meduza | ab1fbdebc66bbaf48985716fea2b4caf054e830384e931b6b25c92c3e302510c

Analysis

max time kernel
487s
max time network
504s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02-01-2025 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WhatsApp Image 2024-08-25 at 19.33.05_3d55e667.jpg
Size

221KB
MD5

79976d94b495f6411cbf279c69773703
SHA1

4280f5d6228b8450e5809b34087b05c182e0a364
SHA256

ab1fbdebc66bbaf48985716fea2b4caf054e830384e931b6b25c92c3e302510c
SHA512

6a786f3a40af4970360d6b13ade3177447e8a42c7562abc01073211305ecc336c9b1c3bbcbe69c8e5df4e22b6cef0e7354e1b35be34883dc6906a6b614f9adbe
SSDEEP

6144:tnCIxNub72WbVl+jvkrQ7iXXOBE0vmhBmfCVj05:tnhmb72WbDyvBOXXOBE0vmhwKlI

Score

10^/10

meduza discovery motw phishing stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
6
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/6036-1909-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/6036-1910-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/4720-1912-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/4824-1920-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza

Meduza family
meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
152	camo.githubusercontent.com
151	camo.githubusercontent.com

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
428	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4664 set thread context of 6036	4664	setup7.0.exe	184
PID 5728 set thread context of 4720	5728	setup7.0.exe	186
PID 5200 set thread context of 4824	5200	setup7.0.exe	189

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3498d475-82db-41fe-9d96-56a00d244831.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250102114056.pma	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4836	mspaint.exe
4836	mspaint.exe
4248	msedge.exe
4248	msedge.exe
4804	msedge.exe
4804	msedge.exe
4412	identity_helper.exe
4412	identity_helper.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
6080	msedge.exe
6080	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 49 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	firefox.exe
Token: SeDebugPrivilege	1264	firefox.exe
Token: SeDebugPrivilege	6036	setup7.0.exe
Token: SeImpersonatePrivilege	6036	setup7.0.exe
Token: SeDebugPrivilege	4720	setup7.0.exe
Token: SeImpersonatePrivilege	4720	setup7.0.exe
Token: SeDebugPrivilege	4824	setup7.0.exe
Token: SeImpersonatePrivilege	4824	setup7.0.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
1264	firefox.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4836	mspaint.exe
4836	mspaint.exe
4836	mspaint.exe
4836	mspaint.exe
1264	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 4836	2116	cmd.exe	83
PID 2116 wrote to memory of 4836	2116	cmd.exe	83
PID 2480 wrote to memory of 1264	2480	firefox.exe	98
PID 2480 wrote to memory of 1264	2480	firefox.exe	98
PID 2480 wrote to memory of 1264	2480	firefox.exe	98
PID 2480 wrote to memory of 1264	2480	firefox.exe	98
PID 2480 wrote to memory of 1264	2480	firefox.exe	98
PID 2480 wrote to memory of 1264	2480	firefox.exe	98
PID 2480 wrote to memory of 1264	2480	firefox.exe	98
PID 2480 wrote to memory of 1264	2480	firefox.exe	98
PID 2480 wrote to memory of 1264	2480	firefox.exe	98
PID 2480 wrote to memory of 1264	2480	firefox.exe	98
PID 2480 wrote to memory of 1264	2480	firefox.exe	98
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 1764	1264	firefox.exe	99
PID 1264 wrote to memory of 5024	1264	firefox.exe	100
PID 1264 wrote to memory of 5024	1264	firefox.exe	100
PID 1264 wrote to memory of 5024	1264	firefox.exe	100
PID 1264 wrote to memory of 5024	1264	firefox.exe	100
PID 1264 wrote to memory of 5024	1264	firefox.exe	100
PID 1264 wrote to memory of 5024	1264	firefox.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\WhatsApp Image 2024-08-25 at 19.33.05_3d55e667.jpg"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\WhatsApp Image 2024-08-25 at 19.33.05_3d55e667.jpg"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eaf3c48a-262b-46d5-aecd-760d0ca140b3} 1264 "\\.\pipe\gecko-crash-server-pipe.1264" gpu
    3⤵
    PID:1764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75c5e856-3a9f-46bd-85de-9ed8364f667b} 1264 "\\.\pipe\gecko-crash-server-pipe.1264" socket
    3⤵
    - Checks processor information in registry
    PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1440 -childID 1 -isForBrowser -prefsHandle 2816 -prefMapHandle 2948 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e14a04e5-ed6e-484f-9188-457932383f23} 1264 "\\.\pipe\gecko-crash-server-pipe.1264" tab
    3⤵
    PID:3804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3644 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {924d19bf-ccdd-4d83-88d5-5d4d3d11f89e} 1264 "\\.\pipe\gecko-crash-server-pipe.1264" tab
    3⤵
    PID:4640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4568 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4604 -prefMapHandle 4600 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b0b76e7-06bd-4887-b591-803a0b9a689f} 1264 "\\.\pipe\gecko-crash-server-pipe.1264" utility
    3⤵
    - Checks processor information in registry
    PID:5292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 3 -isForBrowser -prefsHandle 5536 -prefMapHandle 5532 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e572b43-009a-4575-b131-482233028056} 1264 "\\.\pipe\gecko-crash-server-pipe.1264" tab
    3⤵
    PID:3908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 4 -isForBrowser -prefsHandle 5672 -prefMapHandle 5748 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a512a3fb-63fd-448a-9344-2314c273858f} 1264 "\\.\pipe\gecko-crash-server-pipe.1264" tab
    3⤵
    PID:5160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5884 -childID 5 -isForBrowser -prefsHandle 5964 -prefMapHandle 5960 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87e29b70-11b6-4fbe-a090-10646fe28192} 1264 "\\.\pipe\gecko-crash-server-pipe.1264" tab
    3⤵
    PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7fff69be46f8,0x7fff69be4708,0x7fff69be4718
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:748
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x7ff6041f5460,0x7ff6041f5470,0x7ff6041f5480
    3⤵
    PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5756 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2480 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7456 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7952 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7724 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8324 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8196 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8268 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8788 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8920 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8312 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7960 /prefetch:1
  2⤵
  PID:188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8028 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7980 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9584 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1764 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7492 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7164 /prefetch:8
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,1450306592017759229,8870627615805143572,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5624

C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4664
- C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6036

C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
"C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5728
- C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  C:\Users\Admin\Downloads\Setup5.0\setup7.0\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4720

C:\Users\Admin\Desktop\setup7.0.exe
"C:\Users\Admin\Desktop\setup7.0.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5200
- C:\Users\Admin\Desktop\setup7.0.exe
  C:\Users\Admin\Desktop\setup7.0.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b712a4c83dfb3c522d032cf900e863a

SHA1
4f5bec4be6f4ebfa959e899ceafc62309bb1f141

SHA256
31da2a41a051db11559c47feb923d4baad32a384f530013a435fa884dad64493

SHA512
03b24d9307623b3a341230805f3ea662b0107c314650a51ae7e89d901cb3ad212d4219bab4d763d0aa8d50831aa0e6d4e3379573cc2f724873804578e8642898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
24dada8956438ead89d9727022bac03a

SHA1
09b4fb1dba48ec8e47350131ae6113edd0fdecf0

SHA256
bf1e5c7828e4672982b16451b5a201e65e812e98a97b87c9f2f7c22677cb4ec1

SHA512
03f092a4b20a4d8cc111220b35fbf5470878b7723faeddee65b1d9cf327167053792c77864103b4530b9b9f819e32a5721b44189291dfdb5832769835ea5dd94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
26KB

MD5
5dea626a3a08cc0f2676427e427eb467

SHA1
ad21ac31d0bbdee76eb909484277421630ea2dbd

SHA256
b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6

SHA512
118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
64cca523c2b795e5e914209046695bce

SHA1
9dbefb3f44b4341531cd17046fbc772a1c23bd5b

SHA256
fa683c754eb33cbf2e8205b933b63aaf46c57645b3629bdd37f905c9f9048a5f

SHA512
050a40d6c613535bb27215f6f6f2eb9fb33bd81a6e997c158ad8a6caca6fc49cf28f18b65193a5d0384ffc1083d3c71156d84cf8c4a86e7c901cd85f52632816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
1bad71c0c38365f5dbdc8b03a86bb821

