0f6df162c48b5fe2550e39ac4bfdb76594597baebc7d9bba4cf0c00afa36f236

Analysis

max time kernel
288s
max time network
290s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-12-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SmartSelect_20241211_115832_BurlingtonEnglish.jpg
Size

361KB
MD5

dfee581b4951f9447a5f11b25827e46a
SHA1

3329fb92129843edb8b2e7ccb0d85f79878fa428
SHA256

0f6df162c48b5fe2550e39ac4bfdb76594597baebc7d9bba4cf0c00afa36f236
SHA512

0a7c091539a6754c680d970fce1f849af314be874aaf275c040f1b7816582eda6688550b5d62be5310e7a0f0a8c0da3c8e7a6c334100ebbc92c7f88464edf08e
SSDEEP

6144:9W8Zn4nyE6x6fffffffffffffffffff6358VPAC1Fl+ZXyfffffffIffffffffxR:ouk66fffffffffffffffffff6358VYCs

Score

7^/10

microsoft discovery phishing

Malware Config

Signatures

A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	cmd.exe

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\825921ec-32fe-4bea-a873-2f19d13b8011.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241219105821.pma	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2328	mspaint.exe
2328	mspaint.exe
5204	msedge.exe
5204	msedge.exe
5408	msedge.exe
5408	msedge.exe
4260	identity_helper.exe
4260	identity_helper.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe
556	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	firefox.exe
Token: SeDebugPrivilege	1644	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe
5408	msedge.exe

Suspicious use of SendNotifyMessage 42 IoCs

pid	Process
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
5408	msedge.exe
5408	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2328	mspaint.exe
2328	mspaint.exe
2328	mspaint.exe
2328	mspaint.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe
1644	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 2328	4560	cmd.exe	82
PID 4560 wrote to memory of 2328	4560	cmd.exe	82
PID 2348 wrote to memory of 1644	2348	firefox.exe	96
PID 2348 wrote to memory of 1644	2348	firefox.exe	96
PID 2348 wrote to memory of 1644	2348	firefox.exe	96
PID 2348 wrote to memory of 1644	2348	firefox.exe	96
PID 2348 wrote to memory of 1644	2348	firefox.exe	96
PID 2348 wrote to memory of 1644	2348	firefox.exe	96
PID 2348 wrote to memory of 1644	2348	firefox.exe	96
PID 2348 wrote to memory of 1644	2348	firefox.exe	96
PID 2348 wrote to memory of 1644	2348	firefox.exe	96
PID 2348 wrote to memory of 1644	2348	firefox.exe	96
PID 2348 wrote to memory of 1644	2348	firefox.exe	96
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3272	1644	firefox.exe	97
PID 1644 wrote to memory of 3980	1644	firefox.exe	98
PID 1644 wrote to memory of 3980	1644	firefox.exe	98
PID 1644 wrote to memory of 3980	1644	firefox.exe	98
PID 1644 wrote to memory of 3980	1644	firefox.exe	98
PID 1644 wrote to memory of 3980	1644	firefox.exe	98
PID 1644 wrote to memory of 3980	1644	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SmartSelect_20241211_115832_BurlingtonEnglish.jpg
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\SmartSelect_20241211_115832_BurlingtonEnglish.jpg"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:3156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3336982d-3683-4200-b12d-01cc8c103859} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" gpu
    3⤵
    PID:3272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11a4075b-05fa-48b8-8f25-d61ad53696ca} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" socket
    3⤵
    - Checks processor information in registry
    PID:3980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3176 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3188 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59839013-c233-468e-994d-19c3d825ac7d} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" tab
    3⤵
    PID:4200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4172 -childID 2 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {618ee7bf-a1eb-489e-a828-dc16a3fa68fb} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" tab
    3⤵
    PID:384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4400 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4408 -prefMapHandle 4412 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34bddd11-2bee-4681-a384-5d86cd733733} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" utility
    3⤵
    - Checks processor information in registry
    PID:5424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5328 -prefMapHandle 5356 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70c1399a-989d-4d8c-9138-f6f0af9d1eed} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" tab
    3⤵
    PID:6100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 4 -isForBrowser -prefsHandle 5544 -prefMapHandle 5552 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3043b686-a96a-45b7-869a-11a8d4c97728} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" tab
    3⤵
    PID:6132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 5 -isForBrowser -prefsHandle 5784 -prefMapHandle 5332 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {080d02ab-674a-4d8f-a032-5196e9656601} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" tab
    3⤵
    PID:3960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 6 -isForBrowser -prefsHandle 6064 -prefMapHandle 6072 -prefsLen 29279 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {067b4d32-4f94-4afd-9044-7f4409fb9a98} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" tab
    3⤵
    PID:4036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3920 -childID 7 -isForBrowser -prefsHandle 3568 -prefMapHandle 2568 -prefsLen 27180 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ae3ce96-cdbb-46d5-94ea-4e2c5475260e} 1644 "\\.\pipe\gecko-crash-server-pipe.1644" tab
    3⤵
    PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffbc4f946f8,0x7ffbc4f94708,0x7ffbc4f94718
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4936
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff7b4df5460,0x7ff7b4df5470,0x7ff7b4df5480
    3⤵
    PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2536 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1148 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1420 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4620 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,8612852386374053992,13629960824368292342,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:2644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3ba19ad910e6550118ddc44fb5ddcda8

