gh0strat | 2e8a6d8e3f5e6fe16ba30fade1d097383fd8a408bd87220ed386ac61b3b7e79e

Resubmissions

28/02/2025, 07:53

250228-jq9jrawmv9 10

28/02/2025, 07:46

250228-jl5p1awlw9 10

Analysis

max time kernel
1720s
max time network
1721s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3293e67122b2a0f8bcdfb4bbc6576ac2.dll
Size

107KB
MD5

3293e67122b2a0f8bcdfb4bbc6576ac2
SHA1

bf3b11eca3ef68b591755febec08b189a27cf691
SHA256

2e8a6d8e3f5e6fe16ba30fade1d097383fd8a408bd87220ed386ac61b3b7e79e
SHA512

67d7b102077fe0f20ba502d45da7ec428322b9d0829e278483bd36ddfad925a2903c25c1bcc008954a4cd9b0eda68d7d1987edd2c1e022dbf1c7e813cce56c14
SSDEEP

1536:DbAJjSaBsyZ++i5FyV6pxPpzUsLSpc6P2fcOi1jToKAoSwzkK8:DbAJjS4lUZga5SppPgcOidToKAoSwQK8

Score

10^/10

gh0strat discovery rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/5000-0-0x0000000010000000-0x000000001001F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3844	msedge.exe
3844	msedge.exe
3176	msedge.exe
3176	msedge.exe
4708	msedge.exe
4708	msedge.exe
2736	msedge.exe
2736	msedge.exe
3260	identity_helper.exe
3260	identity_helper.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 5000	1476	rundll32.exe	85
PID 1476 wrote to memory of 5000	1476	rundll32.exe	85
PID 1476 wrote to memory of 5000	1476	rundll32.exe	85
PID 3176 wrote to memory of 2840	3176	msedge.exe	129
PID 3176 wrote to memory of 2840	3176	msedge.exe	129
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 4628	3176	msedge.exe	130
PID 3176 wrote to memory of 3844	3176	msedge.exe	131
PID 3176 wrote to memory of 3844	3176	msedge.exe	131
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132
PID 3176 wrote to memory of 4672	3176	msedge.exe	132

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3293e67122b2a0f8bcdfb4bbc6576ac2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3293e67122b2a0f8bcdfb4bbc6576ac2.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch -contentTile -url 0 https://word.office.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc43ac46f8,0x7ffc43ac4708,0x7ffc43ac4718
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,12585728281188223869,13348019230858071368,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,12585728281188223869,13348019230858071368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,12585728281188223869,13348019230858071368,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12585728281188223869,13348019230858071368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12585728281188223869,13348019230858071368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12585728281188223869,13348019230858071368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12585728281188223869,13348019230858071368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
  2⤵
  PID:3760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch -contentTile -url 0 https://powerpoint.office.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc43ac46f8,0x7ffc43ac4708,0x7ffc43ac4718
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12574466865610612064,17403455041767133474,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2776 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
89a360a27c368ec94839ac27c5ebcbf7

SHA1
0bdd98c89db17b9a9abb898e304089f3d90b9b1c

SHA256
deb17d7ac3649174f85bed7728a089608f89687972f6c3845baa1245cf9aa2de

SHA512
0da49085517fc2a8e3d581e1a1726d04dc5563cd5e54b2d90f0369935ec0121dd1fe2d8d613f949bc38e714e38637f89dc3ccb8d2ce777f6657e8a6633a77272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4da2c2663191785c20d55151a7ee4ca7

SHA1
c94020bf039a1b2ec462c5bcc0f1704a313fc9b1

SHA256
7203755941a19128fad02c34c13a66d64d2cdbcfb35a83ad002d9eb2ce1b3e69

SHA512
c85a97f992041a36d44e64969396be650d8966991167ab278170494141c0e7227891064b2b0594b83246467a24a87d8d2748a31642ac68e52930bff134aa03f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25f87986bcd72dd045d9b8618fb48592

SHA1
c2d9b4ec955b8840027ff6fd6c1f636578fef7b5

SHA256
d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c

SHA512
0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94bd9c36e88be77b106069e32ac8d934

SHA1
32bd157b84cde4eaf93360112d707056fc5b0b86

SHA256
8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27

SHA512
7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\54d7c20a-c604-43e8-a2a6-6e9e7821ea11.tmp

