Analysis

  • max time kernel
    124s
  • max time network
    124s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01-02-2025 16:57

General

  • Target

    https://mega.nz/file/y2gzzDYb#JQaLxiA0teFCssQK0NRwWLJJMsYZDjFers2A-gDz3fM

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7950582701:AAFn4xZmuuHEE2nNVozg9gM3rt14h3XD1Vo/sendMessage?chat_id=7697201963

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • ToxicEye

    ToxicEye is a trojan written in C#.

  • Toxiceye family
  • Executes dropped EXE 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/y2gzzDYb#JQaLxiA0teFCssQK0NRwWLJJMsYZDjFers2A-gDz3fM
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3432
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb74c23cb8,0x7ffb74c23cc8,0x7ffb74c23cd8
      2⤵
      PID:884
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
      2⤵
      PID:4644
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1644
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
      2⤵
      PID:1028
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      2⤵
      PID:1292
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      2⤵
      PID:2856
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
      2⤵
      PID:1340
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
      2⤵
      PID:2476
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
      2⤵
      PID:2944
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      2⤵
      PID:1824
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
      2⤵
      PID:2792
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1616
    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4728
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4104 /prefetch:8
      2⤵
      PID:1984
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
      2⤵
      PID:3184
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5860 /prefetch:8
      2⤵
      PID:4132
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6880 /prefetch:8
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      PID:3940
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
      2⤵
      PID:2680
    • C:\Users\Admin\Downloads\t0arlre53k.exe
      "C:\Users\Admin\Downloads\t0arlre53k.exe"
      2⤵
      • Executes dropped EXE
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      PID:3672
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1308
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp3F80.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp3F80.tmp.bat
        3⤵
        PID:1880
        • C:\Windows\system32\tasklist.exe
          Tasklist /fi "PID eq 3672"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4584
        • C:\Windows\system32\find.exe
          find ":"
          4⤵
          PID:2464
        • C:\Windows\system32\timeout.exe
          Timeout /T 1 /Nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:2568
        • C:\Users\CyberEye\rat.exe
          "rat.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1428
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\CyberEye\rat.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3444
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10553036661381251657,2481698050674055202,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6440 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2516
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:388
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:660
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004CC
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3600
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1848

Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                        Filesize

                                        152B

                                        MD5

                                        e9a2c784e6d797d91d4b8612e14d51bd

                                        SHA1

                                        25e2b07c396ee82e4404af09424f747fc05f04c2

                                        SHA256

                                        18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

                                        SHA512

                                        fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                        Filesize

                                        152B

                                        MD5

                                        1fc959921446fa3ab5813f75ca4d0235

                                        SHA1

                                        0aeef3ba7ba2aa1f725fca09432d384b06995e2a

                                        SHA256

                                        1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

                                        SHA512

                                        899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                        Filesize

                                        72B

                                        MD5

                                        6595e86654d80f018453ae185de822a5

                                        SHA1

                                        bc3c932368ab00eff47dc0995426057d7d0e4852

                                        SHA256

                                        e0ea63f8dba50e8542ca24794090382796b8c09b05527d639469148a0396d09d

                                        SHA512

                                        662c7c6b51753bf4a17d5294a06e78767330299255496928dcfdc88f6a40001cc8cae37a491f59a86e14f944fa72acd11c1a5053b019623cf30a9d0affab4924

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

                                        Filesize

                                        16B

                                        MD5

                                        46295cac801e5d4857d09837238a6394

                                        SHA1

                                        44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                        SHA256

                                        0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                        SHA512

                                        8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                        Filesize

                                        257B

                                        MD5

                                        cb2c370608ed5735aec0094cbed1ddbb

                                        SHA1

                                        8b9da953294d7078e9636c4a122d4c98651bfc17

                                        SHA256

                                        01fc00c66b187f3bcf3aa0ab676274ae4629fe537f3e0a50c9c1528e0849d5b6

                                        SHA512

                                        87fc267886df91e9602f890fc931ed971f6892106bcc67774c5869f124755389f6016945d099a9966c08a93a1c1110f5d93242efff93a55de02cde39854ac9cf

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        6KB

                                        MD5

                                        e65d8c1e022b7fce91d4f7005f1d540b

                                        SHA1

                                        daa44f5a637ca868a0b74c5daac11b813bffad60

                                        SHA256

                                        c986e96e57e77f5c70f5f3cb99fcd03cdc9a4da8fd606b8f664fb7fcdf6934f7

                                        SHA512

                                        45a66618d51939eeb9da093a611edbaa95f6384a62d80bd3640957cca309ea094e4fc7af40aa0437c5e38aa4be41f685dfb55f797a8017307a4b43bda3d23cc5