SHA1
f70d5c9904ce0b51c11072d46e629642a0e26304

SHA256
864bc1d36eb12f9a30d277c29da80cf3b4d4bac8e83307c0036020a553e56cda

SHA512
3ac2bc2e4857817d3bd700e9046999f48cd2b15639544611818b548bc98a283122f10acab8e8cc80d6051e56668917443ec4f47f63006cb43bfcfad81f3a2901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b3d0b1e4768d60f2d4678cc088ad00f0

SHA1
1dfda336cbc97733347f7eca47a2e91b06fb3bfd

SHA256
7081baa8f4cc5cd227764ac1e2e57e9c532802393b9ebea86aea7ba808cb8be0

SHA512
9e5de1e8c78db643007ca0ee404f98470ab3a607561ed1612c298f323d3c85e0cca62e4026655c289ee947d503ba3393b538cf603c4db0da5d75f222f19f71d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
356f99bf94f1d0b3148bb76b5da93e94

SHA1
1052ded7815ae05f21b363c2961cbca6604beeaa

SHA256
a352b560e1ed5d00ca316c1cb8239d594412a5f26ccf75159225f5a9c427265e

SHA512
0b42cb12ed60814307684f952d93fb578dbe3aec61c6b61a84b8a17a65517d0e5bc975c4d3d0f820432444734fead17281bd386fb4f2ac92da3604c7eb7dc9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
012f600b65b416d20dd86f680b432acb

SHA1
af8f57600fbdac385fd1162f13640858dc1398f8

SHA256
c44c403ae2f35c0a8138e50a0006b6b4a734b084ef8cc7dc1cd1eb3e7482f6fd

SHA512
85bace123f3d6cd492eaedcd688510144a3150269f97cba4fe32fb501ba6366e6d567c8e222ff90b917661e53ac065d5af761f2dc1e9807b631c887f8ab11306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
941B

MD5
b47ee6b64ebf1ada6cd078fc76572b56

SHA1
6d087bde9da6cff354bede9297b549d676f498d3

SHA256
36a746b670e72c6fa94e1285e15642dccd806d5c62f139825a337359134fae3e

SHA512
b9937606775deb5583ebe8e04f9cb9306ce65b24fd3c2ac39038bb0e3b8c2361b0e9401076f9f6a9fd32690d25d45aeffc3b0be7276e86db481580202b754ea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
077a0ec14557ea271cf8d8087aa8a878

SHA1
bb55e83bc4ba4c315f46bf155ec41600eb7d61f1

SHA256
eb9c688e5cfc23e3c9114a4b2e6c2557bd48106ad01d62b972eb61105f0c65c7

SHA512
ca35337e8154f6443b87938dac6ad7fec3af2f1946f63849b85953a888ffd7eaa798897567ca6d588bc1fbe6da6e30aa13e57ef7f8a29e24aa97c8814c3678f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe59aa40.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7f703965bcdbb711a430ed9e633a85dd

SHA1
57fb87bad214b08220e56bb8c7edbb7096f767af

SHA256
d483a52e227e2cc06a160e2076a484d02717906cf77c4c5303e9b5a81cecafef

SHA512
4d9435ef11b90ebecdaec28452844d9631dd56161bec8d1d6940d004c34c99fcb38509e1d164a0ca88872b030a93c13512bdb327b75d14306e8dbbbb60f9a625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38aa454802f202c21be3d5b5d4c9c301

SHA1
516365cf4e78ffb5336579fd43741553ec9f82b8

SHA256
88ffa964440a236d2e0233324ba0b6e2987c4fb2b48d4f5769eb2de9921505fc

SHA512
2e37d17013de8b9112877fdd04de55362be7ec85a3fe09f0d25dcc966d5c912b1b83b88bed302792b764c7b3927250845324614c09a4cb71e3d4370988c5d76a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
434f35f8592067cdb0eee7c1add20fe5

SHA1
bae0344ae2a2111a3d04664066274b3c19edac47

SHA256
2a7bcaea5325cdc107d12ead1658035877011ffb3bfbd6f23e109dcc07154465

SHA512
17e18ac68ce2dea7a8beb037acc2bc3a8d5aaa12cfda0875a487f51a5938c0379cb5ae3ce438425e9331153e1d8bd2b37e6e1b058154d12741ad79575bfcaf87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
aca5bd01f34848a3f10ad0e29a98897f

SHA1
14343cde04d6e22ed879091218c4b580ed01fd81

SHA256
548e2b4f9d827843a6b4b58b62fd2ea46a27812a3087a7b3c7b93d2043302435

SHA512
483262652358f091c59891c3fc674d594a86b31296a1b4ba86574869d104e0119d7d348361927ef3ce26adb9de962fed658a6799c480fd8a780eee811442c06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
f428f271ddb91cf8c1c2795e12f0200b

SHA1
31fcc46db8f81c659a9b46d2bdc262ec6108c833

SHA256
f0c292e9d7fd2427310cfa1563758bf32b56ffa5ab28e6a21fa3065646d7dab1

SHA512
f5fe87be35a4f1f03958cce8fea7d8ade178c905967e5eb5f936e0defdbf1bd7d2dbcc95600143bf1857080ed0ca3e48ccda8dd243986a140b6767ee03889821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
9800a0a1cecd2f1b2b293634f72b8738

SHA1
e645f3221056123bd1634268f17e02fe22c7693e

SHA256
8cdc8a5679b30ab160d2a3f5a71c43126b089c923f1f3fc110956188b4e9155a

SHA512
517bececbe0399c385024dcf7724160d732871eeca840ecbe622ad6b4ddcfd2fb25c0de103602c29b0f7be283d379cb8f9d29b8bf58ba9ae5b68daf94383fd6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
69a862ad4e02815c037afbc9fa994025

SHA1
fb95ec7dce198625713cffd4e960f20bcbfe607c

SHA256
97105db0b306c86f6c2bfc26331482cbae05cf4b3daa94e7905820f75e55a6cd

SHA512
88e76868b54075168d62f6aebe959081aecc6984f540d4bad0ab5660dabfe14f22f1a010e21af5cab7730c673d32a6d1abc5ff194c88af59d01ca6828aa50966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
7478f052e5f37e1e220ea35fdd1c0682

SHA1
25e2150634a08b891d0ddcf0a6af2da7cbfb80c2

SHA256
5e73ea3c390b9e0bc54c4a8fa2b119a281561ff6643009f45f2392ac57d2176f

SHA512
e917121190a53114bc2575b99a567648cd28fa71a3aa047032e59439c94eae784c30257aefc90bba3484efa31fc5a663d7e2f93b01bcbcb257564ea0f77b4663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
db81d73cbe2342392177d4838d532411

SHA1
4d71fa5b0d63fb9097af0831e2f075a214e71e15

SHA256
d5f5d3a880791abd3f6bd4ef19f71dea4503aecde6e8c062b4f90044fe82cbe6

SHA512
bd9fa3adaa94ca5ae3f2269650abf9e7a99665b0bfd5a33b90ef8370acd91d5892e9a0115c4395ea4dcc7eb12ce1af3bcb04cf200b8fc4f7e0618b86bb3b0ec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
85eca930a791cbcb1373f5fdaf17857b

SHA1
ffea7d54e9803374a484f1e4c124766e80024efc

SHA256
fbc990061790350f00dc28f2dda277aac81bb8385a6e92e90a20101436c3312c

SHA512
2ffe0de3f80ac60f2ffa55f334026979e6be328b7c69f4603aa3c5d1bfa6c3b3744d86ac2a34ecf904d0a41b36bc485392ece58f6cc89d7ffca293d02efe5bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
99a7edf9124dba808b6d025b14aea278

SHA1
f1de2fdd81ea87ee78e8afdc1a7cdffcf62a92ef

SHA256
9d38a8d193a503b9be7b39be5d150bcf22038c84fbf3d53979e2f075a35b9089

SHA512
fc371b7ad5606a9948ba4a315e40a0a93592f57103be4a3712020977b43e4277d95d74ff35e490239dbce1cc475fe1d1746764f5970d2e9f04483c985268f5c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
094f7dd5719281b01a18ca76e6b82cab

SHA1
4b2e1bc7c534d42384f84a26273d075fa0cc018b

SHA256
ae5033680a2a19fd715bce3bc64cc61418605b5bae9eac5776860a622843d05b

SHA512
a3dd97af0b32764c30b42c6714aec14280c6d49976a81f99df2ad53a95705047af295eca52a2a0ad64fe508d38bf00bfe47a644c8e028eb0249e520a63907a03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5ad301.TMP

Filesize
48B

MD5
202d427b6082f1326672f1b328e30644

SHA1
5acf62f870524cdcd5d6a46d427d0ca40b8df870

SHA256
f5e8c6a22b0bb24fee1184c11fc42963f712bf6843aa9714dc7775afe6a33b06

SHA512
ccb1455eec384159e3c75c24bde2ebeb7864805908775d7ddd4be5d5c464d099b4197016ae792134c3faaa48d0f21a0786db2930057878eed723346fdce20667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a2e309c7db8e71600c160e75460ec82d

SHA1
87bb4eae59a7883038c9f3b910e54f7d4039535d

SHA256
c07897c8fd5ca57356298fc55005cd775db6ef1968914401b86a834ab32b8ba3

SHA512
27763d349d859d097edd52727ddf693e9acff34f8b4309e56d4d019e046f2a0fcd61196fd1708ed6aef14002da2b42bbaeb06e856e295c3f267c728e6c8bc34c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
e27644e0428a70a44da417fe5b307f38

SHA1
f42f736c9968b198999bcaffd277c87f5f1063a8

SHA256
302d0ed2d77ef9430c65c6dd1f5e93e79a33e513327d04e9322e8f3e2fb60959

SHA512
3560aa1093e0bae96a91a4c0b995be293e3a46fe25242b7a3933460f609b00058c7aedab7bce1fd11e4f8e012f4940d2630d88a949b1d7c1622a6e4f5d212c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
aa424fc2085e75502340d4c7fa10d5a6

SHA1
d0984ce8e37b59afa9fb4dc264192c99952ad3b7

SHA256
00c5b1312c2238a0f9d1105ceae1938a064a3df324b47d66a347818c8be0485a

SHA512
1cb197b7a0de992a2d5f98c7d87a2ee5fe02018cc8662187dcdc082df9c0feb2f710801842288c9515a73d9dc471203884b23d6856128f86ba47c5ef967ec293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
676b4dcdf92451b41fa34388dda4e990

SHA1
57e15d4106ac7a0d7d9d52e4c5d7cc1f610edea9

SHA256
b18f90b1a288554e349cf08ca90e1eae529468845e44c6fc4584e73e419230bd

SHA512
357139339ebf94fef10e74611848e9a3fc84c28e2354124a3bd802977504aaaa10b9134cf61c84d0951c527d68213de2177219835aab2aa772512f70457c8a52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
a85a54d3404ab6daaa82bcfb6507acef

SHA1
f7e6db52aac941c0c740d3c9d5fc68f9eab70d34

SHA256
d09ff10ef8db6f426e30fb21e6f0f9911c7829cedd1f57cad4968f57303d8fb7

SHA512
c6d8cb387009674b157225847ecc46f23b23d97642e908f4c5c6ccf84158c023048b9d29813c7f7679adc989dfc8f599ebc733c18fe40a56b2891b8e91b1a56f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
de9878b4e4793d8cf6c54065393a3927

SHA1
5cfcb96975651c9d1257f0d82f5b494af7220c2f

SHA256
183a3efdf268cae53fd29e99fcb1eaad4995577cc1461d79c19f3105c0ea7995

SHA512
5b1625929623c6a854a652b57312af2385618e508fa732aa33e346f3e92ada4e205c344cd89bec6a0be7c1d1259efa6dba825772e7aa73ff549877e871523dce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
450936d07a49332c9042d0fd935472c5

SHA1
37ffdf5d1c3f82d6528cfb92a1e309798bea0953

SHA256
375d970cfb339c590fe7c8d952d75cc26cbc4b7cff2ad632e0b5e411ba7f0a8f

SHA512
72111d6b0e735d6fce635351758a8d13cab5bb0108d5c75f67be2eab93d7aae890ff43f1a9d6fa07c976fb10b71293ef98bbc5fee54879ed7a368028f772ef8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e90d62f16f6370efcd55dfba90841aee

SHA1
de2efa8f61ab76b2dcccbf77202042667f2885bb

SHA256
2151725be4a9da5cc36854e38c8718d011884850dd0fdd7e77ed092d6e1af0b1

SHA512
68b0af2deb0fcabae12af13b8e21030c5044a4751a2fc63d73469971963bb7fdfa4676e003e2f773a8f68768ecb59762350d9d9afeb4be07d51575b06e549e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
84ccbd3a4e0ce00c10257383c09f48e0