Filesize
706B

MD5
8b37cac1f46bb7621fec8c1780f45642

SHA1
ffb7a7ba5c99134c389c47b7f90282664e01c7e4

SHA256
05423731d1dc92ea37b7ca42802db274b9ccb1169d064687553d7c095e8dbe5c

SHA512
e3a3023249b53e5c4fffc674e90388784cc3c11353d5a287618f499c185fa7b598368dc12634e2e6ac2b4ef8b16ffc3b1cf106d7b7948faae5960b419884d7d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
3a671fe9b1830a5a55234ea3c4450db5

SHA1
b969cfec4787f33cd15d63fb8689858fee04fce3

SHA256
37ab777330525bca9cafc33e9217de099d4dad76a7be0c025cad69159cf8e979

SHA512
b55bbef6d3aebb4af34321c49a280c15723f241553445bb1c2c0005d01b3c190bc7dfb762da51f4360b11d2b9a6f64511c70e0a3c658718a3c316de4ea0435e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
9d86e1a1e2cc2bf142915f9ffb73665e

SHA1
b2ba6080a2045f9ae4e03685809bd5fb803e57cd

SHA256
90d45bb3fa7b8524c5e65172bda498042cf103dde8bd02495449efd49f6bafa1

SHA512
03b661774a256d9cd0637b1fdd3c473f1bac5c3764663e1e0d37b806d76c36d583fabbd789ea9cd53b3c919f391ad5d9dfc1dbf99967d9be01657abda53d8518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
5d54441aa582c20b6b92dc03bbd4c34b

SHA1
ad0ae0b0198301e5589ddc9e401ad0a141d2fcea

SHA256
08fd71bcb27dd194f7bf5f5e1e6c82b9252684912f418ef88eb78659777e529b

SHA512
c8998f496f8b98831d62bd4b23cb3c39acc6e4dfd2f8d7efb35c980579464077f007014f9c9a45a236544aa394effa766a08140457006bad60a3b6bef20d57d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
d9b85faa516e62fafc1591e15e0400d2

SHA1
7c4c3316c1b7117d60b353d195a586722f260ccb

SHA256
61a9eef31e71f90741406122d9d909d24fa04cc20fea404c3a9e900f0e5b3d90

SHA512
94ef4bb6a082f61ea7c04585347746a0edd0e0c2af0d68d09f5fa9901484fbb3dc5e20d9eca206aa5ca67da7a64b5608b8dd714545d893f01f9ce683b711faef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
19KB

MD5
3ba4d76a17add0a6c34ee696f28c8541

SHA1
5e8a4b8334539a7eab798a7799f6e232016cb263

SHA256
17d6ff63dd857a72f37292b5906b40dc087ea27d7b1defcfa6dd1ba82aea0b59

SHA512
8da16a9759bb68a6b408f9f274b882abb3ee7ba19f888448e495b721094bdb2ce5664e9a26bae306a00491235eb94c143e53f618ccd6d50307c3c7f2ef1b4455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
16KB

MD5
ed8c452ba600b5d01523ae92ec363bda

SHA1
26de5667109976a5a0d26723b277471df8a85207

SHA256
3320f5d52a68637aef39c696bf824716b206019d8ffbc4b3a23a6f0e9d8dc44c

SHA512
c784cd9bc0a858a7a309a9b2edb8a9b1407751ba2cc68ae6420b72a2fe0135c131d9b1fbdcec8760c2ec4ac9597a9e46b4bcbddfb9e360dc92c281f924878f7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
120KB

MD5
96e339d86011bdac1fb27e77b9cb3b36

SHA1
ba352b1214ab132dcfe4a139fe0a39378a6ade38

SHA256
a2a45d472c6b2c0215ae6e643dea95268e3dbbb813db2fcb991415e09671f6fe

SHA512
554eedd482d091dd1f79a51b24e41ad446f1d3fd1f57466d0cc1fb75eb87ac19219955167e8167b0aee4c4358bafa8ec7cb4b6633afd0d52b0c461349e042197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
59KB

MD5
c1e82bf71add622ad0f3bf8572f634fc

SHA1
6ca863d4cab96669202548d301693b3f5f80b0d5

SHA256
ba48af15d297db450dc4870242482145addb2d18375a4871c490429e2dc5464a

SHA512
820a7f8a0c8ea33a8fe1e90cdc35f45dc1e143e836b0d8ea047e1e312f8caec72cdee4e7db54760a4d749cd0acfe103a27e39a9a56eb2d704e448a67b0d0c079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
113KB

