe
Token: SeRestorePrivilege	4708	svchost.exe
Token: SeSecurityPrivilege	4708	svchost.exe
Token: SeTakeOwnershipPrivilege	4708	svchost.exe
Token: 35	4708	svchost.exe
Token: SeDebugPrivilege	1940	sdiagnhost.exe
Token: 33	2912	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2912	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
4496	msdt.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE
4240	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 2096	3624	msedge.exe	86
PID 3624 wrote to memory of 2096	3624	msedge.exe	86
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2456	3624	msedge.exe	87
PID 3624 wrote to memory of 2256	3624	msedge.exe	88
PID 3624 wrote to memory of 2256	3624	msedge.exe	88
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89
PID 3624 wrote to memory of 4828	3624	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://oss.jodi.org/ss4d.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb979446f8,0x7ffb97944708,0x7ffb97944718
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17809684685476620031,2184968585668966253,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,17809684685476620031,2184968585668966253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,17809684685476620031,2184968585668966253,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17809684685476620031,2184968585668966253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17809684685476620031,2184968585668966253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17809684685476620031,2184968585668966253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17809684685476620031,2184968585668966253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,17809684685476620031,2184968585668966253,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17809684685476620031,2184968585668966253,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,17809684685476620031,2184968585668966253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:440

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ShowSuspend.odt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb979446f8,0x7ffb97944708,0x7ffb97944718
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3808 /prefetch:8
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6728380034715614021,17969281718244805009,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1076 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Desktop\#Reset.exe" ContextMenu
1⤵
PID:1532
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW4F.xml /skip TRUE
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:4496

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5gbfffxw\5gbfffxw.cmdline"
  2⤵
  PID:4380
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CA.tmp" "c:\Users\Admin\AppData\Local\Temp\5gbfffxw\CSCBB35383CD8E34B659B7716AD89567A5B.TMP"
    3⤵
    PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0lpt4t12\0lpt4t12.cmdline"
  2⤵
  PID:1540
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES447.tmp" "c:\Users\Admin\AppData\Local\Temp\0lpt4t12\CSCCB801F2C8E764F758A12458181DD4D1.TMP"
    3⤵
    PID:3432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2npvag1n\2npvag1n.cmdline"
  2⤵
  PID:4140
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88D.tmp" "c:\Users\Admin\AppData\Local\Temp\2npvag1n\CSC4B51C1633C98421C8A5E744DF778D630.TMP"
    3⤵
    PID:2772

C:\Users\Admin\Desktop\#Reset.exe
"C:\Users\Admin\Desktop\#Reset.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3176
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3604

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024091413.000\PCW.debugreport.xml

Filesize
3KB

MD5
896e1c0a7f9ae796a284caafa030f50c

SHA1
d81e884b77cbd084fa348e99b861030f5b6fd83f

SHA256
b0052f12bbf6875c40f81bd15e2adc367e51b2a5cc5d9a2750802ab0cf0eb443

SHA512
b6f621c4e63a4cdc5bcb07214abdc746eba0c5bafddb8824c49215c90828fbba06d0e0283f4806f972fad3a3af5ddd9f90aeb312cca66f0a36c82808b1320d14

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024091413.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f64e29fc43a54931c75e07e2271474cf

SHA1
1355fab6a603178b633d003423a9a9692e75cca0

SHA256
a6ad6d838f4bff52421c61bba55125b584e0d1128d6007538d7aa7ee60456bfb

SHA512
61f1dd0e5c5349f0b60e017b5e58a346480d0f8ad6fb27f2afa5af7a4eb5f58ffd7c56eccd5807fe6a159855067a8430512d244364a1a9eb8b9645c127f862c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
5c19cf2127f5f19949d8aff94b4bfd14

SHA1
49a843932d4e4288e26ed9d560f575986e92650b

SHA256
7b856864528e65e44e1bc99c9409c6c1425cca5fe2159deb0e19824878ce9221

SHA512
a6f43bade65d364851cfcb94cfe8ab69876ecaf382e38246f112b313001b9948f94e20850f91f5e45b9b430d40a30979730f3daeaa5c404c7d350c5c83384017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
96956badaea62492cca540ccf3eb1509

