formbook | e4bd5a51df8c1a437dda0ea6d067f61c897034f8e274e1cf1d1ffa5b931816c2

Resubmissions

04/10/2024, 13:00

241004-p8w92avgjp 10

04/10/2024, 12:56

241004-p6bwbayhqa 10

Analysis

max time kernel
102s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DF20230706CFW07L.exe
Size

1.1MB
MD5

41a8e104259af538bf7743d979f9fc32
SHA1

f69fc5cb7a6401e345a5570e9041ba180faeaad5
SHA256

e4bd5a51df8c1a437dda0ea6d067f61c897034f8e274e1cf1d1ffa5b931816c2
SHA512

1ea7c153b93f4b9607e3e046dcf0bd270b0bc769417287c8edd6f421590e41cd871492ae738947d8a3122a3185a8805eac738c0d80ee18b0aceef8b2ce3acff0
SSDEEP

12288:JLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QNJPiDGJE1kDHrtr7PDrfrxolemd6vNB:NfmMv6Ckr7Mny5QNJK6JWEL1TOleme

Score

10^/10

formbook e62s google microsoft discovery phishing rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

e62s

Decoy

ellinksa.shop

uckyspinph.xyz

owdark.net

arriage-therapy-72241.bond

w7ijko4rv4p97b.top

heirbuzzwords.buzz

aspart.shop

ctivemail5-kagoya-com.info

shacertification9.shop

zitcd65k3.buzz

llkosoi.info

ru8.info

rhgtrdjdjykyetrdjftd.buzz

yschoollist.kiwi

oftfolio.online

rograma-de-almacen-2.online

oudoarms.top

mwquas.xyz

orjagaucha.website

nlinechat-mh.online

Signatures

Detected google phishing page
phishing google
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/3220-3-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3220-6-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3508-25-0x00000000009B0000-0x00000000009DF000-memory.dmp	formbook

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3016 set thread context of 3220	3016	DF20230706CFW07L.exe	82
PID 3220 set thread context of 3448	3220	svchost.exe	56
PID 3508 set thread context of 3448	3508	ipconfig.exe	56

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DF20230706CFW07L.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3508	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3220	svchost.exe
3220	svchost.exe
3220	svchost.exe
3220	svchost.exe
2024	taskmgr.exe
2024	taskmgr.exe
3508	ipconfig.exe
3508	ipconfig.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
3508	ipconfig.exe
3508	ipconfig.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
3392	msedge.exe
3392	msedge.exe
3280	msedge.exe
3280	msedge.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3668	identity_helper.exe
3668	identity_helper.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe
3508	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3448	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3016	DF20230706CFW07L.exe
3220	svchost.exe
3220	svchost.exe
3220	svchost.exe
3508	ipconfig.exe
3508	ipconfig.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	3220	svchost.exe
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeDebugPrivilege	2024	taskmgr.exe
Token: SeSystemProfilePrivilege	2024	taskmgr.exe
Token: SeCreateGlobalPrivilege	2024	taskmgr.exe
Token: SeDebugPrivilege	3508	ipconfig.exe
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: 33	2024	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2024	taskmgr.exe
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: 33	5068	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5068	AUDIODG.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
3448	Explorer.EXE
3448	Explorer.EXE
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
3448	Explorer.EXE
3448	Explorer.EXE
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
2024	taskmgr.exe
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE
3448	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3220	3016	DF20230706CFW07L.exe	82
PID 3016 wrote to memory of 3220	3016	DF20230706CFW07L.exe	82
PID 3016 wrote to memory of 3220	3016	DF20230706CFW07L.exe	82
PID 3016 wrote to memory of 3220	3016	DF20230706CFW07L.exe	82
PID 3448 wrote to memory of 3508	3448	Explorer.EXE	83
PID 3448 wrote to memory of 3508	3448	Explorer.EXE	83
PID 3448 wrote to memory of 3508	3448	Explorer.EXE	83
PID 3448 wrote to memory of 2024	3448	Explorer.EXE	84
PID 3448 wrote to memory of 2024	3448	Explorer.EXE	84
PID 3508 wrote to memory of 1716	3508	ipconfig.exe	85
PID 3508 wrote to memory of 1716	3508	ipconfig.exe	85
PID 3508 wrote to memory of 1716	3508	ipconfig.exe	85
PID 3448 wrote to memory of 3280	3448	Explorer.EXE	94
PID 3448 wrote to memory of 3280	3448	Explorer.EXE	94
PID 3280 wrote to memory of 3940	3280	msedge.exe	96
PID 3280 wrote to memory of 3940	3280	msedge.exe	96
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 2772	3280	msedge.exe	97
PID 3280 wrote to memory of 3392	3280	msedge.exe	98
PID 3280 wrote to memory of 3392	3280	msedge.exe	98
PID 3280 wrote to memory of 2152	3280	msedge.exe	99
PID 3280 wrote to memory of 2152	3280	msedge.exe	99
PID 3280 wrote to memory of 2152	3280	msedge.exe	99
PID 3280 wrote to memory of 2152	3280	msedge.exe	99
PID 3280 wrote to memory of 2152	3280	msedge.exe	99
PID 3280 wrote to memory of 2152	3280	msedge.exe	99