MD5
81c7b985343c317adeea2c28f5c6ff4d

SHA1
7a04d6215d0b79eede6823c4b3621795ad552534

SHA256
6bdba6f0d2271dd20e6e6aea2b459a1a23050ede1b3bbade4c913a1716f6e491

SHA512
ddf40137ed7f870c5e7475685ba9006f9c99c7c0632a9e7738dcf9bd081c105aba5b94b3302bbd26dff413dc065fc442d3cdda33684709d6185b409f08158085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
34KB

MD5
57eadecac2a031883a702f6b12a14502

SHA1
3c1e4f5abe11775dd678085eac97029df618a9f7

SHA256
c76276a58dfb0e4d68d277526e5f05ee357e13957b4c91be2c74be7cd20b065e

SHA512
d98ac263512c6cdb0a522c8b550f4ca8b901f620a1ed416c49163b28e0d5d08ea9605bf681f9f0c5567eb244bbd319d6596c6b46e860f48ad5ce31154dd2ca5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\03f3a69856202ce6_0

Filesize
280B

MD5
34925764c3059431e0745b9f5e570875

SHA1
a63dc59bb24fd6a7da4f6972c90f0434bf72157b

SHA256
9181306b2c0c50810d645ab67b7deb831b1444b0ce0a05ffc3f9edaec45f8baf

SHA512
37f4a2d7503d00607a2e97ded8d93a03e2e879cf183556224a1770435e7fc1ddab712a75d96ad19312d7a31ad4d527a6c42d2263e98a344b822228fca5fb2123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0bd5339676cbd492_0

Filesize
284B

MD5
ce975936499d6090f4641f1678db5273

SHA1
724a67aeccd76b67beadf12a89d3f74f04d5994e

SHA256
f64c1c9b8c74b18c39c78011d4b6cb628c5a41be288490b754078c7d99733d53

SHA512
cbe20853641ea70e54158e4b95bdc885e4120d8ada2313529a93ca0ac2136a7ec26ada497aa0143e33df624375bad5f9848797f129f427f30125033900bd2166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1481476378cdd475_0

Filesize
261B

MD5
d5d5d8624eb985fb460be6cd67feab1b

SHA1
367f4c2ad8366a9f43fda7df0df4789a86988dac

SHA256
e69cd360729298dc9734a6703d64c5677beb725bfc88bfdec7d40700f8481516

SHA512
27e38f824d746ec596d633c655ca6d537a0e4d35c0f53ab1656650aa55fe30ba94b2528ad60dfa41c2c4509f492585af9319b322cc0350807824f64c20c606bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5067c5957a88e7af_0

Filesize
243B

MD5
a02de287aea048cdb36c967053580389

SHA1
5c8dc5f501db6d722c7fa93b2d684a20df68e7d7

SHA256
99ed5f1045612911ec86619ac6a487b35936ef56411b2d9415908826188da4f4

SHA512
1cf6abc5b400d233047655b7ffab46e59b24f49742e5865e1a293d6993ca1d8771824332c81cc24582240c2f275d7c14667a567a0536a80db716a2bd2b51f8b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a0e3def5e2c04b02_0

Filesize
286B

MD5
f191b3404379e0fdadd7259b822afb0b

SHA1
dc028a540a4888033503992c0d257464f045c459

SHA256
36a4e387d7080c9ddafbd7970ab69bac97b5488a9f838c591ae53294feca056e

SHA512
c23d1df3b1de4389eb0d1f5d8a83636644744a5caacb8f26b62ff7830dd5b220f1d894fb81bc1005b659355053d0c1e1a5305658c32ed1cbcdf8062f40bdbd12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d9adef1bacac0518_0

Filesize
290B

MD5
a61cb7c85a0bf7fae2c94caeaf0031aa

SHA1
2bb9d9050ebaa3cf159edf2c85de1683cd497358

SHA256
f1b038e51f88cc5c2275d8bad87e3b5e1525048090c73efc2722a5d43e5992fe

SHA512
bfb4b3d1083561cb41b80b3f601d51e8a8a0f8791946fc8dcc25b4958e2086f19e1ad25e6beb67d8d5f7e373297f74eb4b9c8c629baa2db7b2dd2f65f9c363d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
7c13720b2a98789f93f8545120025d37