SHA1
5679fc0a19624a61534e03c21952515ae161e086

SHA256
5c803c0f80d648967d6e75e6d38fa5b92876c0ee826a3fb57ffa512fdd50209c

SHA512
4f39bb27ea44b64714d3876c02231f280d6445791471d639d0a5c37760f6b752e0b4597f78dc32fbb629af0ef40e46b9d283b9b1b91ca213a97aeaf01b8f7fab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Collections\collectionsSQLite

Filesize
64KB

MD5
2b65c5d1ab0aa3f3f57c635932c12a5d

SHA1
b532c837537438e591d5d6adbf96a5dfe5c40eba

SHA256
c111777e9b9a42cf62b06900b847283238af63d15033c40577cb10aaa58c084a

SHA512
7d75089fb928c23c0166a74bb2baa3c1245bb23012d30ec2cf1fe71f8412700d354d4b9b8070309b23a5b003e37727ecd00f9ffaa018ffa5bb67ad1bed58e175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
ec10cd08fb70d583683690f16eb52f83

SHA1
ebe005da9d45626044a88d1af42b4fd2ed01fad4

SHA256
d77d13de8b7ecf437c65344a174d9ed229f730f2e95a7d097be145f3a1cb1fc2

SHA512
d719ea3178d17db0cc5cf97fa84fcea57f5a70d64c08b2184c959e8f2dd522347bb91d34430482a78b7fb1edf2943e653631bc70fd0050b59f1e238446c964af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
67379453749cb2a24accfe22b0d4684c

SHA1
fb729db12c7eda6fc2cf639aa2ac4deac49e5b91

SHA256
1a30650ee0a9c8d02fadee21b97feef30e4c902c816f53db6a9629fdc31d034e

SHA512
e5bcb51302d8b60969c44b98a80cf66a9720e27aa6513a8096f2a3be45dc5d9d6afe52ead3c9bc477d522b6555a4fff6f5c530d0d0586dd5c8a162fb9143d540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
1af78eee2f39c33b170b7b9be4b49617

SHA1
bf1abe76865476d91f6abcd4271bd598d9558d6a

SHA256
89ebb6efda2845d0225cb2f958e54b1f512da3b01e8a264b5192f67f5a5afd26

SHA512
ce18dd59aad39d0606dc0bc1a8bc3275656d7086915a67e61ead7d5fc866299ecef655853367c8f3b61348c08d5c3aee9943066c00c80245a7e832a9594eb10b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
379B

MD5
13c766d64b52b4b9191d66da6d6a2f5f

SHA1
1fba455cfd89c85794a063ff95274398fa3a0dd0

SHA256
9e6b1fe23a2f9ae006153d9c6386bc953cf96194c92b501f732e3e81209c935b

SHA512
2b46d36cee081ffb65f4dee0f88842c33bce9bf5ebf8c39aee1650240d95c47b6905ed5f23ba3501653c7a922598f2b55f0776204061977f6b86412f16d450a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
8KB

MD5
74731b2a377e5c7638f398683c057231

SHA1
11abb575d6ecb9f4b82524431bf692c5219c5390

SHA256
7556e460c32c3db5fb3d96df3fccba6d1fb5b68690353ca9c8bcd334b52fd891

SHA512
f2f95db9496fcd1c8ed07836d46c9c764dceb9693e1cb82cb115b03b2f5cfd06f3f9c4e5d3c2f4d50430c57e8d451c7bc4a7bdafc4eca167fccc1e19abe36865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
abbdf7da12a20a19f2fcc42f61d15e5e