SHA1
9242e1a78437953867d56a03ec7f61affbd4a193

SHA256
b65829904bf25b0d7ddba4e313adf82e7ee536748106a430758bfcb71ff1a505

SHA512
f963d0e56496f0d0078e429cb52f23a7046d78e830a79a2e086cd7c8d397d92118c4082b055b78433e75631c12ba85e69a6d52c73b9dbc5a3a8b55e0ba3f73a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
165b9ab5b6100e149d42942970795741

SHA1
873ef2b7bb080cee1f9eb80920edb54a235fc326

SHA256
fd01e423cf1b8c61bbc4e1c63f3cd70a81586a9d03a88eebd6ec3a16a1910364

SHA512
5ba31ba647b158325e7282ff6dc83e683b62895a1e3ebd5445a1f121d6d5fdee4b39164514f7c442bf67dbefcc7965c3ee946333e77047ced40df144aebef9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3b681f1b553061b1d406dca73509e1

SHA1
1d0902a780b041766c456dca466ed6dd88db979a

SHA256
45099d50c298e321f628997d58aff82c1f91aa302cb6a46f5c8a2819a53685d2

SHA512
b6e59b2da8bce61cdb2f0bdbe6dd0486c68bb583a1066cafb979314c4c1baeab4136d9d958e9e9ef3a36b1d7988ae8518080b8aff9748c102d05646aea914283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
fe0551a096cb83e4c1a36a7eca37d6c8

SHA1
eb999d4733ec5828658eb08bd38f859d3b552ba8

SHA256
ee51b1753e987522f00be615b71f6f12dade11f23cf01a38fe959d2018bdd17e

SHA512
01a4dcf32d61dfd35e1e0bba271e97d4506fc6405d4d570236f4f1cd178ce59c24ae35def4a579e3742ed4b7ebfd776ad6e8518fe49d8acea8c335be97adc63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1ff84b547f51983ebf70b57c3eb28bc6

SHA1
73e50d567282a249a31db098d8bd7d5b659df5fb

SHA256
d32e8090927444a94435ba7d35aaa68baa94444fe92da4a5f95f92f4c1588942

SHA512
4d5615427f7411ce8378ff064fbe2454710d47269975b49481a3db3ea452301a79b6c17a48311454b947562ce4070b4e70f7a9fcafab47d478679c9bf3781c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
df73d74a786c96c4ab46dc3aac534ee8

SHA1
19cdafd39d6541568a9c0efbc5942b9579caa112

SHA256
4e83a4de35da44f0ef897daa33360b2e7025c03070cc980d68b4b1e1d0363e02

SHA512
5084b0c0ce2ad7380a14765e2b7f6be771e3b18ad2c807e00f0f2f735c131f4c9ec8ca636adc983315cba0561cc827c472e894654bd208ae18f969a22e124f4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
950B

