stormkitty | 714b920e2e9691e98d269641f49a958a9324ed6bec404620c4fa2db5624a7e27

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1538f2496409067d29289d9223e22a39.exe
Size

843KB
MD5

1538f2496409067d29289d9223e22a39
SHA1

a5b76c1277270fc2644399fe9ada46fcf7c20489
SHA256

714b920e2e9691e98d269641f49a958a9324ed6bec404620c4fa2db5624a7e27
SHA512

04b94808d1f79c526cb673b47f75064bffaa28b6b44ca2efc669fa43ddbc7091d51722a8781d6b29bee46eaec3567d1f80400678df3410d3a05bd828d90ad4d1
SSDEEP

12288:lGWGDHK/4O4v9tIr8aVwDTadGRmNQ51038WcqhVTnvJkxmwH4E6:lGTX9tIr8gw/wPS638QhVN84

Score

10^/10

stormkitty discovery stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023a3a-7.dat	family_stormkitty

Stormkitty family
stormkitty

Executes dropped EXE 3 IoCs

pid	Process
4308	svchost‌.exe
3684	svchost‌.exe
5072	svchost‌.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\svchost‌.exe	JaffaCakes118_1538f2496409067d29289d9223e22a39.exe
File opened for modification	C:\Windows\System32\svchost‌.exe	JaffaCakes118_1538f2496409067d29289d9223e22a39.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost‌.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost‌.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost‌.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
684	msedge.exe
684	msedge.exe
372	msedge.exe
372	msedge.exe
2264	identity_helper.exe
2264	identity_helper.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 4600	4448	JaffaCakes118_1538f2496409067d29289d9223e22a39.exe	85
PID 4448 wrote to memory of 4600	4448	JaffaCakes118_1538f2496409067d29289d9223e22a39.exe	85
PID 4308 wrote to memory of 684	4308	svchost‌.exe	89
PID 4308 wrote to memory of 684	4308	svchost‌.exe	89
PID 684 wrote to memory of 1472	684	msedge.exe	90
PID 684 wrote to memory of 1472	684	msedge.exe	90
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 4792	684	msedge.exe	91
PID 684 wrote to memory of 372	684	msedge.exe	92
PID 684 wrote to memory of 372	684	msedge.exe	92
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93
PID 684 wrote to memory of 4724	684	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1538f2496409067d29289d9223e22a39.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1538f2496409067d29289d9223e22a39.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /run /TN Update
  2⤵
  PID:4600

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost‌.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef18246f8,0x7ffef1824708,0x7ffef1824718
    3⤵
    PID:1472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
    3⤵
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
    3⤵
    PID:4724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    PID:3864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
    3⤵
    PID:5020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
    3⤵
    PID:964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    3⤵
    PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
    3⤵
    PID:4144
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
    3⤵
    PID:1824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
    3⤵
    PID:2628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
    3⤵
    PID:5032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
    3⤵
    PID:400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
    3⤵
    PID:4264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
    3⤵
    PID:2380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
    3⤵
    PID:3236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
    3⤵
    PID:3488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
    3⤵
    PID:1260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1
    3⤵
    PID:4216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6184 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
    3⤵
    PID:1788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11886358717536883466,17782230561556597289,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
    3⤵
    PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost‌.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  PID:2560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef18246f8,0x7ffef1824708,0x7ffef1824718
    3⤵
    PID:3900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2576

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost‌.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  PID:4976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef18246f8,0x7ffef1824708,0x7ffef1824718
    3⤵
    PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost‌.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  PID:3952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef18246f8,0x7ffef1824708,0x7ffef1824718
    3⤵
    PID:1352

C:\Windows\System32\svchost‌.exe
C:\Windows\System32\svchost‌.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost‌.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  PID:4964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef18246f8,0x7ffef1824708,0x7ffef1824718
    3⤵
    PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost‌.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  PID:3416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef18246f8,0x7ffef1824708,0x7ffef1824718
    3⤵
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
68KB

MD5
0cccccd82d68d5ff076e1bd047436ec8

SHA1
0b9d6ebef9ac1c03f8138e9fc9203f9cd69d2a73

SHA256
0e9d24e58133fdae2fe766ece9358afdc57da1568485bf36182851b6c1291246

SHA512
84c357d75e1b7c25249ef826bf5ea9ef4445f2d4f985ae7128363421ac28f1cf438256cb40cdfd2fcf9ad439900dfc7796f9ab850e0445dbbfab5c23f29575eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
487KB