SHA1
6569b90fddd8097b3e67c9431989241e70acba70

SHA256
a26eb1f1f49ac719127a1b0a1287493b4d28b40c6b50e0fa737916e3057afc14

SHA512
09a6cccb4dc69b8065d233cf6df58523685eb9be1c9c217d9f2e6c4016c46c661f1d4a3f0d8262c09ff4b2c569151c5e2a4b29667691b3134721a5afc290846b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
648a2f6962fd020c8286414722ba6a2c

SHA1
5d47e3fc4407b076e3aa0822bdccb612143965e1

SHA256
29c6ae8244e1ec76457fa60e1c473f1c6633b0cb2daa994e6f27e533d380d926

SHA512
90ae9055d15b56c0807e2b5bf2cd3d388d750ba0ba75d13cde60cb94f46e4793725d8e3d8f9e402b7c938bf646d0c2c62604776383fe2a7c5f70a03fbefaf6fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9b24373f0f07ed99e2f7c4231b24aa3

SHA1
168d2cced5d4c8a6fbcd4839180ccf8e66300ea4

SHA256
9431120f962f0b66a76a86d07cae85d1324c9fae83eed1217132262ec4111ac4

SHA512
d7791dd111d3ac066b29badc51de0e2205172ea5bd940f966dd8585d631d47eea5ef32e681801fa7ec09573935629d41d195d61105705d4c531049a95ea07b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fec768ae43d73f84a59f2ce0d02ba061

SHA1
82a25d3d6d0141bc961247bf1d061b0b23214fb3

SHA256
efef8c570b5b9e574e8d74655d635c00e5dd3a037bf2ff0f99a665c3abc5072d

SHA512
63339e742c6db1b995fe95c70208be13a6e51401d5e11993376d8f32633c81802626ad93d3590eb6e24b39c379c24d114c03a6d3c99b76e3649486d8466af30a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
29d7a197824681559dae11a6efd18970

SHA1
184588c7b0a66af0ca1806364c5970011af17b9a

SHA256
1889b7dd6b7450b52faceeddc196f28d5c4341beb194681a671e0cf7b0e6c926

SHA512
7deaa7c7051fd43ccf62a775a136985ccfe07ea8057c408426875a74904551abc3814fa71bb103032d03640b27205c3ba361f3b4d4e4b4a80324adf0932f9f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b4b566f881b6d37d3bd9a18fd94c86f8

SHA1
fcd7649d1c72a0474a5631403251f4fe029233d7

SHA256
4325df75e420d0c4a0c02ac133ed19be98f236efd1325aad4a0fc9cbc65fd143

SHA512
8b06a312c1eea184d5557eb5ec5c7b1c8396268a966ab491e7d618b3ed49fe34ba60c393b66502c96d0ece5fe3a8f3fe148bff0583b9727499364044c9c8254f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ed56ee8b1953f8e80ff53f9296eef5d4

SHA1
4af2d3d7f7616eedca6b97fa616bfcd085d83704

SHA256
9b21f7fe7f0befac9f905c2692e5ad27ae3c1735ec5a6f34a28cc6af9ca9918a

SHA512
54e0c948c6c80e01af826a9f9f2b93c22bbe7824e89f9252ad07acfec79c498af5c04b5be64d4f46144516d19b25b53852bc321def551acfdc9141f1b64c8192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
156B

MD5
fa1af62bdaf3c63591454d2631d5dd6d

SHA1
14fc1fc51a9b7ccab8f04c45d84442ed02eb9466

SHA256
00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d

SHA512
2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
2be41033af6eb7468a32bfebff8230b9

SHA1
1c9fd035f522824b4a0ca6f076be9997bb7cf0c8

SHA256
7518daa2dcb283452a72bc8a5a581d4eee619982ec2502bb86ac5a0f36f5ed7e

SHA512
308420cd6d668f1850278c2e0d59d826203a5b13f74c745932ba0769b4c73cee11994e0b969cc3858484eec83b9d1adbd2a1297400101bc3f33c0700ec1b41f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13370795769076947

