pandastealer | hxxps://github[.]com/omfghello/omfg-s-malrepo/tree/main

Analysis

max time kernel
66s
max time network
70s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
30/03/2025, 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/omfghello/omfg-s-malrepo/tree/main

Score

10^/10

pandastealer credential_access discovery spyware stealer

Malware Config

Signatures

Panda Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/5488-812-0x0000000000D60000-0x0000000001154000-memory.dmp	family_pandastealer
behavioral1/memory/1444-852-0x0000000000D60000-0x0000000001154000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Executes dropped EXE 3 IoCs

pid	Process
5488	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
1444	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
3176	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
82	raw.githubusercontent.com
83	raw.githubusercontent.com
84	raw.githubusercontent.com
85	raw.githubusercontent.com
86	raw.githubusercontent.com
87	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
5488	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
1444	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
1444	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
3176	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
3176	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\is\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\kn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\ms\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\fi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\msedge_url_fetcher_2876_1240731924\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\offscreendocument.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\hr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\my\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\de\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\dasherSettingSchema.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\te\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\nl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\sw\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\sl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\ru\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\az\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\ka\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\pl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\af\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\sv\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\sk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\128.png	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\eu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\fil\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\pa\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\vi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\en\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\mr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\da\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\ca\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\hy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\gu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\lv\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\no\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\bn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\bg\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\lo\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\cy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\it\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\hi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\fa\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\ne\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\en_CA\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\ml\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\kk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\ko\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\es_419\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\uk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\gl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\ta\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\iw\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\be\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\sr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\_locales\km\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\service_worker_bin_prod.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\offscreendocument_main.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2876_1742034689\page_embed_script.js	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877720866085568"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2873637269-1458872900-2373203793-1000\{B4255F49-A4C3-467C-90A0-2C5CF89F6404}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5488	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
5488	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
5488	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
5488	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
1444	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
1444	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
1444	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
1444	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	752	7zG.exe
Token: 35	752	7zG.exe
Token: SeSecurityPrivilege	752	7zG.exe
Token: SeSecurityPrivilege	752	7zG.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
752	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe
2876	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5488	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
1444	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
3176	a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3776	2876	msedge.exe	78
PID 2876 wrote to memory of 3776	2876	msedge.exe	78
PID 2876 wrote to memory of 3724	2876	msedge.exe	79
PID 2876 wrote to memory of 3724	2876	msedge.exe	79
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 5560	2876	msedge.exe	80
PID 2876 wrote to memory of 2616	2876	msedge.exe	81
PID 2876 wrote to memory of 2616	2876	msedge.exe	81
PID 2876 wrote to memory of 2616	2876	msedge.exe	81
PID 2876 wrote to memory of 2616	2876	msedge.exe	81
PID 2876 wrote to memory of 2616	2876	msedge.exe	81
PID 2876 wrote to memory of 2616	2876	msedge.exe	81
PID 2876 wrote to memory of 2616	2876	msedge.exe	81
PID 2876 wrote to memory of 2616	2876	msedge.exe	81
PID 2876 wrote to memory of 2616	2876	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/omfghello/omfg-s-malrepo/tree/main
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x28c,0x7fffb6cdf208,0x7fffb6cdf214,0x7fffb6cdf220
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1740,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:11
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2172,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1900,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=2460 /prefetch:13
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3464,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5148,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:14
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4992,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=5084 /prefetch:14
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5620,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=5656 /prefetch:14
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5620,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=5656 /prefetch:14
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=5716 /prefetch:14
  2⤵
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:14
  2⤵
  PID:1524
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1136
    3⤵
    PID:276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6100,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:14
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6108,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:14
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6276,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6320,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=6360 /prefetch:14
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6180,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:14
  2⤵
  - NTFS ADS
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4120,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=4892 /prefetch:14
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7032,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=7028 /prefetch:14
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6940,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=6932 /prefetch:14
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6404,i,17236963403583352601,2515132064474604757,262144 --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:14
  2⤵
  PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1004

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap30460:190:7zEvent30183
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:752

C:\Users\Admin\Downloads\a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
"C:\Users\Admin\Downloads\a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5488

C:\Users\Admin\Downloads\a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
"C:\Users\Admin\Downloads\a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Users\Admin\Downloads\a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe
"C:\Users\Admin\Downloads\a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8272581d8cb38484cc8cb6afbdd0d37e

SHA1
2baa96a0439003aabaad1ce5619ea0a581cf261a

SHA256
025356bf819ea8a5da44ac2c4510bc380a9448247a30665577430ca7a44ca297

SHA512
60574186c595b0018d9223afd38e59378b1b00ef4f39be17ef2d7613cdac5b8f9e6dc3f2efefd559a0e4e8d64884d6ea155e874df13f170bb6dfbb41a0104959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
be1766195bf5ddb37487c84e82fa362a

SHA1
f7319820d2dd4ef0b2a7f5c6891b9630e55ff8d6

SHA256
d2fd051e2b66e1b96abd7dacfefa460e06fd8d0b9aa9e88293c0a94a46595e1d

SHA512
c5228b35d7cd41941b12c58e42bbf72d75e52853a6525f74cd130f654045a92e45e9152d0e31b6eeb28980ddbccbb08d632684bdadc424d51329284f65156350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe584f54.TMP

Filesize
3KB

MD5
47d2004f1aebf6b4962e1107fa3706bf

SHA1
f1bdaf92c48617fdc12a789f50ca6567e9898fae

SHA256
61d0f7504c9d9a69c38d2c9b2cadf1fb8f521619b596e877e6a7176eca158107

SHA512
5ba10bd4038425145c8a215336a9c0e58e0a54fd2bc37344a8ecb785f00aa11f61a5ec6efc32fd70040564dd465aea6f03f4baad1ab5ac9a9b5a4fbab4e01fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
61fe74498085094c7c8dc5f3dc28692a

SHA1
9a8e5c8898c41d298271c637c6812d03cb2305a4

SHA256
ddb6606f2ece1f542ca1b52a95e3f2df9650cd5106dc4a42ddc4eae8e8e69d46

SHA512
8f4f6f41c6ffd79c0ca10c95a89891cdc7135476429d7d8b2e6eb473a60d1786c3aa5669897c34edabd50b0c6bf14f6ed5e2af6902f8d4ad993166f4c533e9d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
bf152e1aa48a6d0b5b0f2c88d906d576

SHA1
c73a59c7d9041fe0574bea6f2cde558d730f35f7

SHA256
4e5a18ac0a806dce776959b80321e0f9c9c959d9680a245954deabbc9c5be988

SHA512
c2ec9d73b1e31963728a5785991888ed5912afe0e648324b7214ee58407441d83b3a65dc37d68ef8a3816a68d90a8451cbbe9b42e3f2974f34009313e933c621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
3b913ac499505863f135d0a7b80e7871

SHA1
a79a8f91691b9dec7db2d786bdaf56da961d038b

SHA256
9a9cb382eb0e8a85a3a0e33b5bb9f15a5ab23b9622828d3ca995a30ae81fc7d3

SHA512
a01fd14142a0c8738d4f0c511a80aaaac56f5dec2e751435f7a41d5ea0490aa2d18b56b9532af5f0be2c87b8922f6cbe2512bf8eda770f6bd4c5cf435ce045ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
790b9bc07307a4b6095ba03a2b2463a5

SHA1
4f90e6e51494d6f799ddddd8edfde98b0b55f135

SHA256
5018b819663f8bd6ef709b20a86c147527e5f8ec40d873c5e0e99e9cef9b807f

SHA512
f96a6125eef97be0c35032222b45d95cc2a514933c4da1dcc0b0bea2ecae234ef4209d26da5da66eb9539dddb602be50ddd48e556db9e0d513668fc70198a6d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
228KB

MD5
3d74d011b318ba9c89035d2d8edbfdf5

SHA1
8a04f12886e8e381d9c818ee91a9501d088d95db

SHA256
3a3933126091b66f5897e4cd39acd12adab1c0e98cd7e3a49cfacc88d5e14f0f

SHA512
ab2e1946b1dfd1c6058dbd6e6e2b5a01061f0fe28eb004a3223cf82f07fafff6c121befcade235498bc6995d93310280568702d0507f7157045df21478706d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
900B