MD5
831a0aa25af2c60a7380ea75c321d930

SHA1
140ec306c24ab6f348c4dde5900b219d817e2026

SHA256
8cdde5daa52335c0a4e416f6fc22aa80744207a38fc276bd65341c2d2e903557

SHA512
0147937b2b2cf9bbf7e8dbee2d598e156c6ce4ddff224b3dc48caed96e89038ecdff1ace743b82fdf6155c40b674f4b1983693dbe45c39898487d3b7be258161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
89KB

MD5
6c66566329b8f1f2a69392a74e726d4c

SHA1
7609ceb7d28c601a8d7279c8b5921742a64d28ce

SHA256
f512f4fb0d4855fc4aa78e26516e9ec1cfabc423a353cd01bc68ee6098dc56d6

SHA512
aca511bfaf9b464aff7b14998f06a7e997e22fcbe7728401a1e4bd7e4eceb8c938bbd820a16d471d0b5a0589d8807b426b97292fc2a28578a62e4681185556c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
4d0bfea9ebda0657cee433600ed087b6

SHA1
f13c690b170d5ba6be45dedc576776ca79718d98

SHA256
67e7d8e61b9984289b6f3f476bbeb6ceb955bec823243263cf1ee57d7db7ae9a

SHA512
9136adec32f1d29a72a486b4604309aa8f9611663fa1e8d49079b67260b2b09cefdc3852cf5c08ca9f5d8ea718a16dbd8d8120ac3164b0d1519d8ef8a19e4ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
62KB

MD5
8ccb0248b7f2abeead74c057232df42a

SHA1
c02bd92fea2df7ed12c8013b161670b39e1ec52f

SHA256
0a9fd0c7f32eabbb2834854c655b958ec72a321f3c1cf50035dd87816591cdcc

SHA512
6d6e3c858886c9d6186ad13b94dbc2d67918aa477fb7d70a7140223fab435cf109537c51ca7f4b2a0db00eead806bbe8c6b29b947b0be7044358d2823f5057ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\26f1a435530e3442_0

Filesize
1KB

MD5
2240d438484af071bf17d314005562ef

SHA1
fa8fcead17d20e0077dbeeac05f4ae1fbd500971

SHA256
fbf8f507437fc82a78771900c7c7e9986d803da24e33e9751bb7951ad234e8c5

SHA512
bb6a217c7cd7737432d08d43666ef5173cc78f3795e62712b37db133f71f77524e9d4b13b1729a197925e45e838c0796717d9dc52481d03262af6fa2ab9cea2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
9a8f8eb1f1fa030ecc2bffd9258d3a2d

SHA1
f6664d587f33921f76395cc4bea757cb65460fb6

SHA256
8617d1845d0eda92bad9e8e4de90f59190aa6483a257a678fa6dfa9122c86737

SHA512
0ee14cf078fde8616dc08e015722efe643c21c8d9069551b777fb7de323b049d45e557ba37257d58695b7a8c09314e0f0c8b40c22ea5ea1fb12775d00f1f806e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4d4be19d05bd12a1_0

Filesize
188KB

MD5
e6e26cc5ea0558980d41d94366ab6842

SHA1
987c3e7b57042490f97a36fffbe3880e60b8c08f

SHA256
06a9be41d468afeecabbf917326cb3c91b035b840aebd05c025d822998718bf9

SHA512
bb4dcacccbf8fd611cc7a44f93f416cf1662279f81f44fcc08e856338da3872e92d80b9b7c2c37561804683a1ba022657965f5d1ffb533dab5dc0e6fa137899e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5cf765654b34ddf9_0

Filesize
295KB

MD5
de80bd4317c798980d18c44c91e9c87e

SHA1
e50295d7f193c2f792f469b31b3e0680727a2789

SHA256
4477f07e06c68d423b06da2621d10238b30987b91f64596827e8c393be804d10

SHA512
733a692f234d3ef539c532fc788a1026a69919d9bf8554a8101d3dfc3b4d37b7b22f15bd1d31e23d94e6d7c4b963d6324189f3996d814f3e9a47b85846c28af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\64c9123404e57725_0