Filesize
1KB

MD5
f82a563ced45dc6d7af4fdd4c72f0f9d

SHA1
7ea0b7874ca51a28da17801f452f69c14d1ecd1a

SHA256
1d5bb8df05d9d6ba7c53962d018949cbff43ce76b8aeda358d506f666aed611c

SHA512
4c77ccbd652b7e0279b4c8d61d739c15629c7af62399d3fd56797ad551a279ea77abed946ed4fda97ed396b4c93bc08699950f85518a2d3359f8b2cc579efb32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13370795769247947

Filesize
1KB

MD5
a55efc6af495661bc0e95c31ac62acb6

SHA1
bfe99371d356d9f6875d297f3b542ba8a8b282aa

SHA256
cc0b902c43b5fd472a77892caac985ee8ace66488da7d0bd53695f84f6075452

SHA512
462e1108b372386ae9615d17249ec4ed147abdbd0f7a326540c6a944ab4c0d0969a631d7e1b4cd0890f53ad68e2ea1e7a66d854c9337e5ac6de8438b733a1844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
6126f971a56894999b54d6657b9a0a2a

SHA1
28f877d4bfd16b968a372dfa24c619363f318b8d

SHA256
0f56dac69487f5fde37a3077e26ba3920904407131bdd7e20e4c60779c20754c

SHA512
e4bf3f67fe98690b41388488d3e01b76f892aaef555e236e0d26cd4d1d62ca481f0495e69f5936d6c6b255455d7448731145c175ff92c5ad15b0878e58f1bc07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
0ccec868edf947e4ee3b87d1632b8eee

SHA1
6fa4f33e0fe8e3ed543785e0822b71c37329bf37

SHA256
8ce7e2ef5fd1d1ac985cabb1273cbee0cf604f5d988a6b96abcc0a9600c20e7b

SHA512
74247afa5702b0a3f41e4989ba77a0b071e779fb23dd5f0280ac0a79abfed5b703cbcf4f285df51f4656bf14ddfe8a253e940e20f4c9136e1e9ec77791c5b282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
f76ad9b101a6dea033e526f97b264cfd

SHA1
52246394019c22479d2e30b43a3cda6c0195e98d

SHA256
811a859427825d02eaa8b16574814a8f5408e1149a747a514aa89a097f47cb8c

SHA512
66bcb3333bfedffb2fd7412f27e17fdb3c8282a744532bf3dbf910fd14809b6721de5b223238ea7406b1b591b4f65500ec03de23c760d1a0893b603c824281e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
043fde2efb1579c1f595e6120fa63097

SHA1
e7b8755e35dabbb7b49468c5325c06268ec7e0a0

SHA256
8dc4c6bccf018edbc3550d4edce566a3d5c6ba8abaee24de9283ef4ad666781b

SHA512
dbb7a51d956ddb90e7a87bfb288470e42b02d13a0cff4856f4b567828cef0643477333002d472e0d654fea2f8c4cc7fd25bf0e0259cc78e06deb1a7054013420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebAssistDatabase

Filesize
10KB

MD5
6b702b398c1c369b6d482a4498e801ea

SHA1
1858bd8f1314ce81c9a1a71e79b2f595a11b629c

SHA256
8642d2b1989a6b6a9cfbc97bbbd038b32681402c0bc4528bdd14d0e785575e34

SHA512
403650882c9d329716bcb03ad17b0540d1c7cb7b2a5a0568988f54d588f688eb88b50d486d7449750e2e5449fb613a1c2d5022157761cb0ad2d4aff7e585451b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
136B

MD5
63c4a4292fe8e866ae10e4dfc310e006

SHA1
488033dd978f82626f8159c3dbbbf0edad0e7e32

SHA256
6fc90d0c11a1d9b438973101be24ae9e5abd40337572d82f02a8fd1e0c2f6b99

SHA512
793b9686a2c4acfbb55f6717eadc59b05170a84b3f21cff2e7fda13302d76aeab0b57bc3a31166180a73a7d0e4d9dc84189ea47bfa346518a11a728ee3505719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
00828770ff5c924a1462757f866dbde4