MD5
fa653a6f02f94d0c778ec9af9bcebd4f

SHA1
16b0a9ca03a860b5bfc4f416ec3d247dc00ee2ab

SHA256
1c7569a046528572e441a430376f1267c1ae8bac1a11f0aea94eb5ed819ba2d9

SHA512
ed9fba5f76a45eeec5b1b64f1d86789bb9421593f96a9558bb58a663ccd5acedb79099094652d00dd3629cabed7584a1595ca4e8a25d063256d3f3cbd1cb89f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
950B

MD5
c08455a9d92c4198125eb8d92fcf2d01

SHA1
8085172e0f7ca8987b779b564ff47d26f55f55ac

SHA256
3aa59c89740bff114dc9a5b0cd20971d98db764bb32caa268aae427d6477dc7f

SHA512
c90a362592416b277ff3cf1f3fe901ef1134fd8091173d1ad760ead359b4b5a651094a754fee6b517fad2145a4fa632bd726e8033822e1f1f06c05e226cc44fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
891b9f945be3e1a8b259fb9821e643b0

SHA1
44fe9565e4b499da9b4a81fcf3a260e6d614ade4

SHA256
6eb0ec61c4fcdd2c972128032e9faf087acc0c4d270fc50672e91adac2d5ad1e

SHA512
92bfff09d3265e68b4f885a8a3189cc1419c3ad50f498c724438fc1aeb821789be7f31fbc154ced32cdcb25d6105884875f51407be0b678f4f4c8fc8bc6243c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f394a8ba4861506528f285ff5c78297

SHA1
889379fa15d7bbe140faff145e23e00008ff9f04

SHA256
691c7d16e22b5b0752d7dab4a8de6189c678597755ae5fbcdaf36088795e2cb1

SHA512
05eeb72553dabe43f1b0f7b8fc0e59561df46157f3b49b2166ad0db0491089431abd8ad673236a95bf68262a54a400493852ee2682f9d520ca48ea6e29f20d43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6a3847522682e6bfc323777384a5308c

SHA1
51e45a4e4fa2f7caef3488369ad825c074146740

SHA256
63dc4d0118d46e8a30c9ab1458c47df41be3abb4bc69e6de60ab21e655416aa5

SHA512
6a8cda14d0e53d9890fd9f92208b9598059dd92a07e0be66797682f5e967bbf6f014bc6dc3ed1404f22410f26fa4f59361677c04d860f31a58c4e5d3b652f300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cc745f7cbbb44e8217b7a0830e9a2954

SHA1
e2e4bee7e07fa0e5079b60bd2bac972bb79903e9

SHA256
42a9eb099d1c51b08889fd094848ae3674398c389bb529e62c8bee318f492ea0

SHA512
1624ecf76a2a6f381753bf08f6111efad84cc4fbb1452b128802b07279428b1b536c31f8e4dcbe736d22516770357a24562ebdd8d2ba7b0ffec4861644479457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a76d751095b989f7162bf3448bb3aed3

SHA1
f749d721a47e864431faf5ccc1e39026782af4d0

SHA256
8ae709c52dd22726c8ef06ff04db8c1f8cd7f67b73ff12d8bbe5d88fa66e5d25

SHA512
a13e1cbe9476b0b6e8d20fe1c2f52697e0c5b108a05806aafab3e055ef6007081cc11c0f20971f5f16d5097692ccd30c9cecf9957b3db39eb2ffbec2ef17dc64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6ad8e091d2ac1a0bac33a99de71bc317

SHA1
db6d3282b0243c0772b5e01514145fa6dd564ce9

SHA256
f7c0fba02d19b97b18a3db7f5d73306560a5546e0453f6563ca9dbc108f7ea0e

SHA512
7a0b589658144344934e9d4010177d73d5155374260732d885cb40db1a92c4f60c437589a6f9981fc9585f682d8781fb266d027c6722c0f9659c4042dfc6be68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
524c0eba78201e8faad29c29d0a611ff

