910716461ccde7774e637f214bc1de262dce0c371751a585ed1dcf84ee748faf

Analysis

max time kernel
300s
max time network
293s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
23-10-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cxapis.dll
Size

10KB
MD5

4ae4a4a268ccd36acffa1674ebbf910e
SHA1

b3737ff0d2296a6e5b652af1a4a519f2b336295b
SHA256

910716461ccde7774e637f214bc1de262dce0c371751a585ed1dcf84ee748faf
SHA512

5c80f85cdeb634be6986131c974b7a400a6cbac4b33e0a9c0523b679df2fea821322d32c8cb1870d6ad07bb5d1e9c35123cd89724de1a6b359b252ecced567be
SSDEEP

192:UL7yBcpRmejh/vFDXtLwZgCw5c4uvFMURQDWVVUF6:UHyBcpRjjh/NtLwZJwNsMUV46

Score

8^/10

defense_evasion discovery upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

winrar-x64-701.exewinrar-x64-701.exewinrar-x64-701.exe

pid process

4168 winrar-x64-701.exe
4588 winrar-x64-701.exe
2856 winrar-x64-701.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

39 drive.google.com
34 drive.google.com
38 drive.google.com

flow	ioc
39	drive.google.com
34	drive.google.com
38	drive.google.com

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 124482.crdownload	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 5 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 124482.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WinXP Horror Edition.7z:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 227759.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
3504	msedge.exe
3504	msedge.exe
4820	msedge.exe
4820	msedge.exe
4024	msedge.exe
4024	msedge.exe
2616	identity_helper.exe
2616	identity_helper.exe
764	msedge.exe
764	msedge.exe
4408	msedge.exe
4408	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
3108	msedge.exe
436	msedge.exe
436	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

Processes:

msedge.exe

pid	process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

msedge.exe

pid	process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

winrar-x64-701.exewinrar-x64-701.exewinrar-x64-701.exe

pid	process
4168	winrar-x64-701.exe
4168	winrar-x64-701.exe
4168	winrar-x64-701.exe
4588	winrar-x64-701.exe
4588	winrar-x64-701.exe
4588	winrar-x64-701.exe
2856	winrar-x64-701.exe
2856	winrar-x64-701.exe
2856	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4820 wrote to memory of 3480	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3480	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 4696	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3504	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3504	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe
PID 4820 wrote to memory of 3484	4820	msedge.exe	msedge.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cxapis.dll,#1
1⤵
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdd9173cb8,0x7ffdd9173cc8,0x7ffdd9173cd8
2⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
2⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
2⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
2⤵
PID:1124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
2⤵
PID:2516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
2⤵
PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
2⤵
PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
2⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
2⤵
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
2⤵
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
2⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6052 /prefetch:8
2⤵
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
2⤵
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
2⤵
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
2⤵
PID:2584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
2⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
2⤵
PID:2712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
2⤵
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
2⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
2⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
2⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
2⤵
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
2⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
2⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6148 /prefetch:8
2⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7412 /prefetch:8
2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4408

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
2⤵
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6488 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8048 /prefetch:1
2⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6960 /prefetch:8
2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6828 /prefetch:8
2⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7736 /prefetch:1
2⤵
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7904 /prefetch:1
2⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,9101002824858626283,11788208882705774823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7876 /prefetch:1
2⤵
PID:1904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:228

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x000000000000047C
1⤵
PID:2700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:972

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\ed5ed0658aea4b39a07cba51fa65e837 /t 3084 /p 4168
1⤵
PID:552

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2856

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\faf4ff53cd6f4f39bf88a75c7fda24f5 /t 4636 /p 2856
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
2858579ad88ce0ac41fe7cb86d0b64a6

SHA1
607e133c6168bf97018adc994a67436058982170

SHA256
bc9fd3c75959a703df4c6435fae6f671bc8a2a48c7991a7b2e20a1c86a640691

SHA512
e719b991027670ccc95551dc77cce2204d31b336b39bb1ee0cc77700b83e2bba057836a847a8d990cd0a528b653e59dfc3fc3a08ac7722bc4585e6b07fb97e05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
fb2f02c107cee2b4f2286d528d23b94e

