6514b345465786d232a61f8aca8e3b60e2bf8a3e45f237086e55caac0c19cb4d

max time kernel
178s
max time network
178s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-01-2025 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1d93e8597dd860cf81cd913c4b997818.html
Size

25KB
MD5

1d93e8597dd860cf81cd913c4b997818
SHA1

a7dacf6a32b194720a87130a16f2222c44f036eb
SHA256

6514b345465786d232a61f8aca8e3b60e2bf8a3e45f237086e55caac0c19cb4d
SHA512

c35592acafe20b18914ba7ee31201faa7534136df292d7c14436fb3bcbdd5f07b96b3b63897509068b8263ec4e12f55e192de027996dac8e63e08712fb891e98
SSDEEP

384:PqlIcCtF4JVGTHyk9v1o99t5W9ISFaTGHx6QckT/gbpLOXguLZ:sZtSF5zg9ExLZ

Score

8^/10

steam discovery persistence phishing

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Executes dropped EXE 15 IoCs

pid	Process
5584	SteamSetup.exe
5676	SteamSetup.exe
5196	steamservice.exe
5572	steam.exe
3832	steam.exe
5768	steamwebhelper.exe
1296	steamwebhelper.exe
2716	steamwebhelper.exe
5124	steamwebhelper.exe
2244	gldriverquery64.exe
5064	steamwebhelper.exe
6020	steamwebhelper.exe
4708	gldriverquery.exe
1232	vulkandriverquery64.exe
5516	vulkandriverquery.exe

