hxxps://drive[.]google[.]com/file/d/1M4fFTHnaB3l9KzrWPLbjafN4z4V-KmOz/view

Analysis

max time kernel
42s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 15:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1M4fFTHnaB3l9KzrWPLbjafN4z4V-KmOz/view

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
15	drive.google.com
17	drive.google.com
18	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4784	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1172	msedge.exe
1172	msedge.exe
3596	msedge.exe
3596	msedge.exe
3044	identity_helper.exe
3044	identity_helper.exe
5064	msedge.exe
5064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
4784	POWERPNT.EXE
4784	POWERPNT.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4784	POWERPNT.EXE
4784	POWERPNT.EXE
4784	POWERPNT.EXE
4784	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 396	3596	msedge.exe	84
PID 3596 wrote to memory of 396	3596	msedge.exe	84
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 2004	3596	msedge.exe	85
PID 3596 wrote to memory of 1172	3596	msedge.exe	86
PID 3596 wrote to memory of 1172	3596	msedge.exe	86
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87
PID 3596 wrote to memory of 1696	3596	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1M4fFTHnaB3l9KzrWPLbjafN4z4V-KmOz/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff84a846f8,0x7fff84a84708,0x7fff84a84718
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,16430091270739778957,15340374985923034818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\Planets.pptx" /ou ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4784
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\Planets.pptx" /ou ""
  2⤵
  PID:1472
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\Planets.pptx" /ou ""
  2⤵
  PID:5144
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Downloads\Planets.pptx" /ou ""
  2⤵
  PID:5288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\8cfcc830-f76b-4da6-9dbf-2adc07f1a618.tmp

Filesize
10KB

MD5
9787e99b1b814d4ca090bcdcb9970178

SHA1
232f9a1f671e101578e9572fe8a3c74e7b693209

SHA256
ae5ffba725824b6a2bdf456873600edae661e778374525fcdf1c19576de416a8

SHA512
74877587d3d56898ecf4be527da00bb110c60b0a729b34c1ce4b9dcbd17d68b2b729509a207d5c1c607ec8f993b81566acd17d541117b6872c506988dbb9b2dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
48d41c40a5a32eca09207319d67f288b

SHA1
81beac90c70a529a6e26a8f5b1e6205bb7da72ec

SHA256
c8abbc2efacb0668bb9d8348f3010615ea012875757b25486554af67842ffd42

SHA512
963f6bdf74ce152f2596138a3f61769ce9402fa97066cdef9014bd28effd8ec409e8192ed106df99d83ce427e253e9b3aa0fd53ac1ff039467aa4f296c502fbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3f060eefc38924c6c063b945a04b1254

SHA1
bbd18d91c76aa77e93b4bf7d323da8a290cda04a

SHA256
d8a50523fcc2952de9bbfa0d63ea58999003c177da4323f56c782de2d06af784

SHA512
363a0f4b4a4549943b1539c01f658549c31975b682e77bc531c97b5975e7d1920caafebb66cced77f71d290672c10e33630532f6aae704c8a87b4527c4169f56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7eef60de1089d1c70e23917af26872ee

SHA1
e3594c1595ebad6bb7f034aa5bbe6f539b246cca

SHA256
064a870523d7704b439a4e1ef38706a4ca1e6a62bf3d6b30a675c951b3fa44ee

SHA512
2ca49e2d5eb9bf9eb9d338a0f0fc048b0f4b3fc345440df9a7ccf7a908b61d37db05022e5554b42c33fa3e5bd25534b66aa8ac9498d9073c63bcb09a399c56ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7864964055fcf0cef83689725e7e3d3d

SHA1
35e2a33673bf0635dd6b9b386ee2204921bea031

SHA256
aa2e1823b2e55736c61e5b423e058e901d8310ef97a224a15788ba7e8764affa

SHA512
84f2e5068c509dec979362b88d94ff6d1f8ae06eb79b93f4ae1ecbb8fa1f924698cf9bad950e5a476291572a9ab98af10c1efbab1a4bdc3c121ab09086e6e62f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
396e94339c51affbf7072b996b95f65e

SHA1
4ea1e0bbd423fba17ce52a0e700b8d69be7419c8

SHA256
bd5fe41b1c7394e8f21c3515725eb3377fa0f532c412b5e6da30dfbbb81415e1

SHA512
a2231367fc4deccb5bda6dff0c3beb954c14c1c66475283741548d709665315bf59861bd01ef701cba0cbe08ac6c9d4081dc5c203454def0a3a6e23603782ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58243c.TMP

Filesize
707B

MD5
00d976cbf290064dc8c7a9cd98fc4e3c

SHA1
f0a84eebaed6a2175ed21a8f9a8427e487f2c44e

SHA256
ae0b5aca8ea6a534f78dd035ba9a85b583ed21b90fff776c02c1eaaf65b0cdb1

SHA512
8f6dff038bbd91abeeac41d9d6f1185679135ed160935715a2a71683ee2384d21183dbf385c17f1b85768a839ac68a25faf46cedbcc770944cf33bca1f624a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
81ac1ae12eb553146e7e19c9b77a719c

SHA1
62a4c54ff79408fa60959f2f87216e1fb6ce6df8

SHA256
3eea5c92107a6428ed7b8542a590d13ced4a433a25928dc6a31c98327f0e5a72

SHA512
d62745794855dfb0ca48b73ebded05c433c0630e3379c2618c860c74e20776ecfe3aaf09ffac0a3ac009ecb67e3b6ee80c0c611efb87f0f65a7dd17072662fa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
6a828395d4c3c687afee5f830bfc5d6f

SHA1
f1ab16ad45383f3e65798a5da853eb6097673000

SHA256
ddb4afb5c5747868ac6272012e672db21f02185b14e8a4a5ab9fb9e09ae818fd

SHA512
9f80f8dfe3fa4290f82b44d63f06e5485181bdf7e10c8df435314aefe851599ff3328a0d07846c9ccc67765d859b3433dfd687c868d1b65ad9468097238b4a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\5C019EC.tmp

Filesize
77B

MD5
429cb79d6d9733c4f50090dbc52cf9a9

SHA1
1da5e142755689df2b6808ed291dd49d603bc93e

SHA256
84f0aea40b99cfe88a57f1a1f19ff2ec0a84eaf04e146706b93faf83f7c1fb01

SHA512
5663446bdd39b6cff2be45784885fe3d4e0209c761e98702842c4dded59805ff02b9bf4d6d4ed05ce35dcfc8188cdc78d73e76cfd563c8d7ea5f8cc8512c1844

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
409B

MD5
5f8e50401be78b809c027eff2c0ac79a

SHA1
b4fe86846fe2cd30097852cb7c250394bca46879

SHA256
8f5a461b3b54dbfae84eee3f2003364c33d620a56802804ff6e96d7096f05624

SHA512
bd3b00206dd6e6659fff2a5a92dd7a7d68ba5d1fe8bd46160fabf8266ed6111f472dc59533ab0f31ba3afec0479bdf739500a20692a7a7614f34ec8f228e7a9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d00655d2aa12ff6d.customDestinations-ms

Filesize
669B

MD5
c43a71571ea739c1641b577152126403

SHA1
d082d9102e0626cc1b08ec7c6d408443302b4fee

SHA256
f034450d87a88c18b05d923b069a0109ab07c6131ee47433cb78b8735c92b111

SHA512
2025aab2eaa0514fe0982d3a90f16264ffdc7517fd39902907bccff22d106f4c2014cf7d8331e0f6ba590ae8e97e80a0a11b69b6914219b09c83c31bc2bbbaef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d00655d2aa12ff6d.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
memory/1472-148-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download
memory/1472-149-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download
memory/1472-150-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download
memory/1472-151-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download
memory/4784-130-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download
memory/4784-136-0x00007FFF52050000-0x00007FFF52060000-memory.dmp

Filesize
64KB

Download
memory/4784-135-0x00007FFF52050000-0x00007FFF52060000-memory.dmp

Filesize
64KB

Download
memory/4784-134-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download
memory/4784-133-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download
memory/4784-132-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download
memory/4784-131-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

Filesize
64KB

Download