SHA1
d76d6b684b7cfbe340e61734a7c197cc672b1af3

SHA256
925dd883d5a2eb44cf1f75e8d71346b98f14c4412a0ea0c350672384a0e83e7a

SHA512
be51d371b79f4cc1f860706207d5978d18660bf1dc0ca6706d43ca0375843ec924aa4a8ed44867661a77e3ec85e278c559ab6f6946cba4f43daf3854b838bb82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
27KB

MD5
7153c0e56f2bd0b9d61cbe3c697e3bf1

SHA1
59c1a4ba00584dd66c94113e7d38b8fec194da14

SHA256
ecf4f22780a8de18840ba98100130e64734d0406893841ac7361a3d73903a2ae

SHA512
33a20aa2217b42b59bda70bde70681fb75c0e615c651a799849b71afa276114e77e15087f97b2db231e2dc66cd842f367355fb268f74714de51ff15d2112a37d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
8ea9adab2edbfb535c9dd7c9a5fffbd0

SHA1
392230a4f85bfc68baddcdb84f7df8bfa028328f

SHA256
4887128e49a2a2d4051409c897430b7b912a45e8c6f4347d9733be8cc679672e

SHA512
baf289939eff9cfcd9ea5d4020534c3444493d26165aad0ef571c7a4dc1773c0af10e9b0566c2363a21cd76048141f47004ab6e1afa5727fdb9195aadea1e788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ecff18173b5a7a8626d73bc7065f00b2

SHA1
e38e3a57d9d85937b1e6c54a2d9bdc171750115e

SHA256
f89df842d3736ebbd58e9b7a3a88b030f0b3b8883b04cdcc20dcc7d5239d0030

SHA512
805e83691299f7395f6275346a8b58504bb06c026f156e221c35f754afb2ed341ad5e5d7e29008aea2629e0136f2935d6cf68997daa15fb390e46114f9d31176

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
507989b40f8e3999894b643f51ab9fce

SHA1
dedb40b610a770b66ee81bed4ebb1ae10c1c0b1b

SHA256
b59becbbfab2ecf5c3b1bb7e89390d8f047e20c07515ab332d6dfeed2be41e00

SHA512
a9645e902e1233bb70350af8766edc3f5e92be5f8e938d5c80886ef60a043cb4bbb0153dd5fc6b083d39a6a8a63c4313ef7a200131f75390d8799a94d35a1122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7e9ba5f5c639f5ac7c0dbeaa439b245e

SHA1
04f69c8c65ec3767ee1d4a7fc1acc7acb71d6a49

SHA256
ea11af22355fb594a3b86a5cb5950e035055e5284cfce58d07769ae6168e23d6

SHA512
4574753b95b8554c6f179e2cc9f8f026fa1d036ee2c884227aaaa21718515f36b80347e53fd20ee50fb281109d9aaf1f039ada620c2df0bfcf53879658ba33b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
bef167726c0ae244afcc6bb1173d5c4c

SHA1
6f20ffcf27b47e99bbac3355a26b2b4e2c084fad

SHA256
ea9632bd32ecfbb62013fea23b27a47c1dca19e01f3386aaafdcb0fa20813bf0

SHA512
4a37bcef12042b2aed86266045ef0db002365dba491ce24c3c45ce9497703e6bce973924d0508151d77643baef18161488b0f6dd55cf67fa514b4e84410dcae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d43670e0cc553b44a65d78ee68659bcc

SHA1
3e4d087c3556bbf1f71cfb267e30dae47d5067b1

SHA256
44517d8d08f1884f7c82103826fe4ba56a798ac7f4c1eea7ec3cbf050ca7d0a1

SHA512
d842e66db2b1d5f42f3c2202d3d2ae15be678c27405657ae04a864f23c2b251f1946e007e0df0b2c90333c37fe2289f99264f4e16f92d4dfe9c6e50ca79542ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d5feb05abb9df250f76e69d55e7e95de