Loads dropped DLL 53 IoCs

pid	Process
5584	SteamSetup.exe
5676	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
1296	steamwebhelper.exe
1296	steamwebhelper.exe
1296	steamwebhelper.exe
3832	steam.exe
2716	steamwebhelper.exe
2716	steamwebhelper.exe
2716	steamwebhelper.exe
2716	steamwebhelper.exe
2716	steamwebhelper.exe
2716	steamwebhelper.exe
2716	steamwebhelper.exe
2716	steamwebhelper.exe
2716	steamwebhelper.exe
3832	steam.exe
5124	steamwebhelper.exe
5124	steamwebhelper.exe
5124	steamwebhelper.exe
3832	steam.exe
5064	steamwebhelper.exe
5064	steamwebhelper.exe
5064	steamwebhelper.exe
6020	steamwebhelper.exe
6020	steamwebhelper.exe
6020	steamwebhelper.exe
6020	steamwebhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_r_up_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_button_menu.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\layout\subpaneloptionscompat.layout_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_lstick_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_button_logo_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_up_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_lstick_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_expand_over_osx.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_latam.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\steamui_postlogon_japanese.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_dpad_left_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_mouse_scroll_down_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_r_right_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_buttons_e_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\joyconpair_right_sr_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_dpad_click_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\chkSelDis.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_r_touch.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_l_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\xbox_rt_soft_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_button_l_arrow_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_mouse_scroll_up_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_rb.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_l2.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\bins_webhelpers_win32_win7-64.zip.vz.a38d399bdf8d956d6f720ca34f0c03a6b9f233e6_3157447	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\shared_sc_schinese-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\icon_controller.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\listview_placeholder3.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\subpanelchoosedefaultcachedir.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\launcher_kbm.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_l_right_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_l_up.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_buttons_w.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_r1_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_button_steam_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_l4_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\locales\th.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_035_magic_0306.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_035_magic_0327.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\btnOvrOnRight.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_stop.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_lb_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_dpad_left_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0335.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\hp_m2_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_rfn_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\layout\parentallockdialog.layout_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\SteamOverlayVulkanLayer64.json_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0070.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_l2_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_ltrackpad_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_lstick_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_rstick_right_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_color_outlined_button_circle.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_rtrackpad_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_touch_doubletap_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_outlined_button_x_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_r_right_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_110_social_0304.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0503.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\interstitial_controller_config.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_l_right.svg_	steam.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	steamwebhelper.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steam\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steam	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000_Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 321878.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3112	msedge.exe
3112	msedge.exe
1000	msedge.exe
1000	msedge.exe
3732	msedge.exe
3732	msedge.exe
2076	msedge.exe
2076	msedge.exe
2272	identity_helper.exe
2272	identity_helper.exe
5424	msedge.exe
5424	msedge.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
5584	SteamSetup.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe
3832	steam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3832	steam.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5196	steamservice.exe
Token: SeSecurityPrivilege	5196	steamservice.exe
Token: SeShutdownPrivilege	5768	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5768	steamwebhelper.exe
Token: SeShutdownPrivilege	5768	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5768	steamwebhelper.exe
Token: SeShutdownPrivilege	5768	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5768	steamwebhelper.exe
Token: SeShutdownPrivilege	5768	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5768	steamwebhelper.exe
Token: SeShutdownPrivilege	5768	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5768	steamwebhelper.exe
Token: SeShutdownPrivilege	5768	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5768	steamwebhelper.exe
Token: SeShutdownPrivilege	5768	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5768	steamwebhelper.exe
Token: SeShutdownPrivilege	5768	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5768	steamwebhelper.exe
Token: SeShutdownPrivilege	5768	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5768	steamwebhelper.exe
Token: SeShutdownPrivilege	5768	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5768	steamwebhelper.exe
Token: SeShutdownPrivilege	5768	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5768	steamwebhelper.exe
Token: SeShutdownPrivilege	5768	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	5768	steamwebhelper.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe
5768	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3832	steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 1560	1000	msedge.exe	83
PID 1000 wrote to memory of 1560	1000	msedge.exe	83
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3604	1000	msedge.exe	84
PID 1000 wrote to memory of 3112	1000	msedge.exe	85
PID 1000 wrote to memory of 3112	1000	msedge.exe	85
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86
PID 1000 wrote to memory of 2348	1000	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d93e8597dd860cf81cd913c4b997818.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff84cc546f8,0x7ff84cc54708,0x7ff84cc54718
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15364715440152386780,16451355942516132685,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,15364715440152386780,16451355942516132685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,15364715440152386780,16451355942516132685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15364715440152386780,16451355942516132685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15364715440152386780,16451355942516132685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15364715440152386780,16451355942516132685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:3712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\PopExit.mht
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff84cc546f8,0x7ff84cc54708,0x7ff84cc54718
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 /prefetch:2
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6660 /prefetch:8
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5424
- C:\Users\Admin\Downloads\SteamSetup.exe
  "C:\Users\Admin\Downloads\SteamSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5584
- - C:\Program Files (x86)\Steam\bin\steamservice.exe
    "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5196
- C:\Users\Admin\Downloads\SteamSetup.exe
  "C:\Users\Admin\Downloads\SteamSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8817288857144856216,6672083901778100969,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1188

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:5572
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3832
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=3832" "-buildid=1733265492" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal,ValveFFmpegAllowLowDelayHEVC"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5768
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:4 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1733265492 --initial-client-data=0x298,0x29c,0x2a0,0x294,0x2a4,0x7ff83e7caf00,0x7ff83e7caf0c,0x7ff83e7caf18
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1296
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1568,i,2042987064389815718,7160693125817819415,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=1572 --mojo-platform-channel-handle=1560 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2716
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2244,i,2042987064389815718,7160693125817819415,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2248 --mojo-platform-channel-handle=2240 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5124
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --field-trial-handle=2556,i,2042987064389815718,7160693125817819415,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=2560 --mojo-platform-channel-handle=2720 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5064
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\htmlcache" --buildid=1733265492 --steamid=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,2042987064389815718,7160693125817819415,262144 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,DocumentPictureInPictureAPI,SpareRendererForSitePerProcess,ValveFFmpegAllowLowDelayHEVC --variations-seed-version --enable-logging=handle --log-file=3136 --mojo-platform-channel-handle=3128 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:6020
- - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
    .\bin\gldriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:2244
- - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
    .\bin\gldriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4708
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
    .\bin\vulkandriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:1232
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
    .\bin\vulkandriverquery.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x460 0x2f4
1⤵
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
6e6a2b18264504cc084caa3ad0bfc6ae

