hxxps://drive[.]google[.]com/file/d/1ylSw1pvV-PPZ5pFYY5F8EGwStwPNdPUc/view

Analysis

max time kernel
125s
max time network
130s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-11-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1ylSw1pvV-PPZ5pFYY5F8EGwStwPNdPUc/view

Score

7^/10

discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: EA76ADE95776D2EC7F000101@AdobeOrg
phishing

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
13	drive.google.com
14	drive.google.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b925869e-c170-4af1-83af-0812ff0ef64d.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241124013357.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5844	ONENOTE.EXE
5844	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
4792	msedge.exe
4792	msedge.exe
1292	identity_helper.exe
1292	identity_helper.exe
392	msedge.exe
392	msedge.exe
5844	ONENOTE.EXE
5844	ONENOTE.EXE
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe
4584	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
5276	OpenWith.exe
5276	OpenWith.exe
5276	OpenWith.exe
5276	OpenWith.exe
5276	OpenWith.exe
5276	OpenWith.exe
5276	OpenWith.exe
5276	OpenWith.exe
5276	OpenWith.exe
5276	OpenWith.exe
5276	OpenWith.exe
5276	OpenWith.exe
5276	OpenWith.exe
5276	OpenWith.exe
5276	OpenWith.exe
5844	ONENOTE.EXE
5844	ONENOTE.EXE
5844	ONENOTE.EXE
5844	ONENOTE.EXE
5844	ONENOTE.EXE
5844	ONENOTE.EXE
5844	ONENOTE.EXE
5844	ONENOTE.EXE
5844	ONENOTE.EXE
5844	ONENOTE.EXE
5844	ONENOTE.EXE
5844	ONENOTE.EXE
5844	ONENOTE.EXE
5844	ONENOTE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 3152	4792	msedge.exe	81
PID 4792 wrote to memory of 3152	4792	msedge.exe	81
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 2456	4792	msedge.exe	82
PID 4792 wrote to memory of 1284	4792	msedge.exe	83
PID 4792 wrote to memory of 1284	4792	msedge.exe	83
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84
PID 4792 wrote to memory of 2128	4792	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1ylSw1pvV-PPZ5pFYY5F8EGwStwPNdPUc/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd61f046f8,0x7ffd61f04708,0x7ffd61f04718
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff661575460,0x7ff661575470,0x7ff661575480
    3⤵
    PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6392 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1888 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7560 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7708 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7420 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1916 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7900 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7392 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,15227433914505568489,13129904793961160667,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7556 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3024

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5276

C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
de6163936a47d8ea523929b3dba0d107

SHA1
34607224b0bd4357364f81c87e824b65fc6b26a5

SHA256
83c2a40cce91510d3b5b46a020c57991e876a1b62529fd590b515995ed433a36

SHA512
e5a626bb8d874ed65267c876a696a9d50eadb6efb224a28f58172ecd79d6ba77f0a2db56256462a475562b7acca9530d6ef13fc5a2fa2279a760b4d20e09f80c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
afe0c80c0429fc1bfd088ca9181f6b09

SHA1
5c931e2e1a826cf7f83e46ba961af4163fa98456

SHA256
8bcd790c76716fbdfbc532d6415d55a41bd242b27d7115a43a74c42d9fcccd5a

SHA512
71c2452ecddb13b9ccd953f0570bd128aa8e874361199e7850f8a9e0f2c010b6873b713812a339ab866c8e53e9310772740bd197b3b2630636985f3001399f0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
4c0d28c70b84f9a0e06b2c45aba8b9b5

SHA1
cce249e7d53c49cb7f4af1d08bbc9b0a5710bc8e

SHA256
c0e48e3423b7f191c0c206a017dc1cca9098c235d38e0b9af5ff8cbf7536e2e4

SHA512
167254215e57a092af51309a3d5c60803edd130bf375574174903044ee8ef67956b6c0e05099d384a8a4b131cfa418b3daa764ab398bf6600f9f748eec20f90c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
403ddc2b15cf3dd166c267c397dfdf7b

SHA1
da6374770f5d706f06bb9cf70a867a1ae82ad6c7

SHA256
ad98c5b5ce68aba668d849977fbad4aa6694904d6e645274dd46d748fb0683a5

SHA512
d5a71f04d35952b5d70c06df1b32ea4a069be3d8a3c5f57670716800e2831d1cc97d2fd1700131a543c6f88213bcbc6f84ba99c2d4e4eb3e4985ba9544ee67a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ccff51f965f8f4176e4ad112c34c86a7