SHA1
679ab6a507258e1fc6ecd88cd7c9cd28c7b6f741

SHA256
3880eee25b395c331fe19901fb08a96c70537507125ef90b1d50144a54d87662

SHA512
0d2b637011f772a9bb17f977b6ad6e39a260e692e694fa5261bfbf3b9120dbfcace5e8aad51c36883be3a021e5d87f8a5b56e2454a904462a3b100d2749b295d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
be24b5b50c01a16ce9ce7bc276f60a43

SHA1
e6bc9498144520a893fd05a350cdb8f4ccb9283e

SHA256
1c4c2564ab8bc961fab5da1c7f4ce0027e7bd7c5260076437dbb807f6cf2570c

SHA512
960d656fed634802dcd21df9c5f84547b2e43fd871b41f565f9c7366d99b357f4a14050dd15c13265f674e080ccd4340a07d682ba1082fb94f56047eac320df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f0e0ad173aad5d73b4fb1f4f36e56346

SHA1
5c397db2456dfb421fe9dacaddc865b219bf7ea7

SHA256
0643bf28ea7c3bc060be41874b0b88d55f2f152b32452770b16bd83812661927

SHA512
630a017da5ee8490f433034bff0d5c74d196a47b147c4ebf8181080af0be00a85d5a6440f283e81a63427e849c73e4a2e21909aff4e2992b4b22f3222efcca61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
53df710ee5dc3289d5dbe3306528223c

SHA1
2c44b636c6878beffdbfe5bf39b58c4c2e68722c

SHA256
b3c124dd728e8b0cb8024fa885ed09c9ec8838900e11fafa45d6aa19115bf55c

SHA512
cd7dd4b44ed10d55beabc157ea63f33e10f44c2fee332364e0f9d22127ae2dec432456275ab65925b036d6d48e26186f944adb387dfc30425c243f0ae485f939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bd6006a1d2248b390ea759025502e4b3

SHA1
5176a74966ed0896db845f606654ec386832caa7

SHA256
b7ca9edf8c280ce9d4ef3164824a028ae5bde209e10fbd0c853a72d51f4683a7

SHA512
1d96edcffbbaa5e2cec5b64a0c39a584e08e183e0f571fc4d78dab1d457fe7fd36aeba58bffed6f75c9bd221986130ad55452bce8cb9aae65648fc9bed796cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
426a63087f27326cc1cbecfa0323b3c5

SHA1
a8395de10c353c2f567e383ab7f2a7839181f687

SHA256
d10fe56deff17ab2abab99fa073ee63af51637651690f289fd7870e772cca127

SHA512
aff874cdeaab447394c543f43e6525f579045b3bafe623ccf30974e6e5a8626b2f7e14e290d34872c111d42c59a6efadee5525f5a3f9688b9e873f77f082bcc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
546a300b2d275afa9da3cdda90fc1cf2

SHA1
555ab655b9073099df7e9aa2f23a8977dc84cfa5

SHA256
696657cf495d59600e852a0b170738c82b0ca7aad6df5238bb2c17dbbee4b608

SHA512
b21a540b8a97992335cd3d9c1540565d1aca8cab93a87748b524b08027ec496fa0b58e4933c62a01e26e178b7502f23762cda29b053bcb9637affefae0fdf708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b048de10032598df445df58c5ae1589b

SHA1
4712c8ba3d5ddaea650debd84d38ec6401e14997

SHA256
237b9646a99339f4c124551850b940bf4f0a27b4da5f8737ee4c8a98b453edcc

SHA512
fe34f8a303b35ce72fe211be1698e52eea369e71bf0e19f18de6465a4946f131324b36932fc4a4686dcd3234312f1c153ef7f864b4825b92687df55def159144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
959ec2d103337f890d8085275bdb26f9