SHA1
cc2507ab1e195d72c75c956d56452ffba8380ecc

SHA256
2f9280a7462873e609f272f6fa875c1c1873c4d9cc1ee7f611b3da00214f52db

SHA512
0753952e1bde669299e2f3a93f3e31c61a4d43ade16317887bf70d92c075627c17fc0ab4487a9232908f10bf9aabd1291b1565afb8de663142f653db49ea9683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
a8e5e9f2603492c236ed422abd37b6d7

SHA1
5fcb329b52e21f8b7f4cd32199bb931cbbc1d1c6

SHA256
76ef2143724b295abcb12523bd266ebe2647790cd7f0b4c5b20df06416d30076

SHA512
ba93496ad7451b528bdf6ee9e3ff6b34b0bd980f10e6edb8bda00d7265980247bd2a789008b15d9149f74e0eceba73280fe38d1fb1d24596321e8885e22e964d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
351cef288f29539592bd917936cdffb5

SHA1
0a375ad0e401ce21c40743f4b266f80450151751

SHA256
e7e8e5b82e4faa2db553f6993dd7c482c18a4481a4f13cc38c9b36c4026f36df

SHA512
ded1ac8fc116938b925f4c50b173f94611270db35bdbab71d4a343b8d8823a866c33e415dd07ba4541fe7b71f8129b2b84814ae790b5ebde3e48aadaa262519b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
54bd966cb00e6e98c793a5c353633501

SHA1
1d4933af5df59b3e1d8be73fe1893d15ea092044

SHA256
38a97e9cc5c3d0fe7f85a367609fca06832ac21d4ce12e6f51d6279087a60f73

SHA512
6cb259e3f62ff30faea38eb8cef990f7abda319b9ca903300047d9459e830682752ddd9e27c0e68e5263516e6b791290e545be901aec4fe38127960a905845b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
24KB

MD5
9e70627d2ec0dfd72895c4fb9263161f

SHA1
52905d130033dac5d197bc0151a689fadcfc8cf5

SHA256
fca9dc527d32cc3cf1e1b823cfe679dba5d3735bee341b7b57aa0bbcbac8cd62

SHA512
2b73b325f87be3cc5c1eb4cb26f063f943b15461201a3cc103bb21146e11f502ab61bcf54af8539d0d353da278ee4c8accfbca35058e10d1717a0d12bac56fde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons-journal

Filesize
8KB

MD5
ac690bc1f294ec253d23426a94c6ab92

SHA1
ec3049716acb953d001f5918089db77580ec382a

SHA256
0a621fac64e13580d20a4ec55d3ecd4ce3fed57457d4991b616b4c5afbb302a9

SHA512
f4a5eaf4140d3e53c1d0296ab2e86287af87d4a2c5dc1877d6a06d1ec6287223a6560519b14e32137ac900c994eb0a7398d6a39e2173bb52232668ac723d96e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
7ae142a772f7f0c66d57741a9456b020

SHA1
fffd0d4a9bf459901da1cd61233bcc3ebb114fa4

SHA256
45d3a3f599c953654aaad63613ebc563e3c14307ceafedfed2d157e90b6984fe

SHA512
96e2e95c725d9455657d3b6b91690cb2da0d8474f8bc32614f300be8c696cd5789ef883090a631842be0473d5bf89321f632fcfc91d168cefc9ddc118b36451d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
4KB

MD5
2570855e63f22383d5ea5acd5a2f6a54

SHA1
f4350aca72629564eff68459d2a604aa0f1e910f

SHA256
eba2ad5446158ad2b7292c5fc15cf221b0d150bec25dd2bd00d02a107969574d

SHA512
5309604a161559834a5fe5c335ce3a830d65eca90be0518b8a77a18bc5df3ff175a64b484eaee15810433782926958a739253e4741e504fa1690fb98b032a229

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
8d35d85581b9510e7c5270b362428d67

SHA1
a01b398c6c1ca62d6c8befb29fe4f33971b82ed7

SHA256
9b835895271e9b1311713001575d68a522d3ab00fd1add596f56f04f46d0dcb9

SHA512
c88e5fd55315a2101cbeaf1f8880f55233767905169890a421d1b8a67db79c1e92ca55fbf44bf7e356f30da7919fe45940c0e8db2dce9b1f950bb2ca00796081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
170B