SHA1
0df574491f47bf6c0879a052b58e823cb3afc1d7

SHA256
f9c85dc13b7248cd3e2087c84e224407c9dcbb4e2f9c26b49660ccbb97ea8ece

SHA512
28e5019367521ec92d58159287c900c673b9caffe2e9576ddaa364cf3278589963e58a732d6a9a74c63b7e7023727b3a2530f79d9ec309b96adef06a835fbcad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
2KB

MD5
bb0910eddbfe45510be2126c357bcda2

SHA1
688ef11c7abf34e8bb65cecca3ac0713cd07f5fb

SHA256
88592758f21a39fee90731332f56bfa14d3014944766190d43e44eb3cb24f474

SHA512
b9353be74f9d6336a436f7f9442a3161bc3d21a58ef79827b332c53aa7eceb48d2fb8528a6fa96ff2e1e9886ff20bd5c207dbf5972c177a08995664a2b66b27b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
d579a59838c98001453bd7e61a8c69e9

SHA1
dc65c3a5b1548fc641a1d765298811b814af22da

SHA256
33117378fd3a15b3c3a0e138bad8caf2ff94a06e4f45c7e911c02d609f3b5d39

SHA512
2eb044c0908420756b88645c844d8c33d8b928d1ac10fab666a47e0cf9737968999d6fa0f86a1e99ecd08abfcc482f142aaa9b18b6621f76798f43168a980e28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
20eadf8bf419c5160e2da0bdc7674455

SHA1
cd3bc6915e5acca439fb1e7bcc4056ecac22aadc

SHA256
b7d7cc80604aa74c6a2703cb0abae1959f9eaa6ff6bb9e04ccad88c9d994debd

SHA512
f9fc92c599e6c0c11886d82ad3ac24224cdc7f086b90d9327ce53b91a17a25eb17f28e4807c415d6aacbb1d5e1d12bf07cef541d89b8bc581f50195473ea3eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
974e7a4d1c4853e1c0e5b26014cf082f

SHA1
229c029d803707ee290edd807bbf4c34b334d100

SHA256
ceec01708a79919e9098c0ea5d5c10f55d422d97b665d783b81924e9c015d46a

SHA512
a74f8cfc10dc213016337cc0d1730314f437d1d2da326a372436516483bbe1e79bba8f7f7cf094037435168e89c0555cfe1fdec5b24b0df21047a3820ce15e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
5257ad2e5c13368cb9a57b40fcfc8660

SHA1
f4857418afe351eb39ad5500fb43c98c28ba9aa3

SHA256
dd3e7dc3ea68091f56fbf14a96364abbcf9fd35c9501661a2c6509ddcee823ae

SHA512
9d352609e9180b2093b974d75ecabe96c7d72734bd3b7826b701f2b1658f1c1c4eead55a2978afab6d9cf0ea7ba89eb671c2b0963222714d44afbd6f43dbb8a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
fe582904e42be538231d2779a8a065d7

SHA1
840c5a96a2017ce4cb903151bd48961ecadabf76

SHA256
8fb1a0dafcfa2a6a0f7550f3a2976bac11010dd7bd8b584d7f7dc9aaf6ef4107

SHA512
120a1514430ab547a32d1881edcd4ededd5091220ff002cab825084e0d4b99561ecd1c211ae9767538fa41b64af4fc19bccec25dc6b6c406bf20eea514ea8cac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
c0b7e08adcab2552ad4b93c43056c355

SHA1
6448fb4b4358c322a875e4707afeefeb1ba84d3e

SHA256
9b33764444994c2ee89dbcf141c7f0b63cc7e7dcbc431c7335ac2902ee5fcf91

SHA512
069768c0e745a4e82f224c3fc2979f2ceb9c99841b19e465ff3aa1606b2d5ae7a74f08f3d25de6ed542cf225efc78787b913010464a6fe2a07a0b8e67c274761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
01d93f4b69880e8f2a804759fd2478df