SHA1
b177d719bd3c1bc547d5c97937a584b8b7d57196

SHA256
f3847b5e4a40d9cf76df35398bb555117dfe3626c00a91f2babdedb619d6ad53

SHA512
74199ff275400b451642cde0a13b56709735676959d65da11ac76dd645ab11dac5de048ff7ede0cb8adb3a3056b3ecbeb3dc7481bac3768d02051e564c74b679

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
17KB

MD5
2b227d98ed0d75136901847adbb53345

SHA1
1aaa7a9aee499228debcbba85ac40b576d15ca12

SHA256
67e1a8330cade761c41e04ec82a0703548afb4866d3e7a1cac33056593d73c65

SHA512
cd8e1114cd37f178de94b029b79c3af4100d25d0f26ffa6f658ee57939507e53b8cf1dde4beea59df1b14714b53c03572c840daa697eee772671eadd3ff87d78

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
1KB

MD5
a2ec2e91c3ef8c42e22c4887d032b333

SHA1
e2c738a2e9400535b74e2263c7e7d1ecefe575f2

SHA256
8f9f970835f133258a7f740126012439385bbaa5a1d6a9d0d967a390977441c3

SHA512
b069d241efb19e09ec8b5e60ef6c43e00d5cc0f774b9340127c2180356dd1964ac625c1afdfaee5f99e72b26f56046fc329aadbbc365b403af765a55e9c9aab3

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf~RFe59d7a9.TMP

Filesize
184B

MD5
3cdebc58a05cdd75f14e64fb0d971370

SHA1
edf2d4a8a5fc017e29bf9fb218db7dd8b2be84fe

SHA256
661f122934bbc692266940a1fe2e5e51d4d460efb29d75695b8d5241c6e11da7

SHA512
289c40fae5ec1d3dd8b5b00dd93cf9cada2cb5c12bcfefea8c862ddf0a16dced15d6814dad771af9103b3a5d3016d301ee40058edde3fdea30d9767146d11cd6

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8744dd6f0b750431cb882d4cc3f29661

SHA1
5985ca2812295a631d572af10ae836a5fbac9077

SHA256
c203906d7c794789b7aa24521ff6645aa15d3cf789370c08ce80a04cc0644359

SHA512
b957f36bcb438d669fba407150a81dc5d6da48930931ec03caefca8bc0cb666448582bbf5b80abaa97358bc183fc1aba82818983b2ed9ccde16911cc7c5b5ab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b03d78ec6b6f6bfc8ce2f6e81cd88647

SHA1
014cb7dc4aa1bc5d2cb4ec25ec58470baf5b6741

SHA256
983928a84fcf0791614cc3d17d92d62ffbed0bf0f141d7544d0cc762977a3905

SHA512
4699916bdfa5776d72ad2643fad072a7a19783900608290bd1246a19624d61b58a1d80eceb74215b7198aaf04c526fa8703d38f3c5fdcc1add19b87508685ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f10a388edff6f19d2e4bbb3df29542ef

SHA1
e02e50fe7a1e87c846c92170de43bf2a0f513168

SHA256
c9c4fb15d48adfb9a07c120be34ae05f9625861f5d766c048dc034c304a6d118

SHA512
8c848629cabb2fab4790a9ac2599d91ac790af2add3705c933021e7d9cda956344b53a96b7224f950a40ec8e855eb6270d6faf0d20053009ba21e42cec90464c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
95ba0df0c4c417ae5a52c277e5f43b64

SHA1
7c3bf3447551678f742cc311cd4cf7b2a99ab3be

SHA256
fdaa82c65558793b81117a66acd5645d4072f6b71f164ed2717a17cab6e727ea

SHA512
fcb35a1949664f218ae40c25fd6eaefc4ba6417034a522f0800c50ee78e530c33080faa73ff9ea82f35749d404d6b9c94fc7e8e224689503e699a5ec2b0d5abb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
f6fb24437da8e00b23855e1ceeb99d71