SHA1
eab249ca0f58ed7a8afbca30bdae123136463cd8

SHA256
3eb00cf1bd645d308d0385a95a30737679be58dcc5433bc66216aac762d9da33

SHA512
8c68f146152045c2a78c9e52198b8180b261edf61a8c28364728eafb1cba1df0fa29906e5ede69b3c1e0b67cfcbeb7fde65b8d2edbc397c9a4b99ecfe8dea2dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c29339188732b78d10f11d3fb23063cb

SHA1
2db38f26fbc92417888251d9e31be37c9380136f

SHA256
0a61fa9e17b9ae7812cdeda5e890b22b14e53fa14a90db334f721252a9c874c2

SHA512
77f1f5f78e73f4fc01151e7e2a553dc4ed9bf35dd3a9565501f698be373640f153c6d7fc83450b9d2f29aeaa72387dd627d56f287a46635c2da07c60bc3d6e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
40KB

MD5
b786554392ab690a37b2fc6c5af02b05

SHA1
e7347fa27240868174f080d1c5ab177feca6bd84

SHA256
ebe47cc89c62447316148809bda9095bd07bd5392a99ab4b8ac8b9f6764cda51

SHA512
b71cdb76464a775fca909cabd0a7435c34de3ee4e19c40f5bebba6415295f0be2f82532a2ecda043c787ea4e8c23fd4e582a4d4322923fdf603a56e3fcb8b567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
52KB

MD5
bda2a0473abd410d22ab7b41a8612201

SHA1
b1bacd1d3a42d5007db5aae1b9e2461b4b8c9aa2

SHA256
ea655b522e0136e3abba4295bb06ff03233dce6fbe9dc2081eabd73c31cbd1cb

SHA512
c209cc890c824a8403dd279ff0564cf4741d1fb42e2a7bd5edfe9014f1586baedf5ec69e2bd7c3163edb785bbef5c6a42b179e665e91d9fbe44e4946e30e167b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
21KB

MD5
942e2ba31d132bbe2486ff1e36883a86

SHA1
bcf42c590a69f66c3a2dfad64842e44913b69778

SHA256
c592232c7a1dc346f52af20881107d4f337fc6ebb50cf671c03a3fd01f64da83

SHA512
5f52f31e1882e074500897243b4ba1413758fdcf535f47fe9ecafa15436c68195477f51cd3469dad4d8ffc391c30e6e966280c088d4b7a5c50736ce85b157caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
1780888970f11fa7225deff7c175c99a

SHA1
a557dcd00407429e4c5d74dbbd892ffb6a387bcf

SHA256
52e1b38aac7ca458119a55c131149a67f468cf8975e6353ac87dd2c75789398d

SHA512
a893a8bef24f28d29621d19dae142c009f7815af3cf4e023334a1aaedd3d156a1a2415480cc4e174c88453e276103e1e13140c9948cb1c49e6690011359f89a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8bc96fd0de65d0e9121daee3eb085108

SHA1
a42f9df7095d23bf299b0cf6be73ea07fcc4e10b

SHA256
4f668e20069537d3ee97613b67243f07e040094fd05f6ac1f4539bf340829194

SHA512
eed4896587f9a13fe9e049c04e720ce71748245423677b0110c4714a91a9751802ff61d286486b1364f58347c71b0f1481044926d83d9f2c0bbbadf7dff9ee58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
ee62019eafb7ca64bcde1af2619d9382

SHA1
cfc62086ffdb3f961dd9461d0b56c32f93fa6bc9

SHA256
c188c30e528296739046ae10412806f9800ad01df3fe351d4fc934b1428006e7

SHA512
108d45bc4edde92893e9a7b6a81dc371a40d201f444b5f75319a8c1a5c916824bd12b287eb9defe99229b5e4ae3728d63ee3ad1128616e09d32e88184ffe72a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
06d8caea9a9cbbd448ae0ec878043bd6

SHA1
095adc78fa639c607e29274d0a2f4dbd35c30e72

SHA256
34314b1bac8921bf4b91fbd3928346d82bc186fe1c33673e372260732fa1df18

SHA512
595d1c866bc124b22b27364186478ba38f895f42b15d68a20a9381695db8762f523c8cf9626d5291477cea47ff7b2ca96a9da3fa7db07016c041d1732422b832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
26653662cdf47ff89f033906e0a7abd7