SHA1
b70b5e54b8cc03ad731c4e55942684c7bd29b1f1

SHA256
ffa05e743456ce17437650a02406f3ca7f00ad22eb60f257fb63e3f0c27451e4

SHA512
c1beaf02aa9385d586017bf5b54fba806d633ecae60393382164d67530603a2c32e78f34c99ad309d410d916d22b96fbca3b68b4a6f5a28cf02ad9a915602838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0adad0a176f7a2674ca0029bec5aed4b

SHA1
aabff9b30037f46c77a12d9762159f85f3e8f37e

SHA256
1958cb72e51d157017f6c1f6c71e2ba7695ce1174262e055f4a8f5797392dea1

SHA512
53aa4c53d0267e4059575fdb09a7fa4d72007c2fea231328dd852615d456ae79cf411350d51091fcb37a492bd2961207e171dcbee1a400fc9eada6cba65eafba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d7e2027ed6474dd75ece5dc5f7834b85

SHA1
65600721a0b028065b4d30a60ee7ee3e4323c8bb

SHA256
7d34a897455d528bc33093b5d325cfd8c27ae44ee27c321f9de243ccb5e3f024

SHA512
cbcce4e89a860eccdf4c484ee9dc4900198cc31254e85265594fff8e10091e46b5e0a9a24a46d9bf42d5fb0ec4e42d76d186f40742b8295ed18479faca77ff6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
ee069548c192a05dc2967c616f9a8274

SHA1
3d9c99ff5f27024fb72652c2d6267e8c9cd19984

SHA256
fa0d87c2b7d0bb888a416f806fa5942c576fecb5d457f43760fd91eaf1816617

SHA512
bb3eefc6f5c35f0492e9968eaf91c8d9ce0913704628debabc37fed586b3b15df0fd65b6e8505b9452d89cac90f420fbbd14924ce13d21266c401331713778e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
d4b3c65d48c1a77684b6476e82f160dd

SHA1
6a0aaeff458eebba24ce4132541ac993c154a0a3

SHA256
c8ee0a9b6738a4e8441ff82d400c93d5ed05a4c4f4aa526464892f0269ba990d

SHA512
248235b82841c749faefcf947163971896a9c44b9f8b7a75b90652d8e54ba68ab34ee4a527875977eeea48d19a14f6e9cce169d152e8067e8371ddd0a62d918f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCW4F.xml

Filesize
706B

MD5
762254940b12ad46775476e1e2efc858

SHA1
8f47f7e9390b23c5bda2ad3f409193235a8e064c

SHA256
e64fb955fed4ac85fedd3f80684b49108667af1af7201ce18a2004debc323947

SHA512
1a3e9ccfde0fdab5ef6a2a9a0fa874818d10fdce930c39657e4934b1ef089db847227e89a4934ab2288077bd0fc087ecfe2ccd385d138899e0a2302b2cf351a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilyfufgu.vl2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\SCRRR.zip

Filesize
1.4MB

MD5
5bc7c996416e34cb5d23221dede5cc97

SHA1
afe2c6c0863039c11d7b791a91c3c809e1ed9071

SHA256
a2d54cc2559b87841250b25a7b3f72cfe5a6ef5cbd3e720d2782c2f3253f44af

SHA512
34ae27539395c3fbf577be19f0fad383ca862e4d129ebadb2e637e8b5e56dfd96619833050ac2b93d22193c72a8694c621b99a00d32eedf7f57bad7f5ca3f373

Download Submit
C:\Windows\TEMP\SDIAG_35913230-974c-4beb-98c5-2a8d0c014622\TS_ProgramCompatibilityWizard.ps1

Filesize
16KB

MD5
925f0b68b4de450cabe825365a43a05b

SHA1
b6c57383a9bd732db7234d1bb34fd75d06e1fb72

SHA256
5b1be3f6c280acfe041735c2e7c9a245e806fd7f1bf6029489698b0376e85025

SHA512
012aadec4ed60b311f2b5374db3a2e409a0708272e6217049643bf33353ab49e4e144d60260b04e3ae29def8a4e1b8ada853a93972f703ca11b827febe7725af