SHA1
202eab89a14204c9b6655dc7e57267200bb54e52

SHA256
c13b5a71d0316f6033937d2dd1a620804ba26dfe0c277c7a898dc7367ae1d23f

SHA512
748499d4453997e52842274c0bd2e65abe07a264f7c02be233dd7bb98d180f4235da5d5721e7528ea0f428dc02d6ee8cd9f764f7dc425de85b9804337e40f1b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
d280f87bec38518aebae6cbae5107439

SHA1
e43c0f7e50acb2aea23a1fa97aaebb61e8279c9c

SHA256
d72f52f55647f80ba02fc0cc367d6a8058abd4c7a6d856214e6b8e65311ba40a

SHA512
c2820dd3ce701052bda809a365b24e174061e9493f5bf2efd7a52363d7ec220d16541338cbf857172a21aae0b57870e0293e78d32082c24f94fc041199c86fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
547a7bf51dbc4a37304cf6b41995716a

SHA1
d7bb6d8f427f345dbd7b10b96edd0c181a102606

SHA256
9dfe688b42fdb39ccf6fc26b421198f7964951314a6aa1e1343a93a5036bef6d

SHA512
049069a729b2ebc444f798627cdc925f16902bd68f4386ac337d08c7c3cf7991a42c78f200c2ece39a57321bc03af8dddbdf9a55c0239ccf61f613e839c641f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
279B

MD5
861863a49990456b5b32dd1b94124d89

SHA1
9e30e80f5cad6f4abdc1b09bd534aee75ec2bf17

SHA256
088170eac3b201e5619a6a141e432ffdef438d684db7e362ac60c6a96b6c949a

SHA512
ab88d99c560e11000e2b4d3819db4c412d892682b8b4d51735c510b67678d2dc78fb66defc6be34895126bb730e53c9553849b3c19724b64518273f8c64c809a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
5666fe21fb75a7338dc9a2261e1c4138

SHA1
bbed806c6802dd1a8e54870c23d408fce1c3014e

SHA256
0df30bd4a1bad543316ab007e4a42efa7058099e364a32f718a15f9cb4a1ebde

SHA512
c653bb02bcbd8b6dde251c0c49f6a7a0996ae0e37ef5aed9eee915f62a188c7568afcd367868b9b9d1350ca986333c84dba5139a4ddc204679009c2f97b77c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
b3090df671c24bbd7758b3f2278eedaa

SHA1
bc82b102be1689e6f3bc0990b111956d4a8fc1ee

SHA256
32b851bb3eedbb780b07c870329f153e78dc6ec2a1efa7f7ec2a4b353918d1b0

SHA512
f3e6d2dde6bae6db150fcc69686dbac4ff209230be5dbc89acce9ba7c210b30ad1850115d506228bc3b705c1efc5f1ab35d1d3b466f4ef343f062b9890223246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
d38286ec2eb85c89fbdab95b12d2bc41

SHA1
925b545619848a6eba925d58fae75639dac959f8

SHA256
86a56c219ef43e3ee15b21a5bbada82beaf08095625fba0116730b5ec196f3b4

SHA512
e9f07757c96da533b50450d3447115c100e2ac67de1cd800e1578a777a0253304ed9b85d5831fbd9f9270deb311494911d493248f0b8bfb293de79eaa77d8b59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
b92d7adf692efcf2c14125c65793e235

SHA1
3e2c86e922b20d94f8f0e29eb93412c91822176a

SHA256
d9e85ff0e5334c13bfa9284dc58789f23d00bf6dece5f68a982e1a55ac46e5ea

SHA512
e2df135d22642632718798f50957d5120f2d02c541d19ff490381baf13b77a8b76f41d100ade979fac79163285feda98889027ce87a02e82f5d2cb65fd522d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
293B

MD5
df984c4d65902cbde2d404059635825b

SHA1
697966951f21a94c8ab44e44fbe22c09415586c1

SHA256
399dbabf208c72fa251686513691b5c01bf032222d312c3b324b29db3e59786e

SHA512
a2ac06c03d8155b29e8bbfc59969185aa28e097d4fc281ac6de733cc35792adce1497ca0e1c03c9da08402262df95469c272e7153e298772239d78c0d6bffd8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
738B

MD5
32db9ebf7a1ba4b5f7ec66e3ee1716c3

SHA1
c97cc329c8601d11f485cd758af9c7b720779450

SHA256
708bb986482c675cb0feac1e55f93a05cd80f4a8654a9311608c8f03bbe4525c

SHA512
d5251b56cc125c133044c743357098c677b13e0a76fc25cdfff84213ccd834dbd62d475e6aee1feba2dab108455c39c38c85e83dc369d1f2e914bdbdbbe6df3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
062a8cf737f79384c8cb9a03039e4b6a

SHA1
38f43c86784fe367d6a70181a80d7565123520e5

SHA256
3d53ec55579749750a198e05447c8a50b8440edb16805ff81b9bc94904135436

SHA512
5f274af336bacffba891bb6b0ca8a049e1932ef9b438608aa8a42cfb7b0e704f2c1d2a69ebc24528400c71139e3f6ce88a96b9da85f630951def8262baaa45d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
50d0598a23b2f94152d1f967b5b17c53

SHA1
682dc6b93017354e36c38529cbfba5d3f00e7dc7

SHA256
19d49b98649b2355dcbe008f215c7d7fe79755fdb4421424d17b5a5f8f33beca

SHA512
c6a2f7ddb0bdcc22b32581006d9404ed65ff0e98f73080fc9852db24eab99bdba068ff8d7c4ed2381c7d5dbaed9ecc44eba00995fa73396e9b5ae9ca063a0b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0658dc92b53189f012f909957b4eb6da

SHA1
4e849ae543a94dada03dd6965f82c848c573cf5c

SHA256
4a1a376deeba7223327cc6f9dc1dfabfb40997e7b8e40a6843176a75d77d0d14

SHA512
e0a5c03bc6cd2cf771b22d6de0c8dec9b7670f4d96923ab2a026f6e0efbda90d716b6033b2ba0ba96023203b0ea65b0c7fd9239cc2785c43d46dcb47ee126a9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3569fb63ec0f2e2dcbd33472ca3a0de8

SHA1
2ca5ef897092c77021779aa7242389f0182deac1

SHA256
e8c64848063727784d8bacb1843bbb08e4be9caa91b8e66b77ead4c5776db246

SHA512
d9a524378c6c09fa88d0ec8b8ddb7a90cd453be047846021762ef716da64d0aa935d7e26138b5ee5c60148e9abf765dfc11766171e839bd351c7487aec127cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
64731748bbaaf7950604c08f5adcdae4

SHA1
550594ab5e1b97d1b4048ec4f6c2770b9ffa189f

SHA256
e4b8cbf5d2f3264447bf9ad7523aa18e6239502c0d20251dcf12d28d48a6726f

SHA512
a240f938cd6ca183cee91b71e58d40498c20fbbc361939b03eca5b9372f6f09135813a96a5eacd4a2eb1146ec9119bf11157dcfec7c7ca7f3e09f69f892cd8dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d64cede45c469cb2ee1070c784d999d

SHA1
e33fd02f9b662b4aceff4d010e2c8e4058199b10

SHA256
76c9e34a4dae0bc9fdeeac0c6f7f0ea04351326644bcdd09e7d7e98d8a4a71f2

SHA512
8bbe3803b9e0297f621d82a82c6fe237e9c113955313ba6655485b8a952483751c98824fadae7ab2d567e2c44b5f2fdd221422778a9243572940ab7edcd9454b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0493f44576fd7d9b6216b7387a26543e