Filesize
1.3MB

MD5
5402e8b1ecb438a0ceb17d3f7def0161

SHA1
ece5c5c2773eeaa0b29a9888f0cea1222b0cc2ea

SHA256
0c469300ff8456928ac24e2c0c1028f8c421223cf63ee55b7e461df6bc68c4fe

SHA512
ab8b0ee0390e300b4a4271197030c622c2eb68be0dd104e0d1f00c39ce2ce5cbfb97c940fa0f4fd5f3a1b8b2c2532984a9dcbea9d8f5b47b4248b95113df4802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
ba9f71447970a07032ab740154441618

SHA1
9489a4671e863cada9eb22b02d5944ea51e4fe74

SHA256
5b918a80468830a36a50571162888e2034925f4382bf7314940bc12eef9d5122

SHA512
48326bbe290db56d7344806904adf94e9d5a6478a02b4b655f37d303892fe7defb7058645bc5e7b6d6f7645d0c83ecd28c6ebdbb79d65118112f86d92785b859

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b3fcb71d1f3ecf69_0

Filesize
1.2MB

MD5
a1f46101de4fcd58532553ce9129d0ae

SHA1
50d4e7112db06c5f46c6474ed28f15666b92a319

SHA256
0261333f8d129708bb1e95ad078ee5f1572556ba3f91f33fbbacc5b5a4f50c94

SHA512
a0b4417680a5f699c3dc411956388d66a285fc463bb3aa0d7ec36415b7ec407cd737ef0fe6c92d7d0b4d25847e0d444fda451d66c4e492e8c36236badf1a1f82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e91da4b52bb26ef3_0

Filesize
297B

MD5
13c841ac7ab23b479e575a1f4f76d9cc

SHA1
b70219edab270e53c92e260ae99c46a5fa655f03

SHA256
62adafcca4864bb0890f85c2800f6138b58a031fd8659df6ad54748f337138e2

SHA512
e857fa87724ee4b985bf081a7f2b2a8b769f2997df44c0b37ccccfeed40d0989703c52c73a13846db175ff04398228b160036aee08ebe79b3390b35f4e5629a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
004188ca2d639dc4ef838c6f764e565c

SHA1
2e409442925ba034f95443d3ca04741c829f1dfc

SHA256
e5ca17fd4ba9f8bf29a3a33be8e32daae29e84698bfee4ffd5c56f3e06cf550f

SHA512
1aa7a276a810375d5f646c00f0979065c75893c7350d7608e96acf9a4d2a0fc804c838de85eb65c803d303af0631c8efcd47bb25340a122968558bf84585cf67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
e1809bee6af16b33960fe9ec3ec46247

SHA1
dce59dfc64910facec5619eb2ff9a70155b2a88d

SHA256
3a6a7160c78fca10907b766dc257b1f873bc764e53280eeec5d33c1fffee7967

SHA512
9776faff54737ba0b071f01992c55698bff7aef348c0376dc0bf39465d99cb4082c7701e0052fb3d8cb01280e617b1eb01db3cf088852d7137a8d45e2f6f8cfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
c7ea35d6600b08a49a40cf54cc4d6be6

SHA1
da797c30b26b06c58793da647d62a2b9dbffc322

SHA256
2d13315607f455959a5f905e64af87b5ba04c52160d96eda29cf52a45735cf6c

SHA512
d5e82d3bcb74e4fe21c026d8d565afcc249e33aab360796a99ab2f8d109121f4753944ba245ec164c30df668dc4e69172fd3dc87d6fbe158862df4dc9ba9cc59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2dfed2c10d94893bf40482b97f80e2b4

SHA1
24e83cb1b5bf67dedfe75c2b0868a59471ae1395

SHA256
42fdb325d12d9d515551eec29bb4ddd58573d781b6a4f3f824662576f1ad3a42

SHA512
0449925aaf63eabfe01fd6a3edc4b97fb89977b15fea9b44b1ded81ab8ce06742816312c81e8fb892f50a97456c86e416d486350fce1d3cfb91b6143133f19c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f7a76d8fb408b2bd88cc26a7ce2e43db