SHA1
b8d23f3f70313f9f0f8c1e293e70a3f8173adea9

SHA256
693ac11a04057152b30e8d26dc646186c3e54bbe397122b457374d92620fde52

SHA512
5481d83540551f9999d6dbbe94c7ac200b53bb81e5d9a5a94761274332a0b4e4aad05a9689fed5b9ad6fb2c1d06f91e2730eaa4f53950f8e14cef5cf2af452ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
eeec2e8fdb3d10926be7f7f005a6add4

SHA1
ef91d915a57451a526ffde4634f1152c6a751104

SHA256
3a35c99ef359936c246b01412cf6c3bd0a7b190fbfefa584d62cc27e6f6522b1

SHA512
c2044601211d75abf5bea962e73760289ec660326f7e8fce5a588a6a7672923682fa45a0876f197ec75c943d780bd06649d1810edb8331a293365dcc415cb4c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ed74bb7acbd7a0f676070e4f59f335b4

SHA1
48abd1fa22b836fa0dfabe1711ff2ebe110690a3

SHA256
c18c6d44369c7985cf58459b54026315eda7bb4d4b79a12afef3ef2a7f91e105

SHA512
3e127193cd8638e4165278bbb7b4d07c684aab4dd8a8e9721f74389e4f8ab5e00ca6249d1f4a5fcf999b8bd49c4ffbe5d8e74230a787c3ca0fbb2ca659c52245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59e7b6.TMP

Filesize
1KB

MD5
1d84dbd3d72fb14219111482407fa4af

SHA1
4755b34188634a434e582a77c6a2e54b2fced175

SHA256
c1c62dc1a4c09f33423ce9d04815d038cdb98ad9f532cf7eb92f9e1bdb59547b

SHA512
bcce65ca7280189e2deb2dd50f2ca105592f8440e24529d0120c830f54af1187d286894575addacfbd15c5df0ab8e3d2ece4a33886067e38b8b8b9e6b346f3a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eba5baadaa8cb48dc0c29755d845fe8c

SHA1
925b1538cf049e2e8a5b317604761cdfbc4fd6a7

SHA256
bc95837b3aa63acc3aea211e918efe2092ad1f4c028acca37c1a5a03de3ee3d1

SHA512
69a48bbab43d3af451cc99dd9a4d9b728c7714ff6d5297dc8817a6ccce38fe137f0e45e0115b7802b65fa047b3bc8f32656f7fb07f2f165e6bb48ee0b9b43243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
487619b27bd6576f498480e7e89eb308

SHA1
96d7dbd46a3ddf60aee8544b149a648dd75d0a48

SHA256
ee59dae26a92e70f695c839bc2e64b69d9ce4c60c32259b494865618201c314a

SHA512
4b63eae840b3818ad706da00e20011047394a0316f51b260c5c66e8bf012af17a4a10c70f0d37d592f46f55ff0df6653409da4f54d7a50ac8c33aab0b752dd7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
1eaa18508b37e1aac796106a8c88eb25

SHA1
453adb3b4908fe7ff53a5dfaa86eb15c37ea7365

SHA256
cbb5c50b32c730b1de3190535b61f6c8d0c5b8a9085e01f156206ecf3796b200

SHA512
927ece759bac738ca61e3653c203d88cb20f613fec2fc87818d65b970799d45f6428fd5107e0dd92dd080a2104e0b091e7b0d5a911e0aea6ffe142effbbce548

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
ecfa0a1fb3461a7b48d1625e503d2d08

SHA1
c09f10bfbd2eb406a002d9423ef2adc08ff78048

SHA256
2dfe2d03aa69cb6203835a34f99d52b3f1fbf8bbbf23e5b3062ce345c3f26f00

SHA512
fa883e0c340f929b7b47cce7725edce4dea68bbf84e598aaa23b02955b2eec23b0819aa15daf48211e1b0b2fd9970dcd0406b3fd642ba7f3cebe7b4732122396