MD5
e3266c91802feea451559c9e6e965b59

SHA1
81189939ea49f354524f3536c0425d8c34591a75

SHA256
733a699715700017ab0e054ff50c0f3d5516fa8fd775d14945816ebd027cd777

SHA512
4ac3822dc10eafa5f025b1f4302a22714903c7894592df19798463680e1fa6f2bd1b34812ebe2a43794ed81412d39d0e13d9e8d10a97e0118bdf206fb69d8ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
97d6d292e755adee2a4f662fae51aa45

SHA1
907e6eaf7191495d71f6b333644a875013c7f95d

SHA256
7fc8fd891e9dbf322a97dd879fdf78368cdd1c2cbe416083964a822add1b7884

SHA512
cb6119c400397b6c0b6189b3f3ae2853c33e8b98ed0fef05f7c1b1c58e257a4c2a3477b92151fa947425a202d32e557a8b780cd00888801361aaf62ab01f788b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
513B

MD5
48a3598ea00d36b5c9bf45ab82eb9674

SHA1
fd4b7fba15263e0b0d9717dc57432994cfd763ab

SHA256
019edca128560fde6ee17b39d5b625f92d0d3ebd3b3934d396ce537b13f5bcc4

SHA512
aab8179b4436590eaef149eef8c5c4cf1522b21ffbacc440ce2e69a4e22ad2c760660ad71dce42656ba7f0d90119ae7cc894f36a1135f3bdd3d22c7200d85bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
341B

MD5
e8e444f823804b37127f90c132d83285

SHA1
aead5f9fadda5d5b48b7130c34f0071176e9968e

SHA256
6cc26e8053d5f9a81e558044f46d0ffbc152ffee29549f6c296de2cfad4e66a3

SHA512
ff6492709762b08566bae88e5e594f17751fae38c080e126b2866c8b21ed473b93da03d9fb759f24e55b1f30db8d9cfc110098ed8a356b51592c49b55438741f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af3c09cef487c00c2468d4fa32d68e77

SHA1
617431fae8ce3dcc7f7a71858386fae022c94084

SHA256
aa60763a550368bd1337bca6062db32f513875ca721ba66a92202b87cb058121

SHA512
a41cbebb9caa57731113ed352c7f5c904f64489183e6e326b895ca4019880eecad5bddeb6a170156662c39889ab3723a22bf9d568bb24848f3dec66c28502a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8686f5351afe6541f6c56630a10a1379

SHA1
2682e25c4428ad405764135c96ba43192cb05499

SHA256
477c4e0d4b4eebebb2fb5b8e06e0c6f8e7addd610a9c4e380cc125fa94d1b7d9

SHA512
4db67b1d74bf306571a54984044a6b0c076244f61f625d2e4b232ead73ea5e0d264a5f1b43f6e6375262aec3653b7fe34e18c160e044006abb5ba7c12a3556af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef25d8b550930aefa7206ff023228c82

SHA1
62112bb97f971bf0ec77971bc52fa8ae2a3f1c1a

SHA256
b3c3e1767bc8cf57844af6c5dcedb50058683e0025e668a2aaae6ce1eaf8ee5d

SHA512
531eb1fcc27612bdcb4c2025dcea05524033647666e5b1dcd93c7f84a4d004a20b8480d947dcf81ccf8a636c8c4157b3a6f702a86011c613d8914c8a8e0f4439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f58f390f2c567edb8818c73ee07e2d64

SHA1
1735d5a5eec52cd4d8e6f1e194b3574a057557d3

SHA256
9e5a691607e6c548b930352b30487ae7f5fee18f2b5650fcaa43b61fe9b36608

SHA512
af06c9bb0b11823c432e3497061de7ef107fd45d496f81d9e48f2c4069998c5ff8090ee34c7043502a5b9b17fe27bf4159e210527bf59408915534f9a831d713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
6481acc25c5a1ca941a34756268b27bf

SHA1
4eee3b4394b1939407100e83508669805a1be43c

SHA256
1c10585cb718f758659e122d3570bfb2e8a14ed4f6044b1178c59742547e416d

SHA512
a26024f2fda330490d86119d9d762011e2b240b0ac5b150f42ef596c22ed031d2ac4923bd72e411b37c1c9f6d1b951a63bc5334ef7a3fe897c6e35b3bc734c2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
46197ad7ed5343077ac282710dc58eb4