SHA1
47d35c7f2990ec4668ecf1c01e0e5f623153a3f3

SHA256
0679b6900e2118e17164159f449fdc1f6bf20c0cc0b056cc9aedfae42a830ca8

SHA512
a519962ffb281d471bcf63c0bf75bed19d4eeac591cf6bf8565af14dde1d57fe8cabfc05bec52b2087ce8c6f637dbefb438ce22054895dc116b31bffa18e9cd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
de79f145eba63371d5fe862a6937c3dc

SHA1
0ab4f374c5bdfbe9f3a47b32a8cd2a27d1426507

SHA256
e59f5df8fd37b8ce32faf45cc999a1fe6ffe384e88df2c1bf33f13bf09f11f4d

SHA512
37653040e747c020007d4eb9a80627965ed2a0b343e6780529d2c939d0237c9aa910e87b873090bb17e0b8a81020f13f1620f98671dfc78a7c522d8ace322040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
99B

MD5
ba92e5bbca79ea378c3376187ae43eae

SHA1
f0947098577f6d0fe07422acbe3d71510289e2fc

SHA256
ccf4c13cd2433fe8a7add616c7d8e6b384cf441e4d948de5c6fc73e9315c619f

SHA512
aa1d8b7eb9add6c5ed5635295f501f950914affc3fa9aa1ee58167ed110f99a1760b05e4efb779df8e432eab1b2a0fc9cf9d67a05b2d5432ff8f82c620a38a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
281B

MD5
a75b3456d59daf4b35dab492fc87a786

SHA1
60d7ac5a8eb865c55635bf7bbe0b62f564210bfb

SHA256
47e225f57be4534a18add9c6af828c934128242b0550b43e2049e57dcf803cf5

SHA512
e6885a5617a0df94387f834bedb58944e725b0bdfe6fe26e671013c156aad4e2f140de5da0355c12b3025156d89d1755bdcea7c7c0eb0c72ed08862d80b62c60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13381219920205745

Filesize
1KB

MD5
71fbd1b6976e18d9eb98d6a25ac84484

SHA1
d17ce71bc08beb2f07d6b2ba8c840bd747979ee9

SHA256
098d371eccf7772d9a410537f5b34dba786ef176dec41286b023074de6206647

SHA512
8129da3a30af42183f08ce09db01d5c4309704b466280efae0be29b6f9b8e817de2cc19539b34a870748b69e908ea67ada99475e718b6e3e9d3ef785e0d6f0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
43f584060de7124db60f09698e7129fe

SHA1
cd549d3b4cbede7ab7e358fce167672aa99acd7f

SHA256
d2f8601ee83c3a94d8d15e11e8ff1010730e4d8e2f92fc8a1129d925a9ca0744

SHA512
5175670fc7b6e0f8d36f988a999a9acb59eaa2b6d8c260d15c755fe2811b7e10301e8a7dc1cabaf2168a59cd8edf877a228915e9a41e88df354084f207a6c356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
19e4f2afd4a1ff72218709a9f8948d63

SHA1
04edac26db48085d5b0151d0cb43577517a92f69

SHA256
0e5a795367d6e4cb23bb6a27393ecb628fc0491151bf827789fb029742949f46

SHA512
d3cebe9a86f92251a246042a1baf4adc5cfa525d34ff0315a5733e26dc40ea8e47ec87e1ae623c81b725eda4217c7b1e9a993f54014817a466820c46f5e88bbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
27cbef6a5c885579d61fab926714eb04

SHA1
cde0eb770c009f36c37051cd2c68b44806e45af3

SHA256
5ec45f975a7b4abdbd1a2f637f0420c5502bdb69de1d3033f07322ae957e3a5e

SHA512
a76f9a54a24e6bf325eb252775186906d51cfdb293b6098d014c474ac389fe0f2abfbaad749b38729538f7d3f5decadba32a6c975fee51420647950b805bf80e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
4KB