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\DF20230706CFW07L.exe
  "C:\Users\Admin\AppData\Local\Temp\DF20230706CFW07L.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\DF20230706CFW07L.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3220
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa20fa46f8,0x7ffa20fa4708,0x7ffa20fa4718
    3⤵
    PID:3940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
    3⤵
    PID:2772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
    3⤵
    PID:2152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:2284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:4940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
    3⤵
    PID:4964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
    3⤵
    PID:4504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
    3⤵
    PID:1148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
    3⤵
    PID:2452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5052 /prefetch:8
    3⤵
    PID:4140
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
    3⤵
    PID:3044
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5644 /prefetch:8
    3⤵
    PID:1336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
    3⤵
    PID:828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
    3⤵
    PID:4528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
    3⤵
    PID:940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
    3⤵
    PID:4056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
    3⤵
    PID:2096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
    3⤵
    PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
    3⤵
    PID:4480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
    3⤵
    PID:2188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
    3⤵
    PID:3164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
    3⤵
    PID:2440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
    3⤵
    PID:2716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
    3⤵
    PID:5528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
    3⤵
    PID:5688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
    3⤵
    PID:2928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,4616899325570009880,1582755650279232803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
    3⤵
    PID:5684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x24c 0x2e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
fd3b1bbd5206869046e43202e65b696e

SHA1
0fc9d6c359f9849d2954d775b0e8e648532765fe

SHA256
4a8176b585670caba5f7ffebdc5a17181b531db92908ecdc5733aaa7e7e2bc92

SHA512
5802b4be59e87be315631516da9d353036927edfda71d6a4937a9eb984615136e317d8c181c8a3b590a33982499686ab476fd23820a68be23ba4ad1aa70fa73f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.office.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.office.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
899d4c297e77839fb2300edd2140c90c

SHA1
ace95c84761fc1f8ee9fa45fb5cf4f561bb73d31

SHA256
620e583d9cc86b729980e00b1e8d977ae091ae22be0ea1c5f27d5bcf47993d2d

SHA512
75bb69e56584c3613a67746cb72552aa66a22b05b09786993dd345f9db067719f572ac900f5ce30bcfdc89e94c25dfcd2b8bf28f45605b1a75580e912c7a6bc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
09310031ce8e70e9f4f73cc740a7c0e3

SHA1
c2e2c07b7ba043c32a54075fa96afb08c6a075c9

SHA256
430a4bcda3a825c442ad8430f0e446111efef248421ebde37567b4bbd91f6e58

SHA512
6c3b009eb0f033d5b353a1d9f175a5f25f4d2302d0acf48780f6687a955bb6ebe95f1e5669b94164449cff1d824595b5705a095dd8cb65851372e204701e6cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0cfc97435570dc4b6c4a25378e0fcf50

SHA1
5859c248ca15c58663605a7c97699da2a2dba0d9

SHA256
b3194331dfbc828b2eb1d1d8a9f7e0d2b58861efd88f5a12661f45706e6f07f8

SHA512
25f85b84c91eaa6758b0c523c0688129f234a3ce21614cc9f2a067a0161716647e66884f046cc43274cc20c1866342562b5cb66919b471b2cf7c87d414608e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6b8fdc2d1d65e4b40e6605fc08790a4e

SHA1
848cb43bda09122a6d6a57ad2d4beacb1055b7fa

SHA256
fc18ad01b928db4ae0e7a2a6d902b4d46d8a607528ee76cc3a10333162b8e15c

SHA512
76abd0af6d203c3e5074d23aa59f972a4b1ff5b27c89c8b3c1cfb6fd29fd4fdec43ce9f21b6ffe02cb89586b136645e063c0ca27e666a32f4bb958eabbf31095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6f50f52c9f47c0f029e87b1ab1ee4c4b

SHA1
6dc0ee2a4a8bd8511730ed8d1c319f721997e815

SHA256
bec800e7a78ad1369f54203f7056cc00ed01c0ea42ce6f6bdcb654350c3e1993

SHA512
15834869837fa4903760f4da33901699d573878e947fcfa66105865673b71536c9dff06e420aac4b49f0fc3886055326e2d2906bd979d8f6defcb1007fb27556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fad1db0c280233f6eba100f5f2f183ee