SHA1
f5f031dcb65517b697e6d9c055c52dfe658502bb

SHA256
ce94db52acfb3e5cce2f7a8be90309dc903bb97db95c93930fd72405ad84c092

SHA512
9a279eed19df9ca4e029af6fa67dae46766572fc49843fca7e588444772c6ac3e0465de2055e9530aed6fc558cd3d3bef2dcf77e1fc12276f458a184df12a435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
883e07bb1124c1b63b774119e68d0be1

SHA1
2da9da70687e2e177789a1e96c61c1b107c01e77

SHA256
101ee81577a059a5a59baa852635b574a73b968a566dbd01ed42410744c9bffc

SHA512
9f484d92452e818acfd3bbee5dd47553ff66115ef67ca07ca8bd87370134aaf7eb36dc37779d8f14a5e5e0493572d3b1dd35a0eeb58c06ea0bae280645dbe09a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
43adc0b2481a18f79422556c07186e8a

SHA1
0dcaa432a0e5f4fd639373759aff684bff8599a9

SHA256
cc91a87a25a964f74a728462e6a3563b79ea9e79bdb04286fa3cbb89f84a1dce

SHA512
2fc2c65038f77914c33b87d554b4a21bf894317a06cfe4b8c908dd9b76f411f4092f472acd0187aa875a10eb44396922bec601ec09b74e93360faa2f236259a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58b735.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b3426edf0c87fbb4a033503364343aa7

SHA1
a61ed1d657e2d5a89018a90cd600298c1b2d42ad

SHA256
9c209b33914970b145c426ff36fc9eaf9e1d188a17537793c5babc340980125f

SHA512
0093d2fab4192b6d761aa7081d603bcbfd59db1bcfa220477e3f85865f1f0b0190e3f491afc8b6c573816fd278c4bad02f8056ff1a5622fa53df14d755ea1116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9c4356ddabfd752949f94ac89d12a900

SHA1
262bc8456afe21bee9105f553ee1c49017491dcb

SHA256
24fd843dda77fbba42a64d7da554a66a56e5141c669488afcf30ede58f16f28e

SHA512
f1b304c2bf70a1b4d9cfd70fc6a71ae7385dead77dd90189be983ca1f1d849d06e4a7a1c8a1e7dc12a7eae306905ce6f4caaabc8410a4c5627ea646cf65f9284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7a730ccec5dfdc21f636f382177d63ae

SHA1
94e11bb56f6104c36f8d8d81d51f47373021c6b7

SHA256
ed1ab903bc30076044b809619af84f8691491b7b1fa186edb370697a63425bd8

SHA512
cb966983fdb9a8d8829f61210dc268092ad10ae9870b4622aba90c2ae852f663d1fe61b569631af00c5911e72214389b9f2165391af9ede655543dd9e9f23662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6de8f98b84dc706735e56284dae79a40

SHA1
f326fc1027fef4ad93062dc49beffc66a2307b97

SHA256
3cf3ed46da324712c80a9582a1398ac8f8b2b5ae03b7602bc5921bdc06133967

SHA512
5d2305f7bd75d687c496decff4dab5b6bf302fe8a3654a3fdf9e741cc419e802e6ab9363d8dd0a1dd4e19f345a6999b6fb4f16f94a71ba7bcc5fa72f5057a076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
c569a481ed437d0e60fc3e7d563ee38f

SHA1
1dcbb4cb1a8cbaa32465531a85d3f769da80e2a4

SHA256
b52371bdb4bdf0e75fba9fb34cd1fb6d36a4c90a66a2f660fef3ee8ffe29df28

SHA512
a7df0249034047addcc4bdec271beaca8f54e332b0770618898e439ef679395af5e8201de9220e188abd69f46dbb8db0023854232d3a0949ccd32eed08a6695e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
8f1e6426cdbe6a14ea8a717459c7f32c

SHA1
6aede3c04e9a889fd1bcf738cd0f4f9ce708441f

SHA256
0a8704bd91c1d8da8f02b59906b5f6abbdf40333c30a5de3fca871527e77d353

SHA512
49a8dbe7b47f03558a7f1f29ed1042b44d50a0b07f21a251790a9431ff66b4a11cc5ceb3c0a2845292e9cc30597b4acbd4bd9ae90072296b10749aead932ccd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
57dd74bcab4195358d691ab49ebf2f7c

SHA1
ccfb866df440bac4b8412b0325349457ba822a18

SHA256
efba912876e6d897756b9922f45de3cc25cf24d1342b180899eb3d2925811218

SHA512
188eec66c47ec2ad61adde6c7dda97978d3dc89a9bd1798dc2dd5b12a88e36b6aca7cc156e7a078f711a1db1a1561b8bc6fe2eb031da3f623207757a09089e07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
86aa28ffd286b08415aa197216684874

SHA1
d99924976c73e3220108817ad6bc1d8b1795ca2d

SHA256
a6dc4bc6ade3039e57b538f2620b91602199f1908b23c4a2beb3fd3aa721579d

SHA512
a51fbd1af778d32f2f95a9a863a59f42a7eb804dbb8ce85459297959eea21fbfe9625d74c3f91ad65016031d4b3e26eeb748c1c59e09ac68778fc670d408d0fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
26978f38b0bce48572b90b762b7d937c

SHA1
8b8b88012fab1d37fca79575a5db81674b424867

SHA256
b38f05e2e63a1f87026aed06f5b85354570c6f91d28947466f0555276bab6afa

SHA512
501e0de5f46bfaac901cde5c39a321edc411426fd91c83427f36710fa56d20b5f6ab8f2219d963f7ab495c2df7def879652381db3876b7e2a7080921cce78379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f56bfb986dc43b7d725c421f76f49d3c8fb9acfd\index.txt

Filesize
94B

MD5
fb89e9e34f7ce183045459b3d98a2731

SHA1
aef050e8c78343da6f5b711661be22e21fffe2bb

SHA256
20a32a94a623e625ff45ff7120017ade96850bbec445e7f25a05725451628bd9

SHA512
35bfca8faeb9b4bb9835e35e0cc0c7f57f0daa5b8fef930d6045e21269923e6a0666c701c5713488f55128929512bac7833c4a3c176e5b214c8862e73992f96f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f56bfb986dc43b7d725c421f76f49d3c8fb9acfd\index.txt

Filesize
160B

MD5
a24272cca8c691e7cd85ead52db01310

SHA1
100e0af22279dd36fc8cf0a28e50d75c0f821546

SHA256
bf55b8736d057e423d4e9e7416d281ec44b0e51a04a5f64698186195f7139de9

SHA512
e803d62b3aa181b85482ba4c3e4765caaa83c49cb4f27fa76e5eabc80ec7d21805025da34943743ec8cde8b5bb4cf355c94cc2d0a9d70b4d350dcf09c49e3909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\f56bfb986dc43b7d725c421f76f49d3c8fb9acfd\index.txt

Filesize
153B

MD5
44a62f5da04ea91e5226aa7076a2cddf

SHA1
f2feeb9ea9d6c04556371c5c1de5fe55cfb03122

SHA256
de11968abd4bf2613e51a14a632c5011d9d309df06f9de78bc99fea7a6cd1964

SHA512
97d1fa77bed9f4be0cb6dd46275e5c900a6e0e545934dd22e7317dc06bca0476378e4cedc498c4f9bba0c58dd366559ab44f2e42bea3992a11d9126160203b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0b75093bd897906df3dcd6432f936be3

SHA1
85df7679a04028d1a0753e32ace99da238905741

SHA256
922cad8aef8c11ce4e0fa348eea0e57ff68f8b9397a3cec89ead0977f362c807

SHA512
29762f1238d63f5ae4499185875a31f4d98304635a1ffe7f430e142e6f67bfe1139eeab15ec277db8d6599c57931cd6deee0c1cd88b979e1895a14a905218ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
dc53066a0024e41b6bf0fedf49023fe4

SHA1
25b2c5bafb569231424d7df5093e483ace1ca510

SHA256
cf2d1a394358ad5c886a73f3289f10a6fd65ed17de9b0e944c742ab61bb2d748

SHA512
0bb383465f326e244526507673b34b3bc8d2e7159e0f4405e840d771f6a78521a73a71b6b096f3ad4e035e004ce04cc3ee1232c3e3880729aa912c10085428fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
90fac262404e013ab56768a5bdcd754c

SHA1
4509a07760d675afc0f4f72e409b6db3a2ad4cea

SHA256
7eccc6cd64766da38b52cf7f12ea5fcc38f6e93aece1ef5daac279e3711aa0c4

SHA512
a6b43bca14ea3622304cbcdd2fbefe87c575245b405633b1cb7f5a3d951a4f086450ab2763cc055958e171828513234fd1c412b4b0e7b93e1379ee95abb01ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ba1d6460bf2e60932447a2b287e7713b

SHA1
986dc9b08c07e823118fd97b86131db626162762

SHA256
b7bea87ea20ca5906cd25fdd2cb3fc3ab88ee706faf0e93b2be024a719b7bbe9

SHA512
d3cb4066a3150120d95659b487ccb8c68572e20ba368af448d97ac117097722cedbd4b84c0280e026bf59becf4b7394a3612914f93b6dc8087045dbd3a83cb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
ecfecc774a5e49b24dbb31430efbbdc4

SHA1
66001b9da5e975c044194b1794d36d3e8b0271d5

SHA256
4bcd609de30f36bc20376ef27ec1a91f307aa6d8be8b9fa45c7669b633c9d1f3

SHA512
78c37eac226926a57c7f9e90ebbd70be43ac9b09a623723e1395652d7512f6bf0c13fc9af8a7bb0febde9760028847860fd68f6bef2d0ef2d7d2edcd102331cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
09dfb151965ae2d6545daa86cac5249f

SHA1
04d11c5a3b9d61c5bb521e94a22e5f0f9a08c2cd

SHA256
b753767881e98808de202791e24b0f97e46420cca12f39819fb6f90f2c3957e8

SHA512
2a32baf127c42a51c62bbc7230e5fc7d937322cad8d162777384fb3af030018b91bd97c717828a590e13e23f559acb4a3b0146f952abc7ed2bedf24dd292ec52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58abcb.TMP

Filesize
1KB

MD5
3a4bf219e5ae6a98f954fc61a744cb04

SHA1
afec720fa9ff1117bca132e8a0fde5c7be96fce4

SHA256
b26b05d7c4b5cec2e782d0d6bd9634dc354e72f2fe02fa71490cca5ec06895d7

SHA512
fb69d27f99a8739567b0d1efb988ff22f581f0e2a70ed816c0379260b7088c5e4d3cb65b8a8cd35256154faa2a0269060bbeb034a39955a783290712c44ad538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c1991781-4a80-4eb5-8d5d-05b1f404069e.tmp

Filesize
6KB

MD5
f8688b9487bf55235d317049d430f05e

SHA1
1410939cc4d935c8f886f31398f3d72ea993a781

SHA256
39b7cddb4273a11639bdf1a01b5ecf89ad771e2956a74234f8dd1c6906b304eb

SHA512
a36bcb3ab7f7459bbf58d7ff9397d34192c2504430ee58419680862bb9e5966f2be0602ea5860ee2c04cd1741816cc3ba5d6702362920a5fde5e79ced79cb26c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
90938e6ec4c10403577e84f792552ca3

SHA1
90032a39764a7fe8382c077f9adfb2750e20e6e6

SHA256
0b1d125d43b149010b3979cdf21de107e00d78525e71a1481671a25c368e2084

SHA512
f1f06feafbd36071c7a1fff1788bd06e8649acc71abbffa52b49a3081d44171574f7b2f2247ac77e999dd95781a7c187aa9b5107b9a54c9e46fc8ac33b539816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e2706aaaf4a2c894ee12814dfa9f9a95

SHA1
401143c125f89b8cbb4f1ca56b8dbbc0576a13e0

SHA256
a0fbd7d7796ccf5855f3f636087c38366aff4b126382ac561fa924df2a10758c

SHA512
8c47f13948aa48911ae152a712557a3f677f7bd8bd08319021c3b09be8ea2ff8ad680df3860fd6728cab01cd0cc32fd83fcb6405d0391494238ea4ec4e34830c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b61230e80fc2b0b24e625dad1c4b6110

SHA1
b58f79fc8eb24e63df538ec208d2f44d8ab62743

SHA256
d7417a0bf6972d06f8c7c1b5414940f642dafbdf5a80ef5a5caaa21ddd2f1389

SHA512
d82d5a11e0ad65e72bb011365f9ff9f74cbef7e52bfa287839c37f7f8484f61bbc83c9e96f34cd4201dda244ead37feb9c8aac4bf06e311ca6498010f5d834fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ac7747cf96dcaba5b0c927a7f9194286

SHA1
4fb0e683b4babcb68ff977487238215d58f225f0

SHA256
e9593555cc40b2bdc23b26831c65527a349be662a102e9faf464540766c57584

SHA512
fe4d0551f7c9c0e1c4d94c9dda9969e63022c7be3a358728c5dec753572b5a86d632cad1b54e234641cb1a000787a9f6e66fd9f9e98f74a065528ebfcd0f992e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
aadd76c260841711d28fb56135f6bbf2

SHA1
66ea935457d8b719fa4db5075ba5cb6cdeb0f233

SHA256
995291fc852fe9596ae78e8d74d1920ffe3caf845c52300b234f555772a9c920

SHA512
f9b35cad5ba3ba1e805745f3694aa5969f13d695f32783cfe6be912a6fa145f4e5587273e940d4cc6b2bd92e3f720c6df25336e4f1ee2c5cc976fe2323dc2a86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\e8ddd4cbd9c0504aace6ef7a13fa20d04fd52408.tbres

Filesize
2KB

MD5
16dec5a69e5424c0c3424fc9beecf74a

SHA1
02bc1a94124464a02558c7420050deb581030230

SHA256
3854c24363defa14a7fa58df8f271b17bbc98c5cb89c8b3982f71e63d1409958

SHA512
411441081443cbe01d32e5664f8094808f4e5c90aafce02c67c476f7f5c00d0272fba09f9e3bdfc086cd621aef80e8c6314de833e2d40b3b2b5c03a9fcdd2086

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
46ec6a971ea096cc6e69b5aee2f18291

SHA1
2dcf93fbfcbbdb48d5921a48c4adafc74da4f56f

SHA256
c006d5e7c6448fe4f19f666e30a00d0f24afd96e7e80d6f7fbc7e6edd31afdfc

SHA512
96eebd4d5fd77a99e901e32beb7262bbbc1e425c3c0be90f09b52b400c808c8a1c97819d9d608ec8dccdf0a517c257c05ffb273dfe24679e719ad615c5866e98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
8KB

MD5
6b3ee7298fdbb87c4c7ea6c83533222e

SHA1
32083abe82c5da321f5557f21ef498d67a53cb8c

SHA256
f66447a13c7f39b674fb4c27308258fad59763e50e888fd005d2609f25466466

SHA512
50bae5b905158ca5d1ae76fa9f78c5f3b9aef9bb28d8a0e91efb6735cf1388ecd0c8ae6f54ac7262f0759646763dd293e1c8115f94c6268ec6adc0858212c089

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
38785cf478b10765df2f4f3999514f10

SHA1
1a916b8467ca62cdaae3694eceaaf628c7be780f

SHA256
fd87191725233a6437fa7f7623d7e84468df136e11a042d5448b07c118c779c1

SHA512
7be8c6f42414d04bad723d013482fb5afca7177df7cad6a9bcc4d41521a6b46249491e173b22e4af544d5fb7669aa6bf5a3e4ba0ea9513ebeb9fb4a43fb63296

Download Submit
memory/5844-291-0x00007FFD30FF0000-0x00007FFD31000000-memory.dmp

Filesize
64KB

Download
memory/5844-335-0x00007FFD30FF0000-0x00007FFD31000000-memory.dmp

Filesize
64KB

Download
memory/5844-336-0x00007FFD30FF0000-0x00007FFD31000000-memory.dmp

Filesize
64KB

Download
memory/5844-334-0x00007FFD30FF0000-0x00007FFD31000000-memory.dmp

Filesize
64KB

Download
memory/5844-294-0x00007FFD30FF0000-0x00007FFD31000000-memory.dmp

Filesize
64KB

Download
memory/5844-293-0x00007FFD30FF0000-0x00007FFD31000000-memory.dmp

Filesize
64KB

Download
memory/5844-292-0x00007FFD30FF0000-0x00007FFD31000000-memory.dmp

Filesize
64KB

Download
memory/5844-333-0x00007FFD30FF0000-0x00007FFD31000000-memory.dmp

Filesize
64KB

Download
memory/5844-290-0x00007FFD30FF0000-0x00007FFD31000000-memory.dmp

Filesize
64KB

Download
memory/5844-295-0x00007FFD2E6E0000-0x00007FFD2E6F0000-memory.dmp

Filesize
64KB

Download
memory/5844-296-0x00007FFD2E6E0000-0x00007FFD2E6F0000-memory.dmp

Filesize
64KB

Download