Download Submit
C:\Windows\TEMP\SDIAG_35913230-974c-4beb-98c5-2a8d0c014622\en-US\CL_LocalizationData.psd1

Filesize
6KB

MD5
2c81a148f8e851ce008686f96e5bf911

SHA1
272289728564c9af2c2bd8974693a099beb354ad

SHA256
1a2381382671147f56cf137e749cb8a18f176a16793b2266a70154ee27971437

SHA512
409c2e953672b0399987ec85c7113c9154bc9d6ca87cf523485d9913bb0bf92a850638c84b8dc07a96b6366d406a094d32dc62dd76417c0d4e4ae86d8fcb8bbb

Download Submit
C:\Windows\Temp\SDIAG_35913230-974c-4beb-98c5-2a8d0c014622\DiagPackage.dll

Filesize
65KB

MD5
79134a74dd0f019af67d9498192f5652

SHA1
90235b521e92e600d189d75f7f733c4bda02c027

SHA256
9d6e3ed51893661dfe5a98557f5e7e255bbe223e3403a42aa44ea563098c947e

SHA512
1627d3abe3a54478c131f664f43c8e91dc5d2f2f7ddc049bc30dfa065eee329ed93edd73c9b93cf07bed997f43d58842333b3678e61aceac391fbe171d8461a3

Download Submit
C:\Windows\Temp\SDIAG_35913230-974c-4beb-98c5-2a8d0c014622\en-US\DiagPackage.dll.mui

Filesize
10KB

MD5
d7309f9b759ccb83b676420b4bde0182

SHA1
641ad24a420e2774a75168aaf1e990fca240e348

SHA256
51d06affd4db0e4b37d35d0e85b8209d5fab741904e8d03df1a27a0be102324f

SHA512
7284f2d48e1747bbc97a1dab91fb57ff659ed9a05b3fa78a7def733e809c15834c15912102f03a81019261431e9ed3c110fd96539c9628c55653e7ac21d8478d

Download Submit
memory/1940-470-0x00000202E17B0000-0x00000202E17D2000-memory.dmp

Filesize
136KB

Download
memory/1940-480-0x00000202E17A0000-0x00000202E17A8000-memory.dmp

Filesize
32KB

Download
memory/1940-498-0x00000202E1840000-0x00000202E1848000-memory.dmp

Filesize
32KB

Download
memory/1940-489-0x00000202E17E0000-0x00000202E17E8000-memory.dmp

Filesize
32KB

Download
memory/4240-123-0x00007FFB65A90000-0x00007FFB65AA0000-memory.dmp

Filesize
64KB

Download
memory/4240-122-0x00007FFB65A90000-0x00007FFB65AA0000-memory.dmp

Filesize
64KB

Download
memory/4240-127-0x00007FFB633D0000-0x00007FFB633E0000-memory.dmp

Filesize
64KB

Download
memory/4240-128-0x00007FFB633D0000-0x00007FFB633E0000-memory.dmp

Filesize
64KB

Download
memory/4240-158-0x00007FFB65A90000-0x00007FFB65AA0000-memory.dmp

Filesize
64KB

Download
memory/4240-126-0x00007FFB65A90000-0x00007FFB65AA0000-memory.dmp

Filesize
64KB

Download
memory/4240-124-0x00007FFB65A90000-0x00007FFB65AA0000-memory.dmp

Filesize
64KB

Download
memory/4240-125-0x00007FFB65A90000-0x00007FFB65AA0000-memory.dmp

Filesize
64KB

Download
memory/4240-159-0x00007FFB65A90000-0x00007FFB65AA0000-memory.dmp

Filesize
64KB

Download
memory/4240-161-0x00007FFB65A90000-0x00007FFB65AA0000-memory.dmp

Filesize
64KB

Download
memory/4240-160-0x00007FFB65A90000-0x00007FFB65AA0000-memory.dmp

Filesize
64KB

Download