SHA1
72372e3d4f03af42f40549267f0a7702950d265c

SHA256
388661374efb13ca4f620549560b97f21d0deb2a0bf1aed886eaf2acaf96770e

SHA512
6d6b6d78283231445837e8e1e021c0b09b40ef255de8e79baffd69453a0f5dc2c74d9568278eba22cd047b225d4a75e0cc625e1621786d756328406c6a3b6430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\29eb5eacb05363703a494bbad16a2cdd1da1fb81\7ec33d21-ef0f-4c7d-a2f5-2c4da4344748\index-dir\the-real-index

Filesize
12KB

MD5
155a603e7d67893826ecc0e6e10428d2

SHA1
d17c72e2b8009fab511f8b7cb7952246e62497b7

SHA256
1df36fcad2ac73895db33d599b18af396ebb7e870f0c7bc79c04ad7956a083dd

SHA512
bbec1babdd92df3b321a059ec6fb99172c50a2b7d8766d33a9a5ac2adfee685e2d33fb5ab478f46423ff8e524883c9a44fd4e1a82b852c9852973eb82e8539f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\29eb5eacb05363703a494bbad16a2cdd1da1fb81\7ec33d21-ef0f-4c7d-a2f5-2c4da4344748\index-dir\the-real-index~RFe58ad81.TMP

Filesize
48B

MD5
004182acb913adef87adc8a02c94a7e8

SHA1
2c9e92e43382cf0bfe083dd8e163fc5903e487f3

SHA256
8e2d533ce57b6077ce76e6ef4e4e75a05fd66c62809b6ec92eb37cada211ae64

SHA512
68603560a8262a8f7c9b31f5e770b9ac09c7cb6bbf27fb59d26f6ede449318eb89f47ed0642a3a8385157596d24df617dc17422dcfdfff0c47f7d7ebd907fc92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\29eb5eacb05363703a494bbad16a2cdd1da1fb81\index.txt

Filesize
235B

MD5
5cb0f8aca69a0f1144706cbf1ed0a636

SHA1
a280659f44cbcd77cbe690dbe09d122357718316

SHA256
2edefbaf79e8a26fba6c80a9a8ff919fde1c2b5e6ec70a0395d54148abffbb17

SHA512
c220fedb70c154e37997f9b730fad20b6c6104a31c8100c23b6cc6f3cc9fa575e61f6214b658b9e2f97d1ca10a18e1aa616fe4dcee5624182f4f2ef4c79e163d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\29eb5eacb05363703a494bbad16a2cdd1da1fb81\index.txt

Filesize
231B

MD5
581b30f7bf859004914590889c9644c3

SHA1
d55a40e2c47e555b60e7b981503d6180b3924216

SHA256
7b86777f64eee8078aab01b02d8837dab9b7a2b57fb0e74552d4f89fca7c68b1

SHA512
d202c059cb50354b7c25ce5ebe138448d0f40f824ec39af9e890003b0cf3f59c87558f1104fd56f72eaf7d1f3b178611351859a8152cb6d024cfa37e0701b145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
240B

MD5
0322cde83e82ce484d1e3ba086ed149f

SHA1
5ff2c5f31bfd1607cfa5ac47388c8c42fd911fd6

SHA256
79c594bacf168abf9b4c7e1251411578ee1f219e4685a47893ef7515de6efa4b

SHA512
528cf51dc04f21ec31bd20c6764b7332c260d0529991fd2fba728c86606ad6426a79fe82c12c5b01299f2aeec15ffd9d3fffed6c5c45b22d74c920ee88d179a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58ad91.TMP

Filesize
48B

MD5
d233b5fb7d8a4b9dccb165bafd21eea0

SHA1
08df76b1cd0ff33519299609fa7a972afc6d728b

SHA256
98c2fda3a7823ce6c037e6d91d604e0bd62622bfda2755f3aa3aad0788e6d1fb

SHA512
be88c2172c5f6504f1d06b2b92725a23ce3bc6077ec5b8674caa31478fe5250d37a87d84d7e7cb21cee04b237dd89f95f3eb0243a611275473af267cdd130fcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e94d6c688b10e7533a63f16ce2abc94a

SHA1
df4ecc3fd237a9a6a1b34f2d14c3e2479028f7ab

SHA256
649248c829fab5c811636fbb67150efa04ac69ff59b1503e54aa9dc095e7a308

SHA512
296ad7c39c231fb4a44e6b955f51f7ef3e16e4db5e99d312e4bc2faf7398325839bb7a0d1b40cfb768bd97ef65842b5369f18fd4810ed6cfb91bc1617be67a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3b8173b3e24989c2ab54e483913ba940

SHA1
dc08ceff13c4a6f6e565d5100fc73ad4ea681abe

SHA256
1771e811bc1d713db8b7ebfffe99ed263d5ab9a991473d614d94bdb7dd1b65e2

SHA512
5856b1cfb50cd89e42710a006468d3d7ded012e6b83e96425aa84b0e222dfdb073e6f1e8cc3b253bab54927008586ef123514213d51c79a8bc34e4d270c533b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f16ee7097fb9cf50003fdb4153bae848