SHA1
242a8fac64b72bfa04afdb70df1399594c4cf4e3

SHA256
beec49fbf00935309a636f0ea021d3a0e78c4c06e1e467ba669c05b523bf5973

SHA512
f91d6c3a884bfeb1bceb828e8ad6344e381fdbc4cd07f00e9436f13b112d9c7e4348d63e2373279c33314e5039b61fa7f38b6b25a4e769a001cbc4a94a762151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e48b0537312a3513bc7d72b40032c6a1

SHA1
289a7398cbddbfdc5c2cfa73d9bf18f5db7f2fca

SHA256
dbda1dc526faf9ab544cfdb92f18167c7ec191dc1dcce9c50e1f312293c06412

SHA512
ea930aa1a3ca72d5ae1a7156078bbb441feb231fa7bbf5f2016477f91f0472332eed6dc9060653660c1b4da919edecef28d03efaa4fe300969144d2eededd029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4ed5374a79899a14bf9d56f125465d0a

SHA1
911858a47d147cc63487a794015d2132a34061a3

SHA256
219ea5736f4a08c5e7ab27e8c9690022fbea67df26da645321e7b9c6b9786d99

SHA512
5d12f24455f15f00001b7ed3252f0d1109c7bab187f15b51de198c7a59e9a5e2e7dadf320c7671fbf36bd3ae2e2fc657e8c7511e42fe33a9c92c9a0fdfd391e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
dcc65ad77d92e7a1c97ecc35f2f33b28

SHA1
b5264a7d952d7dfd954ee7a4ec7001fc4d67d62d

SHA256
cb38164a509ebe058823645a5e429e8cd346b087fa8b5f0c1e1eacfc1396effb

SHA512
d7bca6b4218071ac8c1f4b58c64a710b5e8e4a1dcae7da5984e2d0df9f3745f67b62c84b05a15ffcdaca149da2039e449a53356cd29d3021efb6515f4bbd4556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6154b64deb2bd9cd80ed8dbd117a7a84

SHA1
4ce00a53e36cc89f1d0cc09572b7434e3535e485

SHA256
31a2b9a1414e5f2229394f7fce722aa80680f28f99e169fd3dfbdb00752eb2cf

SHA512
1ba76e7b4ec49df2a0d1165dfb7d01c76ed842dcb6db4cf302d70af64c54fe54f438cb4c41e5230c357c60007512300300b347f5764f645e322e22bd09c81597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4a43573f3595af251933dd8cf5b7ac6c

SHA1
8e953b67d2b886de2a610bf682df37479fafbc7f

SHA256
0e15fb08bfcc1ffc81be828d6b991a35816d233013b680792a3483f7040ccc87

SHA512
8c559a34f88d3d1d7fe62b1b08d1e345487f9c7d6d76b7af31c9a65822844979d7fbb0350cdca82758232a2df0e1726bb53444783544c78626b86f5e7a13ad96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
065d50b51f534c51b68e2669c4f6d1aa

SHA1
cfabe51e63d989f5fae546f3713550abe1a59a91

SHA256
4337b5cac4585ceca185838f01363867d4ba08fe6a2303107bf1adbd83463f3c

SHA512
d185255939a5a37c97fa9456d4ee6d58aaf400fd2e4126f52422c7700bfd6180f8d924796394d12c1644125254580ddc3bdf3060770bf93d6e4ac2d1584cf199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
68ecb2c35c3ec5432891c83d9301267e

SHA1
f0ec5a3ecffe01dd57346762b9eb83784d88919d

SHA256
a1b272e21bbced5b863c4974e5ab04768fde438c1bcfff18618f4a7868656299

SHA512
a22faa937e020ebb1a2dc4da3bce65c8083d3a7e17cbfb96f278e05a33f533f14a5506be58c12a58c8c9008c197388b7f9456a42ddf7b22651bca07854cf167d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8fe1abac9c81ce10bd12c080daf84ce0