SHA1
2e5149e8e535ce12d993153bc1d33ce1280ac30f

SHA256
9c3c9f078d4eeed05892a0913d9321249ba6cb9ce569c3acdf011567ae17a6d2

SHA512
4ecb36b80658307cfd18ba10f46555980640b786b986558dcd77d60d3e38a1c0f448a172ed8c7b45e3f96d2e512e6b4bee4075e7dd4de6ab176ac6e82df3df9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
95ea196ea16fa91fdc7f6715bdc519d7

SHA1
6194d72ec3a6dadf617da7522c7e1988a1439228

SHA256
8c01cab5fc938b434159d349b8f13751e388e6e091e63454615f4cffe482cf00

SHA512
b6d8350e0325be02464af1341c21e42cb3a209c1472274ea793cdca1055aca000fe942914bacdef891b65f8fc9af083b8e946e36ddd5af7a882c21494a8ba615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f20e4f0ea40db652058565a6b2bcb15a

SHA1
dfe786cf9911582df8a2ab49618322f8a8e92ccf

SHA256
d4bc802db483b9a0b600beeef4a739009d819e65fe080d6f85f041c923ef87ec

SHA512
932a520249c6e47883b3670a020f2ffa160b3b9d7383f8abd2cb02eafaa748feab438af22a9b86aa58bb576c8c9dfc6944cfc5170c2091bc3e5576cc4e8da765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
b0e9b251b74a09caa7718f943a2e2457

SHA1
55d37f4adc7b88bbb6388b1d6f0260bb68e879bc

SHA256
c4053f53fc227cbb12c7cd7e075dbdad78b27adda74f836f79ec2dafde18f8fe

SHA512
77528507f5bf60a8e8ebead41c59e76f37d1d6009a8e054325ae0bc7ab7da53350492f9927166bb4259a2bb843d374e4b66c8fba24eae657197d361945d8c967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
ea4227a917b3106930b80ba4f36a834d

SHA1
be0e350ab2b5218287fa1b2e953263481d20ebf3

SHA256
38269cd806f0af554c1417a0243e4c9cdc7e2986bbf4becf933e65b19f13101c

SHA512
6da48fad1fd5d2bbc4c7e84d913b5e9b2e38bc9172c7e3b6ac7f56d02e3f3efdacbc40b7aa7f13e3c28d6b954499ffbfdb40868a6e29747356101cda844caa0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588393.TMP

Filesize
371B

MD5
8a12c794971e31b8c826088ea43fbe9a

SHA1
5ce903c4d5376700d7a939428a128bd26505bb08

SHA256
79809204d17ed64d3195011e2609f4095a52421ff7f91082e359002b2a6f296f

SHA512
43d7177eba4faa4462f20ccd11b11fb51faad1a9910a6988a83ca4a14315e9ee6e62d02ade92ad3c855564bf2c1080866c48caa9912acad805d769851f969af7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a6b1516e44894569ca74bed5bfb22cb5

SHA1
d1d7173884a42df95f9366cba3695d1926c07798

SHA256
149b03d74b42445e103c13617471a12b38ac1524c3b13ec5e6dafa6ff40fe6c3

SHA512
890589490c86c6073021c00669d0bc1b9a1185034e4d2daef4c7ae65b5e8a813193e32083045941a9a9a726b31822d5b568901d32c11bd805907a9931064ee01

Download Submit
C:\Windows\System32\svchost‌.exe

Filesize
660KB

MD5
5bec8d7c881f1ce48a094715ca77aab8

SHA1
d6152df4e0443293caef5efc9a89f046a0fb583d

SHA256
fd0ae8e49b453646c28a7b2b6ef4b77f17586d7192ca3c8d647a0bf8abf810c7

SHA512
255996257ad2e03d6f04e9f41df673ef7b314ac98de415c626e0d34a0da7d686e6e29ee0ba43f9d61f34a89512abd2746628256cb162e49fb7f20f596ed6b593

Download Submit
memory/4448-6-0x00007FFEF0D70000-0x00007FFEF1831000-memory.dmp

Filesize
10.8MB

Download
memory/4448-2-0x00007FFEF0D70000-0x00007FFEF1831000-memory.dmp

Filesize
10.8MB

Download
memory/4448-1-0x0000000000BB0000-0x0000000000C8A000-memory.dmp

Filesize
872KB

Download
memory/4448-0-0x00007FFEF0D73000-0x00007FFEF0D75000-memory.dmp

Filesize
8KB

Download