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\AlternateServices.bin

Filesize
8KB

MD5
81a39da2b3b25d3f0b22044ad7aae579

SHA1
fbc25f9ffa42fe3d5f88421ffe6637230e516651

SHA256
043b8634ae4aaa8f2ea880d351e0ea0a37846800497a55eee9fbb2f132ff1aab

SHA512
8a5235f7e012c90daab89d28cd4681b9731b6f4b4477670dcd27815f0c7915ea4b841f1ce302a03ee7717b48c18fb998d1c14d5ca07c48ddd0f9cd9e74d029dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
39KB

MD5
2720dd32545557a3913ff874f59fd084

SHA1
b955e5b34daa9916380a0fdb9e3c3efbcf15fdce

SHA256
4cf2675c017a96ddd250b530fbe8ca2fdee9f6999eaf04c5edf0f5831e269c07

SHA512
63283e60fa9ead3d6a55d1e6f79cc92eba01f885bc1571ebc19b4afb9f41bc0ec23c8c661ab3fb9d4a277b7aceb508f5d7db0bf702cffb2ccc96945e4af2140c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
29c04bd475a7a07c09883a56d373e59a

SHA1
e1a61f1d5824d5571a7e76d3d5f7090dcff1c63d

SHA256
ebc05d994323bcaa33188ca8e582b7630ee45fcf91226547d3042aef09fe37c5

SHA512
7d0eb561f82ff690fc5523fc40ed28199b797a72a8b13b8956962a8e1e86acbc96389f288a2aa97f8c825b1e64bc761ed12835c9a9163446300a1542d9abbf44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
a6194ed3275ff147c4f6bc776341e746

SHA1
2960ba32b60454d164c7faeabe81ba00812100d0

SHA256
965b7705617322fa0f908ca5a570e82a1ce6f6fb122dd860459a6959fda97c30

SHA512
81d146f28def7c70120139e38a798bfdf6a6a9829ecf7ab344691e8d2484c454103b4d22021d4b6528d0be5192f21a0cdfb780704ed937b79361c027f2ef5f44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
914aa455d6634485694ad8930d415d5d

SHA1
371644380b4f8d77504494d31ba7c36216186af0

SHA256
d8977849e173dc5641eea733931d1f65a1e90ad7f532786a33c70968c0632a40

SHA512
b11ea7051bdf7e689c616f0d82d195e497546aa6aab16dc3cd043dd799ff397eb3d73cb5456d89655f0506cd2f15e249fdde6cc3244ed5aad367e3f6828957ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
24356a8907fd532e8ba040614e62a900

SHA1
139813ccb898d381aecee6267bff60618fe09f97

SHA256
bf2f67716362fbcf16fd68f4a51551de9164e82778f8f77a03c98cb269786ec7

SHA512
750bd50114c056f2770ec3b21d54bd78249e9dd81eb69cd3a0387851b72cf24f30e3866c43fbbd4cc4370968d56aca7d770caa113582219c0cdf2c67a465127c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\datareporting\glean\pending_pings\9d8c604f-309f-4258-9a89-a8b2b9079758

Filesize
25KB

MD5
1516bd039826cfdb5afb875e9e6a0154

SHA1
314a60300f3cbb65c5fb4775cff892922923048d

SHA256
5926b6e749da2a031ab64345f86e67c5edc500dbe8204b8b2afc14c1da7ad31a

SHA512
9aee7b6746970c551799577b68f53046683238120837483ec870ccd99bb5d7d8b253ec17040a474cf265d9cdff4af00c9da73940ae299a7f0a5033f90d04d289

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\datareporting\glean\pending_pings\f04519e9-4a47-4784-9058-2bb7b9be093d