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        6KB

                                        MD5

                                        6cbdbebc0f98f7393db8cf3b8bc9c19a

                                        SHA1

                                        3452a14b6b26d4d2ee699cbf329f3a9fb76fa9d7

                                        SHA256

                                        db4b82876d60faaadd0a0c59032efc3b11bcf6dfa275bb0385d777cb5198780c

                                        SHA512

                                        1a5bd5633fc3bc95f00768bdfeac790ff5542e302122b8e0c08809ea6d912db8bb60a35bc31263e6a56c3d6747cb69a8744ab5368659d982b34c7fcf1cd7d66f

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        5KB

                                        MD5

                                        c648f530e20dc337aa531644c02cbfc0

                                        SHA1

                                        47ec9742b577b0540420ed376e5eeaa3d6065b24

                                        SHA256

                                        68150f082324448eae3120f02bc0489a4b67a0c8548dce70d4a998f28066f2d2

                                        SHA512

                                        8674f523b3ff4365566702dcb027c3c9403dbad228e606af031c9367926a068c9ba089860dca616b1dc965775bb28b3fdac8897b2f7ecdf0e8fb123c582d1acf

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        6KB

                                        MD5

                                        964e36210f6d63365a261b80766828a3

                                        SHA1

                                        934bfd13f490eeb1b2561a383416163f91681431

                                        SHA256

                                        633267b6c0a1cd7200ba0a7dea5219c01069740a52c1df9b52e6e7b2e646df80

                                        SHA512

                                        5351a03dc8cb02a28815b78a050cb958f8c205f9389a9e384e04ab6adf64df2b9ef40a40f01aa4251cfc8962442fc5ec0354c73f5053a1de6e0a1d45be6d1f55

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

                                        Filesize

                                        41B

                                        MD5

                                        5af87dfd673ba2115e2fcf5cfdb727ab

                                        SHA1

                                        d5b5bbf396dc291274584ef71f444f420b6056f1

                                        SHA256

                                        f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                        SHA512

                                        de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

                                        Filesize

                                        72B

                                        MD5

                                        f16760ee14f1fab29a2d5f96140a2504

                                        SHA1

                                        4342cdfebdd961662e5a23c2e355c8c21010d985

                                        SHA256

                                        1c7c3ca299ebbfafb844d74608998721ce69013b66c9084297f7a3d36a81afd6

                                        SHA512

                                        dbe2a50f79b44f73891759cd1e2477337b682e18cb4a941665b2ca5b4a0c2646c7bae952a570dae8efcc1c7a694f72700bc85e8428d501bc20718ade9eecc163

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d273.TMP

                                        Filesize

                                        48B

                                        MD5

                                        6df1ed0fd2827134dd2d87a5a4efe67b

                                        SHA1

                                        c70041a35fcdaa33957e0d1003dfb5d046d7f8f7

                                        SHA256

                                        69f98ff08fc62aec36dac6d82a1a30db11e1d37767693be06cef6b61642fde4a

                                        SHA512

                                        cf4520027a2c7e4aaf3a1dd6001e9ddc7cfd781de742ddd51937a27bb7632ae278b47f2ad79c40801191694272f34969ffec2be7c3ef0d6c98e8fa481ddda421

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                        Filesize

                                        16B

                                        MD5

                                        206702161f94c5cd39fadd03f4014d98

                                        SHA1

                                        bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                        SHA256

                                        1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                        SHA512

                                        0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        11KB

                                        MD5

                                        b7310985bf8d92e7124252583d2e4285

                                        SHA1

                                        43eccfc4dce36516f6150d632e9e2e54923131f7

                                        SHA256

                                        b17d20d687b80cf68b60e8f2b368dd0cfd7a2d8d197bff3a69ddaed07c763b9f

                                        SHA512

                                        3bc682b0d6f2ac1c82f32e76d7877f75cab9d57ae93b58a39117da0c312e8870b00e3dac3c870d9cdb52899f0e1058168eca948b8f1bc6ff129120fa343c8f0a

                                      • memory/3672-290-0x000002B6EE830000-0x000002B6EE858000-memory.dmp

                                        Filesize

                                        160KB