SHA1
dc6d2edab34bd8f4414f49ea453918abc39c6432

SHA256
3748a0339ee7c0829200f3a6d8d109e20c97cd31a3827262a74781044cb5f226

SHA512
69ca78ad47d45f18c0429c5a4c196e0d18172b1bb794af65e06a8892a74c47119e501a94a9935ddb0780f133dda86c381f65bfc30204289ac2ccc5f6c7c8a019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13385203096060317

Filesize
7KB

MD5
2f0e1bb7a82b068d08c92405372b747a

SHA1
def7d1ca5814a94a157f975faf3573132b91cc40

SHA256
67acb35e420a96c0aa46af078cd1aceb4af9434e64856965bb0c43cdbe898ae2

SHA512
25f9727e7a1adf5811feb9f92b5a883d3aa9c650bdfb952dce1c8c32fe5a96106444684d0761688866dd2ad8e3d7cf4c6c9593bb3454d63abe90b699dc59b807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13385203096589317

Filesize
4KB

MD5
b9acfee2e306b1195e7c7feff6e88392

SHA1
9c3b870bfcee619009d1c05f2168919c8e9aa9da

SHA256
cd76bd477e4d2dd5fdee806182eace32ddec5672f2552e14a5e9db308ffa037d

SHA512
fae99944b94e1a8e08af786ac9e5e4672740f97af569ea522706c16a46d4af51f4fc5207fa8f8277f8d71d5972d397af0dc26d398e659cb94dbaab2a67a27b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
6b9ad8e424139b5b7b6c127f5f1fbefe

SHA1
3ad855abf6c62cbbcf634b8c2b4c715c9329234e

SHA256
11db69e3caa703d279a57619901583b1242f031589f275e3725a28c41ba5d4f1

SHA512
0a186fe7e6df9981b7e6a0c5d5f9c1facffe22624cb8f9436b300c38c998a625bc8be3ec6fc16d908e21301b0de7738a5aaa84ace8bf5815faedcc40c9d21837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
e067a705553852bcc90ef4798e9e1650

SHA1
fcb1fa5d33b41746482ef064d7ae596b56009f62

SHA256
6efa9898d4d4735036531cdfefc908e7f68877240e906be3ce93266ea2e4ad07

SHA512
3eb496580627974944f3b7e35005bdcc06e1715a3c20e5e6855472958c41204778028af449b838c5ddbee1ea969ae054da4b04d593f1ea9567e3af9ec52d9e20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
46ee3c37437e421207710693e860c62b

SHA1
8fbe6ab5dbe198b8e62a1ec6d3968ad9c34b3206

SHA256
a8e39a9d69c6990b5446da8ff719a3f02aa2301ae030905cca8bd7a89518ab0d

SHA512
aa1fbd8979c6ab2218b0a313d833f97679c80b1f87e60ee494a8aac16a15750ac87927c03925cf4d89a71603c0fe65485ed062f6e7d0399437a4875e26de81ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
92bce65e818f2ac07496b7bd978664c6

SHA1
111a66a8784625785794bb1f63abe2a8e9c9d5ca

SHA256
bd98f4b4289f6b53832c3628f1382a9ce2b8ce3ffe5af1524c9d29444a3dc1f8

SHA512
240266b230691325336bd83f2d12e80de9205c8ef3b807fcc35f61172ecf62c5cfd7c56731fa5539def7c5296ee9de15c5bdcc9e88d248fb7438c18fd15867d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
c2447e23d23bdd802152598b58ae51b0

SHA1
2faa58608ed63f2c27fa5396bf1f3ae4e45d416d

SHA256
92c031a3b17c57882b79795ffbb505e96ef3c121a123944541305e10ca2d2f69

SHA512
95635e16da446624b914894ecc5fec1073c51c2984cd9adfaef55f053d0ba8ca26c54933598e756da74a625194245cc0dba08feeabacb1a0ff75b24337afaa59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
b58530bae3aeeb308206f26c8714c8b9