SHA1
04f881b040cb94c03e8db94a918de8e2824865f6

SHA256
ff0422bbefff10ae3bd08791dd62af58c6463c3f3d9a7f1cafea0c90b3393938

SHA512
99f3eaa027a5e505e6f1d4b76a9d104970199a4f8c23f855baf6478e4ecc56d8839d692cbd31045c2ec593405742f43920b55dcdb55ecde4823fa19aa1180adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
07a4a2c8f16e417f604de0538d921879

SHA1
6f1a3ad3c9d875d73d5e2f89dcd7da2559ef9243

SHA256
0c1b800e1b840c72e51892e91869c292a44069cdb723145780a8d54bae8e0641

SHA512
427b7ef040a2ad0320a7c717c1195f78c886bedbcb8d60573a7b6383914eac1902f8fb61e4916267ebf1b016ed140f63319f9ed8de80a546bf26ce6f886c4683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584282.TMP

Filesize
1KB

MD5
5661a77c6313981e90f15dd5950ddf6c

SHA1
2fac149a514d4919e2a22ff9cf4807af1890d75e

SHA256
c9555e716ff560e845d68e6d38d7b899961adfad357b750dc474ba4fa2ee0bc8

SHA512
184f31335a04182508e95db1c1ed236576633e10ac13cb20df8d11348a8cc590716c2b2fa42db4949d9e7b2c7faa2c0027d2f618b915d111200c7f5c4033e4f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
21abe1b8acff482e34e172d5efb2f12b

SHA1
32da6e7f75a3431a93216d6adff6549bfd86967c

SHA256
fc109b46d6b14f126049519b239477f0b1a0d65b91ff789d24e937a078624785

SHA512
36d4c15d0987c5a47e653b9829a2142c566e7382170be301b3e9d5501e657f89dd0174dc7b0d3425c482eba83225d551ecd103c08894c4ea721e75bf9f1188f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2dbd324615cdd0766c71de2f709c39e2

SHA1
ae81711dbefce88af7a8480f4e8e0d4781d0c5ae

SHA256
c34e0b27f36e6cb41cbfca04b9374041577c5431eb5e6112f1052de77f18b252

SHA512
d92d771403e9432deb404942093f1425b54018e59a371293d13228032a4bd43af72e69afd3f8c4030f504827b747607255e243aa0e70ce4184ba07f509517d54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2024-23-0x0000027894C10000-0x0000027894C11000-memory.dmp

Filesize
4KB

Download
memory/2024-18-0x0000027894C10000-0x0000027894C11000-memory.dmp

Filesize
4KB

Download
memory/2024-21-0x0000027894C10000-0x0000027894C11000-memory.dmp

Filesize
4KB

Download
memory/2024-19-0x0000027894C10000-0x0000027894C11000-memory.dmp

Filesize
4KB

Download
memory/2024-14-0x0000027894C10000-0x0000027894C11000-memory.dmp

Filesize
4KB

Download
memory/2024-22-0x0000027894C10000-0x0000027894C11000-memory.dmp

Filesize
4KB

Download
memory/2024-20-0x0000027894C10000-0x0000027894C11000-memory.dmp

Filesize
4KB

Download
memory/2024-24-0x0000027894C10000-0x0000027894C11000-memory.dmp

Filesize
4KB

Download
memory/2024-12-0x0000027894C10000-0x0000027894C11000-memory.dmp

Filesize
4KB

Download
memory/2024-13-0x0000027894C10000-0x0000027894C11000-memory.dmp

Filesize
4KB

Download
memory/3016-2-0x0000000003FE0000-0x00000000041E0000-memory.dmp

Filesize
2.0MB

Download
memory/3220-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3220-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3220-4-0x0000000001600000-0x000000000194A000-memory.dmp

Filesize
3.3MB

Download
memory/3220-7-0x0000000000FC0000-0x0000000000FD5000-memory.dmp

Filesize
84KB

Download
memory/3448-26-0x0000000002C90000-0x0000000002E3A000-memory.dmp

Filesize
1.7MB

Download
memory/3448-8-0x0000000002C90000-0x0000000002E3A000-memory.dmp

Filesize
1.7MB

Download
memory/3448-45-0x0000000008B70000-0x0000000008CC0000-memory.dmp

Filesize
1.3MB

Download
memory/3508-10-0x0000000000480000-0x000000000048B000-memory.dmp

Filesize
44KB

Download
memory/3508-25-0x00000000009B0000-0x00000000009DF000-memory.dmp

Filesize
188KB

Download
memory/3508-11-0x0000000000480000-0x000000000048B000-memory.dmp

Filesize
44KB

Download