Filesize
982B

MD5
61d7286407f79ac119f6f7e4266a057d

SHA1
cb8364165fa76e2d1a3baa1cca815554ed7b1b0f

SHA256
c5e83ca8da974509fc7b36108c45d2c42d02e8b8c0d9fc87b95d33bcce2c63d8

SHA512
3c5fb02e5118d45480895dd353ad3795c4d77cee2c10ea043dedfac9d0b27b514b831177ecd4b86eb399dfce49794bacafdd4594b871bf41f7fd9e0eba7f6ca7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\datareporting\glean\pending_pings\febb7a1f-fe90-4ee6-a642-80878a74c5df

Filesize
671B

MD5
8fd419f86414ed44f8a467719882e04a

SHA1
1e13792613ef3e4565d8faac696a34a1c8c5b4f6

SHA256
635334ce5e700707ea8261790bcdb557b6dbf032ba290b177a51ac111a396ec6

SHA512
9cba429e2521d9b0bf93862f72f482d4297decedefba28a4b938b84054181791af667b4f9b85a7e39a416abb014ca8cdcbb7af989c6a9e5c6f4336b86cf9c492

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\prefs-1.js

Filesize
10KB

MD5
6856dfcf52cc384cbfda102aef35d4c0

SHA1
b7f07abdaba7746219af53c0f357c2cf985a9c8d

SHA256
d36e5b2dcea1f0f11730d72dbcb4c0335271ec6c7f405e468e1f5935f620f78b

SHA512
82348dda7b31bd8f40cf5e2068aa876f7b22e5294e18e6829d5245383548f225176cfa6d60019948174e6a22de203cc8d7a14db65f43c9329022f8a486960fe4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\prefs-1.js

Filesize
11KB

MD5
06109e2cd11a72fd056ea107e9a036d4

SHA1
81e1724219fc2c07565aed5adcde0107c9395673

SHA256
44afc6fd1a72b4ac9320779688170ebf2bf94c09f2c3d3b1bd6e7fd9428ab65c

SHA512
505c9f3fd52c58fe1b0a4c98ba9b56c94731840368589c9ed182c77ecd74d5058c8d21cbe81cdc4dfce88102af863dc67127bbb205d20ea075f3e0bf2119ff16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\prefs-1.js

Filesize
12KB

MD5
5963bd9e201f655ab945b578816e399d

SHA1
eb94fef2a145a4485a7882db27d105d868a9c7c1

SHA256
9fa27ef7e1b7a290350b492c4f6541fbbc96712f06579114f1f14703622fd855

SHA512
0c1c7d9d25c4ea179c0dee565131eb4b5247a687e8b2039265e7e20c63cce1bdab3588a0bea1baaadde5b355c8c8445080c63956e100479ae009dd4a2a662b30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\prefs.js

Filesize
10KB

MD5
9f2f2ef0c1f295d8770f6905e7a9caa3

SHA1
581681c08f20a06fd860767711f72d56e97b4c95

SHA256
4b5f829376757c8050613d73441fff626d13bcb4e3751d3b9093eaaf9f66f7a7

SHA512
40bcee85787154b42453ef20ad179233b07b02d90a02d25148683009aaf9f1e7964522b253b58f08ddbf5e6b3058ee7d47bf6c14bbed743765092b69725bb1eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
c05823ab347e0d18b13a85a2d97f313a

SHA1
e198ed80144357ccb6ca534b54b03c82cf70af43

SHA256
86c1a0516436ea8f3f44d8900480ec344f37cebba74cdaf5625a3556d7e95d1d

SHA512
5b6e6b9b019c8bab460109899fd332e39ac90fa27094c088d5860d863e1a29dab7f8a8c2a38a544b43153636229823eeefdc953e9016760b427df3f3d0df2cbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\otijbhkb.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
c9d211484aeacc277224bf859813bac4

SHA1
548298aaf3a3ade54e3c4d422c0eed352f944dee

SHA256
0f6868cead39dc57e5b28ce41073c48bcd7d35eae037fe6fe729a21ab2513520

SHA512
d531649a5b234277bf712d6f480655908473d9a9cdefe5d2683f7419ddfc85c4eccc2c44f257f3deff34c659eff8159f0989b0bef44e65b5329db8a8c8aeabe4

Download Submit