hxxps://bingwallpaper[.]microsoft[.]com/mac/en/bing/bing-wallpaper/?brand=bing&var=1&m=1&pc=mw011

Analysis

max time kernel
124s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bingwallpaper.microsoft.com/mac/en/bing/bing-wallpaper/?brand=bing&var=1&m=1&pc=mw011

Score

5^/10

microsoft discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d7a21610d418db01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{96CBC653-0A22-4AC5-838A-8CB56731ED2A}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{67E60C90-B1DA-11EF-BEF1-FAA11E730504} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3908BFF2-B1DA-11EF-BEF1-FAA11E730504} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff07010000790000008703000059020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{483C8154-B1DA-11EF-BEF1-FAA11E730504} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\pkg_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.pkg\ = "pkg_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\pkg_auto_file\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\pkg_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\pkg_auto_file\shell\open\CommandId = "IE.File"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.pkg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\pkg_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\pkg_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\pkg_auto_file\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4712	msedge.exe
4712	msedge.exe
3824	msedge.exe
3824	msedge.exe
4360	msedge.exe
4360	msedge.exe
3952	identity_helper.exe
3952	identity_helper.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2272	OpenWith.exe
5580	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
5772	iexplore.exe
5772	iexplore.exe
4312	iexplore.exe
4312	iexplore.exe
4312	iexplore.exe
4312	iexplore.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
5832	iexplore.exe
5832	iexplore.exe
5832	iexplore.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe
3824	msedge.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
2272	OpenWith.exe
5580	OpenWith.exe
5580	OpenWith.exe
5580	OpenWith.exe
5580	OpenWith.exe
5580	OpenWith.exe
5580	OpenWith.exe
5580	OpenWith.exe
5580	OpenWith.exe
5580	OpenWith.exe
5580	OpenWith.exe
5580	OpenWith.exe
5772	iexplore.exe
5772	iexplore.exe
5892	IEXPLORE.EXE
5892	IEXPLORE.EXE
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
3484	OpenWith.exe
4312	iexplore.exe
4312	iexplore.exe
5528	IEXPLORE.EXE
5528	IEXPLORE.EXE
4312	iexplore.exe
4312	iexplore.exe
5628	IEXPLORE.EXE
5628	IEXPLORE.EXE
5832	iexplore.exe
5832	iexplore.exe
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 244	3824	msedge.exe	82
PID 3824 wrote to memory of 244	3824	msedge.exe	82
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 3904	3824	msedge.exe	83
PID 3824 wrote to memory of 4712	3824	msedge.exe	84
PID 3824 wrote to memory of 4712	3824	msedge.exe	84
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85
PID 3824 wrote to memory of 3936	3824	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bingwallpaper.microsoft.com/mac/en/bing/bing-wallpaper/?brand=bing&var=1&m=1&pc=mw011
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8236046f8,0x7ff823604708,0x7ff823604718
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6516 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12108184945692233053,1105306445813997677,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4200 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:536

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5580
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Bing Wallpaper.pkg
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5772
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5772 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:5892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3484
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Bing Wallpaper.pkg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4312
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4312 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:5528
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Bing Wallpaper.pkg
    3⤵
    - Modifies Internet Explorer settings
    PID:4940
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4312 CREDAT:82948 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:5628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\Bing Wallpaper.pkg
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5832
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5832 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
a64410842d8420149942a5d470b6d5be

SHA1
1103c3b1d71819723b30937a6e8d3105e3a12f32

SHA256
6f441a75ef18130ff2530cae843e2e45d4bff24a22138ebded21c667060db74a

SHA512
161a96739600547b2ef4175910199eabc4d8587ee3dcd3b6b6dafcb45299efcd3af58a146ae558d3c9553229816b7d2f05c462ffdbf2254284816b81641629eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
981b3013278025c5cf39e5675bb43e1d

SHA1
9031ee58e28e3c2d182c5f0c228492f702c68d3b

SHA256
7483cc31ab254cfe06bba5af1978b1c0ed7ad4af10aac79e2fb305346a7d18a5

SHA512
ab0438fa63a9eb69bb14c1665fef557593d1c42b48dc08c34d44ad29e774491260052a00d2b3de614dcefe295772591370adc473aab1df0bb21f988882b6e506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c22f0cf99f3a5b1f650df44766b3fbbe

SHA1
9397d16364aad1bb3312c3b79046a5a39cd12051

SHA256
3f7a7eaabc8daa31344a649a200eb3f745f8e181038ce8ec6b0e605d57beb1ee

SHA512
20c4276cd26a227a20592f4ed797d28265f3d490439f59119e10566f5675eaca90ef88258b180668d2d1940a217f3f790715ce9388ba2720b384d4f2d7313dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4591798e4ce041cd8abe68f33f0cc90f

SHA1
0bd83924ed6af5c1726bf37f00462bdd5966cb70

SHA256
3d8b186f098ac157f92ecdc8d36b3e5b0902907587e1c6c09b867eba26476147

SHA512
aad9c1416d273cee8f582b4616a9f6320e1fd9e0d78f5dd8aa17b1d8ed625d73cbed2847ed8c3ef9de4fd6dccd5063b737b8e7111c85c9880083957319bdb505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b652f39bcb98b17c1f1120e43dad1898

SHA1
99c75ec140a57b2744d2ee2c0dd633f5a08527cf

SHA256
4dfcc369363b7e7b971e196ff72386c5240cc5738138d024e9a52fd5bcd4c290

SHA512
a0db9cac3315e5312cb062683e22927913d79db88e1a8cd74106560395f8d25758c36b70ec04ac11df6dfe80f227326f7773f73c9bfa8236f2aed9dc161d8a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
917724a7da00e03fdfca0beec5a41c6a

SHA1
164c2c01331d06a972c266f70cb462bb18536461

SHA256
67b1d7455757de2e1a3027eaf7c5d6441e4544225ed4215b5e660317549499fe

SHA512
91fb572209e10dfdd2d73e6781df505a6bd758d3ecd2920f51de7fdec9d381b7884d4a0485a6f7ab1d4e8d5b261af2073f8da72600e975bec62c2249974b63bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3161f55fc881f07451ace6a8e1350f87

SHA1
8c33104f9a4359dcd005c1cc5e8bae2e2734b3a6

SHA256
0359b3ecc1f5118ee24fe558eba9fe15e6538b81dd918ca6162db9acbc75068a

SHA512
c368779c0246ff21bce4bd1f05d2eb0de46f7e77ed19f78bf76714cafda9b78164b798e18f17dae0d747c4222c23e3fe99fad42da586a85bb2a989caa604abcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f30b.TMP

Filesize
48B

MD5
a4c7c081c5274afff2c4f8ea9c39b833

SHA1
b63d6d6c591c6ce61449c4fe23488ab8fc9f6c3e

SHA256
d8e242b405d63e1a5379c88746101efcd6228b24044997a8b1cf3e6a1913697b

SHA512
a0fab1e3da020b3fe5bbef780a6d6f6037861d27838ebf6da3708231ebb3ad3a2919fb255a0a0215eff0b5f9a41aaf58cc921380fdff7a35afde78c1efd37c88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
093ec44545762ac00fda0db9a83c8fe6

SHA1
bcef20c4469e0ea4d9de9f1443fcc37f25a5b5e6

SHA256
3884b9bd665a5a8a12f3d9a318c76d4ca2d20e8956d3184c44f8530eb28969fd

SHA512
5a29606ebff82978dcd81ee97081cb479c8b530cc00885add108eaf62f44f32c863e39ef06c1422666b844106ebb26649f5437771c6dab3746fa8d90c5acc197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1024B

MD5
924ef902c130d8f7d4ba7e43b115daac

SHA1
15ac5bf632a9d5498f6c182cd85f8d19121338d2

SHA256
7d64ee9099959b7121424e286524c80f6ee607e86cea31bac8cf65f85c60e4da

SHA512
beb9247bb4d8373b7c4f2db0586e8514e0481a51a4ec901dc86ce2c41a48a52cf514709f4ee8e381639550ba4b3da1fc230ef46bf241078ca5fba6de28906ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fe65.TMP

Filesize
860B

MD5
357dd7e0a819526801882b679d7f9fa0

SHA1
c3f35a41320216be046c2a55ed615950cedcfe54

SHA256
13ea845423d7fbac960f7f67b5d8f5a3cc0dadd5fe552a52a84215f22e4a8e85

SHA512
3baa6e3118c6fb44b67289b76b1d57e1c6f54623d5cdaae18295d6dde76d72df1f14e5c70eea6671540b78e392712a3f40d24f0befcc6ceca0e5007555b8a243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
24aae6575af5cd831b34615b056a5827

SHA1
ea8e92b66402a8c02cc64e8886d9884a0d487c4f

SHA256
4736f57d557b7f7a7603f3c076f003902d468281067a95b12586a0c06d2730ab

SHA512
82396aaee6d941f2d85c303ff128138d5e7580c3e8c0f7c315e97ea60724a9102fefaa705aa42128da5e4bd9fe4552768b1ce7bee944ba34d0eced66a500903f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d92a9755d0ca717e076ba76752740c78

SHA1
5427b917b75e8486166074bacc2bb038cb874407

SHA256
0a1dee3d87ccbdf979706685ef2c03b6ab0ffce20e12f8fd536007fd2e35e7ae

SHA512
1559bd2515fd4cbc067253adbd7df524c994c63a80a8e757e1007b28ec9fc33bb97aea703051217cba2b1a7ae5c8517d9cf73bda97298675fdb348baa41476c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2d34c6e06c609cbd6e2be82b09c7cc71

SHA1
8511898de539cbf752beffd6bac79a19ce3859b2

SHA256
d27d9b800e8c1e3eee2ddc6783efb56e6ef02a53fa73c1477fa0937e4c791431

SHA512
e462399f56ef9fa5507707981c2413021db291a88430d639ec84712fa5530a4c0c52aeb881ac38d9be3297f796c70a97d24212826eabe42304b11739ea9f4d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF2D4842CC6E5062DD.TMP

Filesize
16KB

MD5
4dbcf37ead0627771c7669dacc4474bb

SHA1
41315fa2a4365a5929c435915f24acd7cab0512c

SHA256
f4e8a9971ebc9774ec46a7916eb5af39daef826eb741f9cdd6f668337a843132

SHA512
e34baa46a4afdb4e29eeb438b94e81da3130cd7ecb65d76c2e5fec6c6fb7dc7085aa777ef4da736d3782746272bd53a018a61769f85b9bda2f4db5c42673751a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 436772.crdownload

Filesize
11.4MB

MD5
05a392bfdee600a5461d670255c17edc

SHA1
b2e420a9bb00cdc18ab457a066fa1a6125928418

SHA256
c3e9d7ccccabb58df1c2f9671241198bdb5b3b2038b23898d6550ae41f98d8f8

SHA512
f280c6f95ac65fa29fd634ac0b6ac342b37b19f73f995e23dc256d78ee7e4d636b86b694b21416a2b9ae3c3e7ad7d0feb78ef848f97dc0fdf74a4f1dd363726b

Download Submit