MD5
d9f84c8cf73422f2ca07d7e7462b9534

SHA1
cff6e092bf5bf1f3f47b7074847e204042a881ae

SHA256
5bf7b14dde109f722782628bbcf3011a23cd2416e7621a62b49ee0333cdec6c2

SHA512
1ea893c62d64304c35b9086e2c7e760716ea5ce220bafb76632670fcd2f97eca5c6693ff98004a861b190060c47c9d97ac92b41e3b1da1a4e8f89d9638548c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
905KB

MD5
a51443f3a062861e684c76ecb10bea0a

SHA1
ce32050ece7db2fc4fe1c31d46ad5692421d5378

SHA256
9b4043a509da0e913ef70d49449892b98d57c413aa3b4b69da3c4a7db00b6681

SHA512
ef1fe3eec2d67cd0340b4f11a9e2bf70e7cddbd7412399e8e7638cf64ab53085088957c6176c80d5264bdc0383791a911c532a2a0a663ee5118f2f2f52ceca29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
279B

MD5
3fd56b9acdd0442e89ecd2ba3acfca94

SHA1
47760c5f36981f7b5eec3b7b7877b346c698d525

SHA256
efe3d85285dd4d1b3299337c94ff42c3a63cb8eb350c74a71edbad9096dc822c

SHA512
3dce66e2b844688f917a3ac2c42ab8932df1adbb1f554070564a3900e0d2f74e3a653c1f5f8baf70b5f3e56db83773be71058dd821721cc1ffdf762cb5df74dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
160B

MD5
2e19a9040ed4a0c3ed82996607736b8f

SHA1
5a78ac2b74f385a12b019c420a681fd13e7b6013

SHA256
2eeb6d38d7aad1dc32e24d3ffd6438698c16a13efd1463d281c46b8af861a8ce

SHA512
86669994386b800888d4e3acb28ab36296594803824d78e095eb0c79642224f24aca5d2892596ac33b7a01b857367ed3a5e2c2fb3405f69a64eb8bf52c26753f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
297B

MD5
97c71e2733d5062d6520fd2018799a2c

SHA1
6f0e8a3a27b32c9a1108b72500ffb3a9bb738ef1

SHA256
a1c25242966de024b9cb6a812a63753e05128fa5ca4755bb59a161bd5d149806

SHA512
3f1f5283e2fd8234ffd4d1d4ac96fd6185c1fa532cec4bca90ff9a7cad55222fcfc3df0f2bca6568397a5027e1211b8720298f9cfe34d8d8806476bebe8221f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
55e63c7d5223e238850517e193991852

SHA1
f2550f2e76052a7ca0e2627417cf760bccba69e5

SHA256
affa88b075678ee2ef8042e1e4872fdd43888a74a4786c69528857bb57faf7b2

SHA512
4348e95cb0a7ee42c6400f613295b6c59916942a347cf70dfdecea65e02cfeaa911df548ffa4cc78d2a8af6012ab8861d48ed0afc57f49c99b8e7c92339a7db8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
a0398580325cc1beae0494f9dcfc76c1

SHA1
9e7dafec8c0c6f8b0af303fdc34fbe310cde9735

SHA256
a049067c41db2e2f0cff9da91dbe61ffb07a5fe286c21c477e6fddbbcb8f75e4

SHA512
a28b8441afad5e2d630aceabaff81b881efe896704757c76b247380b769c146f4227dcf1851973f034ac20b38fef6943f671375fd1931923dfa75538993d8b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
2a094c9a300d4b13e46beb2178c205b6

SHA1
ae1097e6af4ca53874a9dfeb3a3b22480972e09d

SHA256
3707c8f1a1e3e98cd4ff46bbd7c7f14c45972bfe0e32b11bd806f141eaa0c005

SHA512
2a887f14f8f6c6d587748b8935ca876b9142cef8cf6876ddede082d934b6d182ba76b6a91542486500d013140dcbd8ff219f65ab4c0f9bf4cf6e16323d940dfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\index