SHA1
30d1adcd157a9c14ded6113022737744d53bba4e

SHA256
afd463ce5305a8b969ff75d0fe1ea7eed3fcf141f65694515fa3b14f1a1fdbea

SHA512
e0fafe85989e1e408076c43b9d1b7673fc091059ff79b7a764c5d71f51b7af4baf9f52b845b2813185eff93a320f9397f7fd04757212815a2146fc2e05879856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a0fe.TMP

Filesize
538B

MD5
eff58decb96d5333efe1bc6cfa7ae44b

SHA1
5cd0b89ccb4a409d315d22c1994c00d72c44b4f6

SHA256
ece0e8f0a97cdcc948f551761e70f6fdbff2380dc4c5ef248bf6ed458dfa5fcf

SHA512
7a3d3d970e33c5e9f9debf65b20d64158a8ddc82ac96567826664088ff21639c178b461b39147a0e6d38478777ec8fcaa32b05c0534b4337db66dfae2385e1cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
20e6a97e1add7b0eb497e713823d62de

SHA1
0c0c045d5cf6e96d032b10ea358feb7f72f0dde6

SHA256
2a31455deaee873e152f32fa323fcb1b4a79977945c4f18183d083562c2b3393

SHA512
10471f07515fc4414471f7289675177eea714c88e38e8333c2f2ee2b46da9a009b3633a2fc60f04be2cc8134fe496ecde156c60facf4a9866133b1344aa1f5fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
58bd0b1b00a715abd7ad40aa868b4da8

SHA1
b4316b0b40293c91f15e978d186ab2d3525c0c56

SHA256
cd82c726b9e073a9d9b5072473c4f8b5184814570a73c387ed95c7dc64244cdb

SHA512
dea7ed68247d01d1145fa5dffb6e703b8f1930597b1d60b2f17c371a7d668d24d20f626ffd49da06c26a7db9d68da34a007c3aa7b81ea1b28249a19598328db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1cfeaa0658262202181aedb51f1f111e

SHA1
e4b41699bb949f5d8bb4337927a74bde1f1ac36f

SHA256
d10fcfab68e459403a0e00ac2d1095a0c371748634c4e7b18e89f3e163470625

SHA512
1e9ab927236daa395bad7fe0490ea37b10db1df744f01f09ca284c735a73a642f8b767e4fc1babfedd981a514e14bfc9ee87a218d35995f9b67d554bbd79fe7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3fa7dc18765f1bb8a3fb1bb75c6731f6

SHA1
795badabe813d4a52c14f312a3eb9d3d3756be83

SHA256
23e7c953dd820177d958f15ae99e7558f72a05e564155558c546f2323925138e

SHA512
61b8de9e10f629483ce1a609987cacd3d66122f3e7ff5868aa2dc11c2caa3f7599ce0bd070d76579984bcc732458078cddf96c018bafc506abc00355d471566e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 124482.crdownload

Filesize
9KB

MD5
f7349874043c175bee2d0ff66438cbf0

SHA1
da371495289e25e92ad5d73dff6f29beea422427

SHA256
f852b9baeeefde61a20e5de4751b978594a9bf3b34514bc652d01224ee76da1b

SHA512
878f4bc1ab1b84b993725bcf2e98b1b9dcb72f75a20e34287d13016cc72f1df0334ac630aa8604a3d25b9569be2541c8f18f4f644f5f31ff31dd2d3fedd6d1ad

Download Submit
C:\Users\Admin\Downloads\WinXP Horror Edition.7z:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier

Filesize
130B

MD5
2920729da1ffdf0a8af2d7170153f6d2

SHA1
2b5269271b4494e24abf9217204b13be59be4660

SHA256
cd2b4f422661fa94aa10a6cc8ec747573f554ce7c5f94a0767ab9985288d1fe6

SHA512
158c3aeb7f35b338eb61864c74d91d0acee3598f5c579606155a33ac320e784f7b54346e4ae5b594477b4eced967410a969af5d07fb32fbb0e5abbc393381d9c

Download Submit
\??\pipe\LOCAL\crashpad_4820_IGEFVQEYWMOONKCN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit