hxxps://drive[.]google[.]com/uc?id=1OiHzSjSy1M4WQt3nvWAHlvT-pO-sSSxK&export=downZOOM7

Analysis

max time kernel
299s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2024 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1OiHzSjSy1M4WQt3nvWAHlvT-pO-sSSxK&export=downZOOM7

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
9	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 59 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000f9e9b8759918db01def0bc949f18db0182583322ef22db0114000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4176	msedge.exe
4176	msedge.exe
4400	msedge.exe
4400	msedge.exe
3924	msedge.exe
3924	msedge.exe
604	identity_helper.exe
604	identity_helper.exe
6072	msedge.exe
6072	msedge.exe
4240	msedge.exe
4240	msedge.exe
5112	powershell.exe
5112	powershell.exe
5112	powershell.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5400	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	powershell.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
5400	OpenWith.exe
4240	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 1396	4400	msedge.exe	86
PID 4400 wrote to memory of 1396	4400	msedge.exe	86
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 3140	4400	msedge.exe	87
PID 4400 wrote to memory of 4176	4400	msedge.exe	88
PID 4400 wrote to memory of 4176	4400	msedge.exe	88
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89
PID 4400 wrote to memory of 4248	4400	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?id=1OiHzSjSy1M4WQt3nvWAHlvT-pO-sSSxK&export=downZOOM7
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe67f346f8,0x7ffe67f34708,0x7ffe67f34718
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6784 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7004 /prefetch:8
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6728 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,10722841561982167795,10539113681541619415,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4768 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\FACTURA GRUPO ZOOM.HTML
1⤵
PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe67f346f8,0x7ffe67f34708,0x7ffe67f34718
  2⤵
  PID:5604

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5400
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\FACTURACION ENCOMINEDA_000145.REV
  2⤵
  PID:5524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
215KB

MD5
0e3d96124ecfd1e2818dfd4d5f21352a

SHA1
098b1aa4b26d3c77d24dc2ffd335d2f3a7aeb5d7

SHA256
eef545efdb498b725fbabeedd5b80cec3c60357df9bc2943cfd7c8d5ae061dcc

SHA512
c02d65d901e26d0ed28600fa739f1aa42184e00b4e9919f1e4e9623fe9d07a2e2c35b0215d4f101afc1e32fc101a200ca4244eb1d9ca846065d387144451331c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
29a1214697ed77f556d30dd034652d73

SHA1
dc8a0bf4d1dd603f929549640832d0e6d5af5670

SHA256
da1afbd9e742950186acda7ee0c795aae17dbff24cca4f5a36dc1e98aad1b7a0

SHA512
27f96c37876438652cf8301b463d9270f188f1548ba670b87ce25a13f662d58fb8f3da927ca380c12d1d2a258f0a8277a097bdd92588e5cb4367e27f92d88b05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8a8ddc12e61123892bc3d26d250ce4e8

SHA1
e54c2ee12e465f126d0d7212dbc39c39d5d5779c

SHA256
a272a509126e5313c4b1683ea65d3a80a3b21cae12b11c1ef32c2f15e2de6059

SHA512
e5ecc61c186694288742f6608f1e1ccb71bda6ff365f35cc22e9366f6571bdf6fabc9f89e7db991115ac75a3800deb6e6dd738eb349c1e6baeca7d187e619c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bc7c49eedb61502e1c12f4dd59cbcecd

SHA1
3bb675d5a9ef19de9fd0dbf292047144ca06e8c8

SHA256
9c75211c286f5199ace32bc0273596a281cea264e531c10d00663305b8d0bc9d

SHA512
a0b59e1597f15c120ca332411f29ffd93909d6a4401808c43f761a41a433670ed68a02ab7bfc95d8bdd1e6634e247312efd850c7187a73821e6d2f85edde5f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a0ce89de8714c21bf4252f7c98f094e8

SHA1
95994255c4ad2ea700352f387a13013a91cefca8

SHA256
9f9c241a3f489bd5483f36d96060c41ab800d60cd9180ed0126f864f13750a3d

SHA512
cc79e5214a6eb718d2dad9222060c796baefa281565b48d631c7b4909e63e2d023c3d5740d96608efacf1c6e40e9cb1a80c7194726fcf187805f155e46728848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d03b92eaca127c73c0a0dc35e65c7988

SHA1
7cb2bb9d36cb2627cfe9946435a066366b3037f1

SHA256
1aa23cf640f4516ec3e615bf9798ad22b4a3117221a1e0084cacc94b72bbcb57

SHA512
1fc7e171ed096edf5b3f583241d07b5ac1f80d81b494766d2fd214e73935fa5bbf7ca2ffe00d1387096e40a5646d58a8401ce1526c12ea5e0fda401ace68582e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
50fc5cc6275e1d75cc1e5319a26f7f2d

SHA1
6f65009f738f037880d84a8cab4e2fb87af8e1df

SHA256
5755e77f7ff56da0c22a605358be247d4f5a6f2dc4b4f6424ebb27bd6ba84cd5

SHA512
99625fca6169a77072e6874cf2bdec1342d797c428167bb8713a7661a9d4211c4277fb2386bc4ea44b2e4d0fca54e3d968e365e8ce61bccb96f93e9234061f2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
596b1f071a183b98732293dc655fedfe

SHA1
5a5d39bfb47da3c224eec723ce1273a2c23e86d4

SHA256
311c81612e11b5e869cea13927e1bb7c5c20efd3f66cd99a7a743155e11d8dee

SHA512
2dfea35a826abac9bd24bbfefbd04a6f0ee7febae217f11e573340e6b1eb91f8f75496126b805abb0513ad22c882a63b10de1a19aab7c7430278b4137823a021

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
4b144b730b3a4b6c1e4b5281dc3a283a

SHA1
88fa2bba2f7f7bd2e529babdae547e0f4e8d00d4

SHA256
8e067607f0ad2e81153fc2339c775e7e584ddbf4bbc642c0f47563b8b0b19753

SHA512
c622e28b12af8dbaba7767a1679ff08bfa8da89fbcf723623d49dc73d7216c97f0f94678daaddb5a80fc7246d97a2b80ee47a9278747a539f20b8c93a7e9a450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2dc532721ba132a0ff431e26eda7f113

SHA1
cce45109d0c81da403e5b5c30541571d4ca6e5ed

SHA256
ec3937b865d493370ac1b4bfc418375c794ac7ce3f119b761b90ba155bb5c417

SHA512
f377db66b4e0246458ea86ae5c25d41cbed810a7018386aa131970d18d8103de32313089b82279597b66845f017cdedfc0f6ca3004943237f361ae69edcb7373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
90ab0e09f002d1038b9601592af8fbcc

SHA1
ca90583a47d5b67babe1933bc13e162150dc7f3f

SHA256
4d695663df4867c733cde7c246dfe84818db570be3d99007258f5882180dcd55

SHA512
4b82af996e32ea801c161f1b880d11ee24f1f240bf98d9c1dd32c9d4124e093692b02141e4f44fe7cfeb318ec95e87bc54f91a4ccab5265a170047ba754a8ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d3eecb06aac7e777630fac90f4131117

SHA1
e456e011e19b5663b0c8835e074069d93a790c67

SHA256
c78b109e78fc0c786c9ec9354e380537632ca763fc6c07a0bebc6ebbf68f3ccb

SHA512
b3b6f4adb79a454dcf64391dff453a5342a5420920524fa25e58d00dc04f376d67e3e7d96e96353674881ffa8c6b7cde5b6f5f93abaf619df32bb54e55c268e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b8d9771ff69eda0cf54cb396e4c93613

SHA1
bdbb113b53d293c619dc4a3108fa09f00586a076

SHA256
1b49daeab61df7b349201ad1f0cf20da0db9887e54698bbff5f248b3b89510a9

SHA512
0c7fc1d56f92de3996dd65596e432669dfee969b0f8ec52f525d51c7204fb59e2223a94d323efc1c8d7ce75232b7386de4d9824b7d6dbcd2b8532cfb0956a35a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58bd40.TMP