Filesize
256KB

MD5
c16762b2fcd16ed61412d617e8e5844a

SHA1
c0b7b223af66875a695ab5952ad25c069d785784

SHA256
b2fd743009edf96de1c45d58432d12aa7651e6fdc08f174d6f145dc61c026590

SHA512
8fb3d8c47477349c6760a4ebf4d8dac1ec07787d24d0f3e7017583c92eec1bb8d33a91f8223437006263b8d551f55c49fb6435e0330e82edcdec48b27285cc15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7542851f21305370279b00bd10e7e32e

SHA1
bc73a32da7badac46c7f92683eeb5de89bdc3a8d

SHA256
944513e5c7b75f35b27927b6a2e81730c6ad28a80f2c2bb4b5913d30d8649128

SHA512
f7dbd886143eb49c896ba01ff64f1eac3440eccc12e5c29e28bcb30777cb1bdb10e8bc37e49955051e5f6a824f7ac10c911cc2d6136bbf299c58fe702f696ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cb9814ae0f9d341596d68719b41fdffb

SHA1
071e5fd49883beb4a1cd55dc06d01a1dee0cff4e

SHA256
afc17e717bd90c0bfd3b3b8a29e7f355c6b5a79d1518a0282f55e465e97f0aeb

SHA512
95e01737722d58b5d364e044ea3b3dc95edaa7523517ac25cad9eddc0be92f274d6089cb7798d0088ba3ae6b68062ebb5f2ebf0e64165cc3efc8d0bf88f61df3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5e77de5f6a09c04941ae962d6bb6725e

SHA1
127db5d24c49e7340b448cd4bcd59b0c0f693382

SHA256
6d527868ebeb12007c20568b26111b4719b73114f04ee25f8e890b0e9af31515

SHA512
b110103f7ab1b32d42dd4cf78ee97a395e66cb111e63679ad9721a70f031fbb800865f80fc59e9adf4a6a5e82cec62a4a7acbdc5db844c5bff4ebf4c31b4628e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
6a3a60a3f78299444aacaa89710a64b6

SHA1
2a052bf5cf54f980475085eef459d94c3ce5ef55

SHA256
61597278d681774efd8eb92f5836eb6362975a74cef807ce548e50a7ec38e11f

SHA512
c5d0419869a43d712b29a5a11dc590690b5876d1d95c1f1380c2f773ca0cb07b173474ee16fe66a6af633b04cc84e58924a62f00dcc171b2656d554864bf57a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638343870221005468

Filesize
57B

MD5
3a05eaea94307f8c57bac69c3df64e59

SHA1
9b852b902b72b9d5f7b9158e306e1a2c5f6112c8

SHA256
a8ef112df7dad4b09aaa48c3e53272a2eec139e86590fd80e2b7cbd23d14c09e

SHA512
6080aef2339031fafdcfb00d3179285e09b707a846fd2ea03921467df5930b3f9c629d37400d625a8571b900bc46021047770bac238f6bac544b48fb3d522fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
6955c4e98ff7b8f294e1ca048bae78bb

SHA1
0a4a55a4defffdd1ff4aac73a40424154296526f

SHA256
0263208ba0913b249321ac86e129a7542a256e378adafd6e4156dc52879fb67c

SHA512
12588ecaf5b248abd9d097087fe05a528980db1158266c4c9b81659127733240b7ba142427980dc3c7559a15eadc0aa9087858deea8210bb94a78cc3ad4a9232

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdD0D.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCEE.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCEE.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCEE.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCEE.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 321878.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
memory/3832-13157-0x000000006E5C0000-0x000000006F901000-memory.dmp

Filesize
19.3MB

Download
memory/5064-13047-0x00007FF85BBA0000-0x00007FF85BBA1000-memory.dmp

Filesize
4KB

Download
memory/5064-13046-0x00007FF85AF70000-0x00007FF85AF71000-memory.dmp

Filesize
4KB

Download
memory/5572-13005-0x0000000000FA0000-0x0000000001452000-memory.dmp

Filesize
4.7MB

Download