SHA1
9b8d0ebb1cbaa9d6acf0407380739d04c2f6405f

SHA256
27d4759ec755ad24272e1c617912b4f9fb7443439dc18ef0d23d54046e8e806f

SHA512
da996c24cc98293c8ffadc7611c2fc8868727b12346654862be4a558367408625532f3f6577b4d728ca593dd50e10c5873be8f70ee212872534d39cfe2f14ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594c9f.TMP

Filesize
536B

MD5
e06c2298e514162916b7f0abd4a6bd96

SHA1
229e6b5ff295576ef1f33f84722a26999f3237e9

SHA256
fea85b7b087974c276521342bf91c93d5bb24ed32710e690f360a13b858fe489

SHA512
0e6503eaea927470945e153d5849e6938935331ef7ea1fa74c1821e80cf34dfed633fff76dd43c5e6cc9465717a0df0c4397ba4066ebc4ac4df76bcad5d921d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bf175e37-6e10-4d40-a07a-019a3cd8f53b.tmp

Filesize
15KB

MD5
2a79bcf124a446e03e434a1fe0374143

SHA1
6f356084e46be4b2753cd853e884aa021dae1af6

SHA256
8f3945ec1d8b5949063a3b47fec90bfb2edfca3ad2d8e01d92171927815a5077

SHA512
13d4df78a4c0e91b41d1166a343ddc5ac22b0e69cfaf135e2587dae11c6fed76471942302e925ea4437f7308991f7e98a8ec39dbd34e09df4267d066090f946b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f1b7e449db782c3441452fb417c98d2e

SHA1
42f76487dbd5445281470626b837a9ccf3af95e9

SHA256
8e754bd3817311cb5912d2ed37d39470712b12181e36216c167e542b60367e64

SHA512
58888cf4b638a3f4b483e1e2883eb3ca8e0c543a9b1566695458e5046bae923be6bab4fed07cb29773182e8b96b84491fda1f868210e3a45f16ea8e93cff8fad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
81c2803d0e6c21f6be83e4597a9510d7

SHA1
b07fe58b8c96fd59d016135177602c497c42a5bd

SHA256
11e97e773f79d2912edc86b011694e72512e57edfe40affa6dd93e96146213c5

SHA512
7c61954bdd5fa3b3f6cdbef36393ac12a9614714234c2b3a47f4b4f851452d488a32cee710bd53bbcc9a43e0c286fd6349fc54f4879205e6577191c8216de73c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
e6f08d5516c91b36b3cefa5afbe33d2f

SHA1
36c08d004651287022e0e9d99e917ea81b32f72d

SHA256
5d37ceff3212c56b18f1d2537fee32a4ac0c25276b9f0c9e133304390241e55f

SHA512
4b526cb6f3dec9c2e5ec2058fc767da4e4edae4c058260ff2ed66be70293173ffae90ca6c0833a0d9b57f531ca1ef2bcc75f052f4744f98582d15336155fe2cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
d0aa88667a5efc989e63ebbab948c5e0

SHA1
148c158b0734c625df3e778bee336561772fde65

SHA256
4151f3dbd34632d51e8b3d62653b95f9d035d4ebb7589d50f59370656d41e216

SHA512
08f32773685ec5ba6f80c2c1488e2ea5a931681b84afa59c4f9a16201758d46a08f1f5832f34c9f5ec22e7f9affde6ec1553c25f41094167ffb8d15deaf0aad7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a50ff2228b30231cc7802954ebf35a65

SHA1
769aadf1435156d8692321aad9960bd53bdae55c

SHA256
a86e52d9700a7288d959b16d401670c64e072bf952fc398fe01c49a3648e6e75

SHA512
9029e974c79a0fd39bba87e731e1d5b44a45752928793b34aa7564ca1000b0b02343af4a455a7453b60ca7e7f8423d905a0dabd8955c070ee1f0bc0263dfac25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
311f2b276fd18994e9a781721bf58d5f