Filesize
48B

MD5
0351f013c072982039b0b1edfe898e95

SHA1
8926b102dafb5e108673575cf51a380046bdb9db

SHA256
0c9905ab88869f507be430876dd2e06b16e0435816d68950b7fefe52497ac534

SHA512
a0a8c8112afd28b2ee3305bb8f2280fa4dc5e53fd41117788037bf388a1440d2d87d35f3276c84978488404cd770602539155ab0b6d957a5f26c75ffee6e214b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
309d785d3fc62c6b503fd6ea165edd03

SHA1
f09491b97eeef4130c25d67166bf62f0f655e75b

SHA256
e64a4b4571511bdff1abe9d4280fdbedcc08110ae66a58bddfb787ae357cbd90

SHA512
519ab6be76bc521a70b6788cbfc9bb8432ca4682ea2f6bb89bc44e07568e0ecf158106dcc0b7b8a5c251a1b98ce1c6c0e7b00bcb2c8684ce1078af08c9646317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58848d.TMP

Filesize
204B

MD5
a5cb116262358125544edf125b568698

SHA1
d8c318b370c6a700ad5d49461f8057609ac843de

SHA256
e46b53ac972a16b4af9735e62a34e2081e8c463e6be0070e0552dc1a3fac77ce

SHA512
9a8a969334eeb694a8a0d6452576facaece575a71eefbe39839c730c4e88f00f7e47e9b5ddc2ff2630043f72ae86d006ea11f161f987be864e8ff06011a52677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0de35b7ffa06fa5b3be42873e95b5525

SHA1
466c4f2eafdc67b531333ae1576e4a6a2e80c490

SHA256
284b07fde7b4145c81a8cfc8902adee389112d2240fb6028cbb50275ad0a7046

SHA512
84af29a04174efcead77a74ba14841aed2fdefde7b2fa7cfabb0d209d10d0e46c0208723da861452363283dbb77872449772cc8fecaf95819a247bd7cd5086b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cf07edee52a7916bdd70dca771974914

SHA1
1c450940b4bab18e9829599557c37fe6a2ed5dae

SHA256
81604894e52c32b5499397a504e1a0184e45198968589020c3ae781fa0b752b2

SHA512
603c499d25e2e9e0b85915bf5b176bb050cd5f05ad2d60df7002b0188ebe7b95f0e904d1590f6044000d14478d02a4201e2088bf641f0a1975ceccd1ca784c95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
992bf178396ca0fda551f010f3cedaa5

SHA1
402d45601103e756718d240d524bef4ef6109114

SHA256
e3843c5b9780346f34c2e9433896b89e15d21a747609391733ec7d182d58cbb5

SHA512
bcc7c176de1e5dac06834d3ad7fd53f982529b34ecff2665b85f506db600ee23ca245d5ed0a9a610143f2538e77cfe26fb0b1627387d796f7c3456d73792af87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
42183345e86eb4230cd66c9d20291684

SHA1
87b68a301562a4fce5d477103258be47a30b192a

SHA256
ad40a71ba96e10bf677d9e75feabf2b3c7bf1f90626d34781a5760d9cc186bcc

SHA512
c6c597e880ec1a9de705d5eed0ce110bfe01e153640012144a52feaada163ff71830c5c1c3907077ef8639705e08ba5e3678a3adbc1f7db15bea6b0dd775eeab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hvxcjb0h.0fp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 223899.crdownload

Filesize
18.5MB

MD5
9b6be10aebb103991a954a6c56cdfdc0

SHA1
45173f9032650c0c8d0ef1322d643c8e074eb094

SHA256
5b0db6469e61be29091fb2d7c35c2bbaa1f89fd3e08b88b564ff597ae7367f96

SHA512
943e8a90f0fac9318ebb560be013557b60e98de3b9a856030eb342ccc507e5d03204e2c06faa00b4ce62964ac3cbf4f21b8e604897389cbca6d39f6fa8a1ae7a

Download Submit
memory/5112-407-0x000001F84F090000-0x000001F84F106000-memory.dmp

Filesize
472KB

Download
memory/5112-406-0x000001F84EFC0000-0x000001F84F004000-memory.dmp

Filesize
272KB

Download
memory/5112-400-0x000001F84EAE0000-0x000001F84EB02000-memory.dmp

Filesize
136KB

Download