asyncrat | 252828eefe357cb20bd6159c37595fd790ce356637582b378e6b60d4d6f1a644

Analysis

max time kernel
142s
max time network
146s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-11-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

client.html
Size

7KB
MD5

d98b35cd94808a75594fca3c11739c41
SHA1

99d79239a0ab3283dbe339ae0acca3ff89458d32
SHA256

252828eefe357cb20bd6159c37595fd790ce356637582b378e6b60d4d6f1a644
SHA512

cdfa3e3e389a5d5e497e48c3fbc9a27ab1586ce9a24b93ee0ea401bc3726a9ad8ea0573f98f03b057661444c0cf19e2e2867f18637dee122758f5ea46dd9b6de
SSDEEP

192:PN2x2B0PwwS680xtDQmhFuLg/28wyQlRJP28y/N:AxDPww580zDYe2nyQx2TN

Score

10^/10

asyncrat default discovery phishing rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

192.168.1.63:4444

Mutex

jyEVPUTS6MFo

Attributes

delay
3
install
false
install_file
update
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 886610.crdownload	family_asyncrat

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: sweetalert2@11
phishing
Executes dropped EXE 5 IoCs

Processes:

client.execlient.execlient.execlient.execlient.exe

pid process

5228 client.exe
5440 client.exe
3488 client.exe
1692 client.exe
3068 client.exe

pid	process
5228	client.exe
5440	client.exe
3488	client.exe
1692	client.exe
3068	client.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fbb1ce2e-2ad3-4be6-a76e-4927fec7269a.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241124100418.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

client.execlient.execlient.execlient.execlient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 886610.crdownload:SmartScreen msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 886610.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
3936	msedge.exe
3936	msedge.exe
3284	msedge.exe
3284	msedge.exe
836	identity_helper.exe
836	identity_helper.exe
3092	msedge.exe
3092	msedge.exe
5468	msedge.exe
5468	msedge.exe
5468	msedge.exe
5468	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exe

pid	process
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3284 wrote to memory of 2472	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2472	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3628	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3936	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 3936	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe
PID 3284 wrote to memory of 2604	3284	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\client.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff927e746f8,0x7ff927e74708,0x7ff927e74718
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:380
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7cbf95460,0x7ff7cbf95470,0x7ff7cbf95480
    3⤵
    PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2232 /prefetch:1
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7224 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7584 /prefetch:8
  2⤵
  PID:4016
- C:\Users\Admin\Downloads\client.exe
  "C:\Users\Admin\Downloads\client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5228
- C:\Users\Admin\Downloads\client.exe
  "C:\Users\Admin\Downloads\client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7508 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7853271857474248119,17128096845716457517,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6940 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5492

C:\Users\Admin\Downloads\client.exe
"C:\Users\Admin\Downloads\client.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3488

C:\Users\Admin\Downloads\client.exe
"C:\Users\Admin\Downloads\client.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692

C:\Users\Admin\Downloads\client.exe
"C:\Users\Admin\Downloads\client.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\client.exe.log

Filesize
425B

MD5
8c7889bde41724ce3db7c67e730677f6

SHA1
485891cc9120cb2203a2483754dbd5e6ea24f28e

SHA256
83c70bfcb1b41892c9c50cabe9bc2d96b2f7420b28545afabd32f682ac62d0ad

SHA512
b7c3aab27fc924dcaef78987b492931e164b9e30b813c532fe87e1d40001ed1861c4b5ddbdd85cd2278681a22e32eee816877f4f63cecaa9972976d87e38f5cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5d9c9a841c4d3c390d06a3cc8d508ae6

SHA1
052145bf6c75ab8d907fc83b33ef0af2173a313f

SHA256
915ea0e3e872d2b2e7d0e0ca30f282675139c787fec8043a6e92b9ef68b4f67d

SHA512
8243684857e1c359872b8e795a0e5f2ee56b0c0c1e1c7e5d264c2c28476e9830981bb95244f44c3b2ed334c3e1228f3d6245cce2f3d1f34cdbce8e2af55b4c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e87625b4a77de67df5a963bf1f1b9f24

SHA1
727c79941debbd77b12d0a016164bae1dd3f127c

SHA256
07ecc7bd328990f44b189112a1a738861b0f4528097d4371e1ab0c46d8819f4e

SHA512
000d74220ba78628b727441c1b3f8813eec7fc97ff9aa6963eb2ab08d09525fa03935b32e86458c42e573b828a22b0b229af02b47eee511dc83de4ed3b5e726b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
49KB

MD5
8991c3ec80ec8fbc41382a55679e3911

SHA1
8cc8cee91d671038acd9e3ae611517d6801b0909

SHA256
f55bacd4a20fef96f5c736a912d1947be85c268df18003395e511c1e860e8800

SHA512
4968a21d8cb9821282d10ba2d19f549a07f996b9fa2cdbcc677ac9901627c71578b1fc65db3ca78e56a47da382e89e52ac16fee8437caa879ece2cfba48c5a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
102KB

MD5
fd5edda93e7a102ee9a87bc3e0357452

SHA1
ce49ab1bd1d77e6397d9b668872a31754b18fef7

SHA256
4ff93846c9b93d37a9cfa5398821378da1ee43beea4f83ede8f4e58278ccb759

SHA512
844a64e15812c1053dd79d81b54a80a566aa3274b3cd5798b5156b60976fe636b18659e77e29c8b730b07319c04d85b137e09e0917a331eb580fdb00837142d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
99KB

MD5
1775a2de8e864d834c3a0a0cfcb3dd25

SHA1
7ceaff40e292d8dff5ae8d231d885fbb88ce13ec

SHA256
5f857b6788f0c32bf13967765923fd0fb962fb2aefae2efdc6385041d3067041

SHA512
f49c834a7deb5c3ba6e9c872911f24875e5f2d0874ff47a17f6764c874482369a835632580f57ca822c1bcdd73a701d0c2ecaeafcee2c81fece618b39971138a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
42KB

MD5
164be23d7264175ad016a13a0bcaf957

SHA1
c35ce3510b46a12a5ad3f73edc9ac18eb1e8018c

SHA256
4bb1ef87d7b93cb72976e936bca7f607d5dee5517dfa739fcf403a2cd130f6d7

SHA512
7dcfeb8007467dec38af535e1240cbd15e951735720e66e5887d7c69404edc2b2737fce054a369726b46b5a2038bc296b136615dc981d56cad7a8d674cb88aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
29KB

MD5
24b7febceabe22846d8a553396b172c5

SHA1
678a0160e54254e918e44754ac1f60c91d202ed3

SHA256
60443cd90688dbe05437ae37062a761097cec2d17373cca62913c2abedc02190

SHA512
d5b79d81290a0d0f55952217cc9b0846b92e64762361af79ab1acf0674456e576b748b7b810a31f83f5b7b9fea7bfc5a3e222d7ee6a7b72c4fa32c4b624624e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
31KB

MD5
6d2e861e5abfe019d20acfbee1e8b693

SHA1
7303a071b36007b343108fa6b6c3da959bcf67e7

SHA256
e2acb73f603e9917333c81ce9735620f435d73daa8459d347624b4762d4097fb

SHA512
212fb6eefc98aabe0eb222f0d2870258239913aea5a35d2bdcba9a127453ec037ffcb75d3921cf9b573d4fc05978b2419f494bdb92e366d7cb545bd0c0915126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
16KB

MD5
7d73f18dce766411b8ff2e59d1ca52f3

SHA1
0c9f4fbb70cdf2c277cf89fde5bf2e614673d43c

SHA256
7bc425e067df800599ed529bb14e8335f675e585678913dcae0e84417229a549

SHA512
6f6a156e316a128d79ea06b5777585daf4c1c2e001520caa38f686fd20203f9547e740b339e3a7112f7c1f498e8cb67d471ad4d0beb45e92593d95ce3e99b831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
6ddb7bf9cabc487a8e320aee1f4540b3

SHA1
743a84bc0745ca1c9562efa73012eb5df35726a8

SHA256
45ef0453d569dd7984482d720871466b748017c1e0cf052d41e7b16fc8107989

SHA512
e0046c66d8feb0fe63971626ebbb74e8324a8fbcb3cbf313b6e87b6b67198ace8186101ee31a34eef3a9dab6194e27aac5eecd4d23fa03f6bd4d0e23764f9b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
be15964e96ef2b51314a61d02344e4b9

SHA1
3da8abd36b8fdf55e86151a1daf91750db38c501

SHA256
984316a863e4c018e21fcae8f537a8592bdff01a535d60bf923780e63c97d1bd

SHA512
1fbb1de00112054d556b10b9b0898eee3749143cf3bfa5c9c3f54cb5b0a586fdbc26e59368c69c840847620dc3c0fce0e61f2a2beb3b1f14774065d65dcefbe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
df6e704768fd2a3226e433faab0a2c2f

SHA1
90a6c4809261f2b52c8712ffd9db77aa844a42f2

SHA256
2317d0e9650b2058f233d1012f91160f558ae52849e1adf5ce12997e898aa567

SHA512
f51d474862bb10ab9f2fbb6ed6fb77e55c969709713665f4f8ed3925f48756f67833da8e19439a5982a3bf5af3fc9ba9ba416be4cd86cf1e8c4b1830d7053669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fdf9c2bb5b9ee2cd81c4639abe8541cf

SHA1
5ed9614c932db4e79a4466808308f229b49fdf9c

SHA256
6e538d33d43356eddcf540131411b0b0f61d5bdacccd4072357fc1467d326229

SHA512
1b5a708bd47784f35045e3c5c0c9fbab5deba480f54b8fcb8df71f8cfaddcb2b3aac56b1cefb8aa884080f8ab768f4593009035172008c580cbd847d648c0826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
06103fa4e91be6ef7803d2e0ce6ece67

SHA1
06bbc2fda297decda89565e1bc2dc1faa7541908

SHA256
6d5263f0337183d3ab24134dfc21410933552198e6b778861da62bd3df232c28

SHA512
91ab14b2b55528222910488ff109e6abe8e183a22ecc89806e35c95c4ab100cdf44cab26d913182f35daa91c8be0aecbc5f0f19316318db17554c70728d46044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
13edc93fa079c2fd03185c5693d2a83e

SHA1
ff6fe180d723e7df1c9eba4a1a9789cbdd9e5b7a

SHA256
b19d199b6e83488f48658eb1e2d453bf55c82a2884412bdad2da2dfeb114e185

SHA512
80999a57d5261fa62ee023d999816c07bbebab66c34869e8f05eca88047f3ea0c7e4c5ad966a5f8f84baccbcb5287b32010a97b0dcb9d729e0ba83af7d350ea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
20c0474624a6f1ec62330e80e716c2a2

SHA1
d579f26846845852fbaff31a4a3b8debe3ff20e2

SHA256
767dba3b5175b5fd6ba8b84af42d2fa1947a3a72600b250d334e1c98600bcf8c

SHA512
2f39702a980186f6cb8709821bcf4194c4854d8849c8de47a0f1b338ba313268bfa04de138844f9dbfc4e86a21d3b934e6428004c3bdee65ce68b092a9392a69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b472d71d08338de49a2ff3640969f87a

SHA1
350e22a76d0566d9e6a6549cd025e7a6c7c1fa51

SHA256
03c14e867e9a95f1adc8e39a64d80d4fe3b53447bc38f58b37bb0636fbc96671

SHA512
e1079575e66446c7bc86c2cb99d835fe1d7dacb436e69a26682480bca25fe22b73fb969538032ed5fcb0f8724c06069025a50d38d7a73608a0c4bd1a2d329910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c630bfa0f5071ddbe4cda1f2defeaddd

SHA1
b7e2e193d5fb13b3950f40ea32b5f662f5c41c5c

SHA256
ff9f4d8abab0febac9e092e6c55d362b06a49f1411078302dfe4a1a209afa07b

SHA512
e717f8f074e5f07210de28da4769e3b1d1d6808c993d9189fdd5f17c3d52875da87de9cde9c945a201abe1136aed056cc4709f53f100c90b7ac2c9c9d238a19b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5e5247218ce4ea3bc4e3fcc4165d5f73

SHA1
84a8e1dd888238cbbfbacd9b8c644e8718217446

SHA256
2dbc06d44d143260a44521ba802827f8f6d91bd8a9a2ea2d5f13974cbc0e1279

SHA512
d4832f3851ac013db3b324c5c00b9d35cbcbf921f3cbe9336846ded901a3d65bde1024c7d3be831ca5545d8f0d2619845aa031d01f9497c202df2adf1ed2cca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91194c200bad8dff36721a0db76dfcc0

SHA1
108a55437d93975032c434bc22c4a2e964ee361e

SHA256
8e6a4eb65f272f90e618b44dd8d51b1baebba3940bc1ad7816dd24ab4d3b4ca6

SHA512
5fce526c3df43e440eb35557ab684fd3566577f950d205039fa5aefb59326e281e7ebfe2c7b4808ed8021e97648859ecb0a0644470f2bf8b0620a473292872dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b75419543b6e52733247cfae8360877c

SHA1
434147cea352050a97695616da8bb64305d35f9a

SHA256
5c9cc2a3bb7a143b780c11bfe587899131bac2970e4c41017b5a90be91acc829

SHA512
5cc9aca19056a989c73b72fbd9c62b2065682f61d5323a7eaa1bfe293bcedacc3dc7bd35028ff34695d3b836596b1c01ea3f16710022e73d4c7a044da8fc2ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
137094a3453899bc0bc86df52edd9186

SHA1
66bc2c2b45b63826bb233156bab8ce31c593ba99

SHA256
72d823cac2d49660cdd20ebf4d3ac222c4dd15aae6e5ac4a64f993ef5c4fdd44

SHA512
f8f149c9eab06e8d7e1aa62145f0fc588dc36fc521ef4dceceb80a191b72d79586d920feb5f3b1d19595109cc6d608c143e32f521a4da1068c708a2538899ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
364592d2cc18adf665987584bf528cba

SHA1
d1225b2b8ee4038b0c42229833acc543deeab0f6

SHA256
bd97dd6797bb763681cfb1fc3cc21a44a273aab1d9a4f4f9332675c662d2136c

SHA512
0e852db825e451464cbcfda95eae2dfe780874bd20e7b467604962428007d1735ece752aa5901d468708a68d66d029271d5567b39c530d2d44b875abbff9aa40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a3dd6830c7b86525fbff89bea15b01ea

SHA1
9795651476107d2dd2ec0157e0d9627549b02242

SHA256
5c154f8a6b81eedafcba55677c0d65784218e234c421c31b9cce7d2a8d7799fb

SHA512
84a82ba3feedbfe91ae47b9fc6c73d15404695528f8b3e101d4f3b15bc062ce211845254000c07ab6f31dd1ea3544291eeb8583889009bb5a679b065b2f76b2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
63d6a73babfb6d1b80ffd4f632c0f76d

SHA1
c973f63896cf1ee5c64abc571111673417577df4

SHA256
fe3208ff8952bc2d6ed4a59d823f8871af26c439b2bbc8c671ba203fcba13acb

SHA512
27017922534adddd69907f7ad13f88bf6685c35e4451eced4b763374d119310e7065b63ca16eaa63309006f5ee773d4f30ec4f204fb0ce543cb51be51a4f692f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
380084a589aaca7a61a642cafec50291

SHA1
29e4b7d240450fa821c81b62fa10d518c175546c

SHA256
df5f43f7a98871685392001917159fd07af5ba4003b6ec84add5c9e32d61c7bd

SHA512
f9039b85d20dacc8752cb35afe63429c792b3302493d4a391a2b502f594a2b99d9ca7af1aaedfe4b22663bc78b3f320f4cc0183a2528210d9341d1f1af0fc6e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588102.TMP

Filesize
1KB

MD5
1622f387af8db495d6724448db5c6584

SHA1
34178c6b78077ec80cf00c2e5d0e631f5313f187

SHA256
ef0ccb7d8ed0535b4bcf1cf92c109cfcc232cac47f82ed796861d27df8a10807

SHA512
83a8339164f223a9de8430e949aaa7bc7f30c597d21b1d01a2f45b92c2fbec055a4ee4622e335e2c9e8297e132875c2d43e41c13d7de65340955f2aebf02df6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9db37c3e809205b1c5cbc84e465744cf

SHA1
b4ee1539f8561659906c235267c1c2263dfb9c5c

SHA256
0301b699c0d06ebe411613f95283fcf3ed304373d4c4c267ed990c15554955e1

SHA512
f6ac4887138078c23e52992f2dd143bffc475efb82ccb369504cd8014009fb376ea9272a2adb5311063412d7d2103c6226e88320202098a82877d903ed5026ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ccfb34098cfd39773d520c5e4fea2cb8

SHA1
132fa8d2a81abf2e874ebdff8169f4e724f1b8d8

SHA256
e12cbb4bb9cb6a614e590c0fce2d9032502546f4a9d4ccc215ba7b9c3c4a6455

SHA512
20c3794394a0e43272244a9f3f8af5849bd61434e2e592610c84841486c2d645cc2e936be20043da93efcb28ee4a8dd06636cc606526d2b7c1c2a9e80b92eb51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bbaf66b6add4e1dd076546ad04123e48

SHA1
7d4c9d5d9c6649dae9c121f6938d71587ba773dc

SHA256
408638f0b27582f66b551646bfeb0268357c61ebb94a990a843b0237a101f21d

SHA512
ed5f07dbbad3724bd7cf1a73f6e4fd9c7be2f29be77cfeece211382d45fb6a6487c4652e1303847c5cbdcc9b8ec378f5ec22fa4b3bcf07f4355d59495d4905d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c58e483b03ccd80883553da71adbff42

SHA1
d957334ea9cedccd085736a30c377e45a8b8ae66

SHA256
4aa5384da91100752c7b13d4002bb6e523556e15e331bf13920a2abb41894069

SHA512
cb7633c4afee056e0b302acf5af2910d31f1c70f868047cedd63b3f79505450dc529c1c7e28792a75e034f2cc6d71830941bca0c9062c75d145a7c29ebdfdc72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
c063f3444273bf53e990527422550ce1

SHA1
56ff7a39c316a3d6c764045c291e37a4b75b2acb

SHA256
c26ba2cdc8802b506a920e571df65f54010d255ff4f2caea3dcd3b1c599b50a9

SHA512
a88a8aa4fb49817bcc664418dec10400b4f7de71edca0d0d9e7e330522607724cda2deaa7ee9ab868c3ca48c40194933699e5a262c9359139f5966f36ae7aa38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
16KB

MD5
237059ff990dac79f26ae2df66d6703c

SHA1
5bd5a3c154f26f786e04fe7b98412ba035d8f547

SHA256
ea43a699b12c0247c0596f0e8fa68886a15663db8a0f53a7eb4422b95263277f

SHA512
5c251954fb2347f82ebc940b553b9eb90f922e5c184b90879e2b9cc223ca009ff3513980e0e82b17a3ada6651a43596a444a56e0c7f4e1ea3350a2d5547fa7bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
86dfc23a98fa050c3c30c3285de87c49

SHA1
9effe9fdc0a0228c4fd077599cf489b695f5a154

SHA256
a6064b9213782bf3d4160bbf1ac5f98c5279e682ae40e330b1748400ad952fde

SHA512
e7460c8467a5a738e5a61ee281229920691197973e632d66712481565c96d70c9cc3a3a6ab8edc08da066cd3068b7eb433bf5213a7fd8b068ab804fa9f586441

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 886610.crdownload

Filesize
47KB

MD5
656505d22263b0451f08ef259be2fceb

SHA1
a044d94b6d8255517bcb6c836b20d78a3228318e

SHA256
5e53e555bd46d7c18cd7c81d0ec653fce3d6a143a4384639d3620dc48a84a719

SHA512
aa4654460561d724234a7f9ef30ce371f907b6c2681449e2dac997c48bfeaace8bbe33fa5f67495e75d4412fffc546e25326ab0fc830162caf8a6d19a189ba39

Download Submit
\??\pipe\LOCAL\crashpad_3284_ZCFQLALNFPKYQAZU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5228-490-0x0000000000990000-0x00000000009A2000-memory.dmp

Filesize
72KB

Download