SHA1
7409ee0fd921b518c1fbfcec9a9ee1a3ad71e8e6

SHA256
788630582d9dfede63a599d3ed7df121c8d11235e85f280df292e4363a9afab1

SHA512
4ecead92d595c7613bb1e71a5c93c873fcd802f695c75aaafdb69a3e008f2f4fb7a094c7dd0d59a012a6bfc89fa123cd5d283876ad87004ad9bee39e73189a18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\pending_pings\5a9bdbe1-9972-435c-80b3-d572db0497f4

Filesize
25KB

MD5
25ea617d3d5bf46f4f6101f254da46c5

SHA1
72c3b6c8791761212a4438b570c4e94193439acd

SHA256
af12ba707bff62559af163d70cfdf9062f62b5c00135b4839f0f56efe2839a20

SHA512
ab7f30a9080e8e888c9c86bc1fb18eaeb6aeb47752b302823dc907757c8cb430ff7d071bd210a501ffb59a9cd2a6761cec60b571291a09be6db0a3e9edff42b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\pending_pings\c27bc267-015e-44bb-9363-99547ca4232d

Filesize
982B

MD5
5944b8ae4a34fe520e0b083a62a3864b

SHA1
0cbfe307eb1455aa4cc90f9860c2f7d6ffb5036c

SHA256
99335f152873ab750fc91d655630debdc7ed3cd7aa16a889b16895648b02ba15

SHA512
61c0f64b330e91b0fac75046e647d50966ecd96a08f60848004df1e1ae3194ccb809ff869f2fd2ff3781ab1aeb2a619769d6145cda7bfba4ec84e965cc5b5896

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\pending_pings\c71b91f9-0c0c-49ff-8ec7-576d81303611

Filesize
671B

MD5
89e80a734aba83cd870dc43a0d18c836

SHA1
51a1f0e27bb4ef397c1ad9d705e099125e71d6a1

SHA256
e414f41605e79cb46ea07a1a3033bc5e5f7cb927c046f45dc36d010aadcb711d

SHA512
6873e1ec8d51c68e92b384b0611cea1c3af91d7e515435c3d390cf6de754a7191a6987c7e28ec73fb5c6c7ce654cb65514207868d274250dfced0657b9c0c04e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\prefs-1.js

Filesize
10KB

MD5
4ea257cf3dfe60776834539e4ad5c0e7

SHA1
96e4e4cbe01729861a0060197f2c733a3a4f7565

SHA256
4cd6a8e7c10b460710fbbedaede9884620305b45f79ec13b1da8841c7e121f2f

SHA512
3c34a64b7a02d193283b75437cd6ba3c2571d1a1dcf1054b2ebd883f1d3975cdbe81dc1c54fb1b863ff94f1afce911cd481204465fb8aa6ec357457aba3918f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\prefs.js

Filesize
10KB

MD5
20c27cea0a4f10f845375d057ba0c8ec

SHA1
cff4763baefab12e7e5f2a15b9021eb870a5f6af

SHA256
a015ca81322a6fee17b4d35ea3b57e5cefca244b3bfd0f19e5b784c3aabc06cb

SHA512
e31438c056936c97d9d0057e4d36ee37d233542b643581929a5f613545d4b4744b112bc2f97c857f7d108894ca3ec370f224813e004fb42827bf2591b73d0984

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
f67b828e973de52be32c3fae07fb4299

SHA1
4d2842178eb5964575df5f931eec37874b131848

SHA256
91f0141bbd1991f77dbf2ec69170727c772971eda2efa20b04fc51012ca05a58

SHA512
795a999013b69af514e59bb5da7c3723bd8fe528e2b9b09bdd5c7bd35206348515276fafce6ef865e76e890bcfb18c17ec6e8d25bdbf1e16d529041362d4432d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 206619.crdownload

Filesize
2.3MB

MD5
d7d4d1c2aa4cbda1118cd1a9ba8c8092

SHA1
0935cb34d76369f11ec09c1af2f0320699687bec

SHA256
3a82d1297c523205405817a019d3923c8f6c8b4802e4e4676d562b17973b21ea

SHA512
d96d6769afc7af04b80a863895009cd79c8c1f9f68d8631829484611dfce7d4f1c75fc9b54157482975c6968a46e635e533d0cad687ef856ddc81ab3444bb553

Download Submit
memory/4720-1912-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4824-1920-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/6036-1909-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/6036-1910-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download