SHA1
1b36baa9d29ddb7ea6ac0199233402b74da978e2

SHA256
39c7b75e37c12f3879b09800d36a9b2108447fb6f6a8b8fa417108b35a8ddab9

SHA512
4afbaf7de3ba4904a0630a5a70d208f9c696009550b0aee9fa982029ad145c30c77c439a7fdeb6ceb2ec3c1be27115aaaf003794c183592594cb9825b11d10d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
316B

MD5
04e05050cb0a9b02102e2846575a5653

SHA1
ef99bc925905411c8d96d2cac63b8b1353e5bd41

SHA256
fb2dafb31cd9e8ba6e3979007bd2fed6fe40b97246200703f06a705977246fb2

SHA512
a0220589e6c3af036fdb4eb2782fd526ba18686c1c27f61cebec69a0b6c90349b02ce09b67cc5dcc96a3ed616373303c80753ca1d8da75070a281aeb27a69fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
194B

MD5
a48763b50473dbd0a0922258703d673e

SHA1
5a3572629bcdf5586d79823b6ddbf3d9736aa251

SHA256
9bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd

SHA512
536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
334B

MD5
05ffebafd1cb36b2c66405f1aee0c391

SHA1
1c92bb6043b89678ffaacd7a89e039dcb3bc1504

SHA256
83576a2ab905a5494a5d0bafe656ad7e7a94c606f8abb10fba795e1c1de2acff

SHA512
23255686902be044b072881de25853e77b71cb7f14d299f11bdaa26590aa735d32e788be0a6bfe1eb7a3398a5dd657d9518db03611bf2cfc5979241f484842f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
e679a7524d8967c6ba1d7f757ba2172c

SHA1
3fabc14f4449394db4f531d00bbd3831f3c311ed

SHA256
3856cd0bc04d6001d9fbe50a5064edfc32b11abdfb6a69da8bb03d6248853626

SHA512
832447beb67100983f73ba628dc612f7cf9cbda70956babff064f4bf08caae53e3df817b0211f432763c48c8ac5881d4e3080b9d7550e02d71a773a59d7001e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
6d672f253e96edada0bd4a8a5ec509f7

SHA1
2136cbb52c06cd086ed237f2a14004bf876261aa

SHA256
3e35271cfa13d1636bd267468cc6bbe0fa1a17cc6c47041ad718e03874304273

SHA512
201d4ec678a0ceebbe33b253f73b684f042d4e15a900901e06ce1b1be64a8a62cc5dabf38885227ac5ef91900aee8362db1e3a72de594b5aec771a83f5bd8c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
979d5d42add2594bc842d5625377b4af

SHA1
7ff170c3d60ead145e0250d381d747f752940335

SHA256
963d77ec63976b86325662d5e65684468ca5c8753531840b5d52598aaafa2877

SHA512
ad6b76b85fd060dd3d18a8122773feaadd0f30ec025fbd1f8ba1197fa8e385d84d1ac862836e5ca6eb1b876b99b34503931a5cf7effe207a75f6c0dfb23aad73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b08dbb9393471e88e8dcd3160c530511

SHA1
a952c1134e3fa5761e2d059a262088fdd61d9051

SHA256
2b6ffad626d9b924372f9d702741be642c086298f47b79760a0699e4044eb88a

SHA512
050b9325cb85df75870e4bf6e7096324ed45737f57432bc4f505fd9ec0a6a0c3fc95fc1fa2ddac99f965fba20fde321891721aa4fa2488fbbe471c3799e81f24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ed66f032194e5f370302ec9bf60f05d8

SHA1
717dd4cdb88ad3330750be48787f42fc624e7fc3

SHA256
0d888f453f36dd342d9718165ed3d9094e07f3fa5bc55657a124472ae66a5006

SHA512
e74a5736ade4bf6c5d164a73fee470f01e4bb33451b76eb21e1eead29cf94e27ba95f22ca47493d200a290a06d4cce62d55f92ece63d12a7adc35a16c536eaa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
7da2cae902993ed0676d46777a5a8e6e

SHA1
7e4cf14626783fb16a61da0e6f12579b8ef9f232

SHA256
411f65803597077eec31ea3c30ccac5de7254eb96ada96321fa9a68b64815c53

SHA512
1cfa6258f700e688fd3c5cad246a138f326f9c8e1a4352fb5abef1003edc2bfaf3ca7b8b370ee3b99cbcb8bc9d15f8e7679b0c387f17cc020545514655e43966

Download Submit
memory/5000-0-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download