MD5
421f4ab0dbf0b3ecf350d0ae64743ddb

SHA1
95560938d10ea13b919fd13060a1af14f8ea8c81

SHA256
8255634ccd0dba26674b6a7070881ea8f06bde0da9cc43d7b5adaa4d98d2071e

SHA512
11f619ae2d64929901a8807bcc39914ff06529ef59b7644b35a0bb117cd41213366a89c317c6486a352ea2149c64e5c055fa40081e362979152eefdae5ed9545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
526d7173b49f5774b5f0699d9be25ca5

SHA1
e6aa67fe2d7360379b3daad3b134248de7132f3d

SHA256
42ed90701d28c338cbfbf66f3c9d6af4e0a358849307e6370f1d06ba11c35dfa

SHA512
e4e109c1b5a9c81809f976e54935a42e3a6eb395fd5d80599379fa74451b1f338a7e1eab53a8439ebfded7085985cbb9790391b1230a29270b2c21e4767aad8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
2aff46230905a4d7810c04b56d5edc6a

SHA1
ccaa6aa6d919b1f7c18bfc76b76054447cdce296

SHA256
932a5a76376aec148f29fda878cb60e9782b1120d93cbf55ed1f1188e9aec5d1

SHA512
86b8f4889e8b1fbe6cd326c5da019a49aec84cb254689d61e34c9e96d54d8f5aee2bbd033ff404e8d9ad97509b240ba630198e5adfd714bb6f0da1efa9b185e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
46ffeee90ea7af0238fbcb07d40ebf5b

SHA1
a21f967f1945cdb311a141a8058798c18cdd76e4

SHA256
7f3caad011ae349b244c15bc896f30677575c3f22048af4eed5bda3820a98188

SHA512
dd544a9ba6e99138ac75d0655ffe700ffd0a21766af80708ac17ce1165144e22bf9bfad79935c37fc7dc3b0978a3f885500c825abd36a156e5a44b8dfd35ba3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
7c42d1c8db6c2db5b545f160dc6535ae

SHA1
858f5cf1e652353de594f04287ed4ce97b15b1ca

SHA256
cd234b26f2268aafdda25ff1d91607ea2851c1ee79eb5d8d1ecafadbd1be3c63

SHA512
d9fcf6b03ff8e03d204d884dd5984e8adc911cff3f7df7782e02df67542e5e48bda88a9dd9637c7b943a7813e1676fc4ae8c4c4bf4e2721852bab956eea6c49a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
3e854fdc08bd9edf5535ef63eb5a49ac

SHA1
02092d32868bfc8643fe3adb495d0d6cb7c45b09

SHA256
a89e0f144587752e6bb5fab9eff033bd8039013353f235afc1cca9eb9217d60e

SHA512
e01bc7639ccdba4e011c67508754c663b66b0d8a61ed3f9d98afd1f63ee464394e1347c0b2d38f8a4280d9c54aeb9b45de1e39d9ab0e4394b45cd625fe5e2cbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
0ebc17d2e848274cdc1f03f4889853f0

SHA1
5cb1abcb8ad7f9054d7ad75fe8ef1abc631f3b87

SHA256
28edc52290cd0f57fd532620a4b84959a5bb49e4cb9267269a96995c6ee8e730

SHA512
f5ba0a9e64b92476030f382634307857d05ec5bf25a82ffbd29ec2efb0a2b65c33fb59c09a13880a9567875a8d1266b99a308e7438ab55e8a1a3b37a41eade94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\Downloads\a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.exe

Filesize
1.4MB

MD5
5b17a03a0b5c94c375c32700f075bb02

SHA1
64aa47ddef5c2cd0969010ce4a5f01316f28a13b

SHA256
a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336

SHA512
0ba5e0bc997d0f44fab6bf9c8ba46e56992c56aa4e5fe1f4aed4420f958f26c684341d46ca0000bab3cc7141b232a163e6a309268945149a3d9f7417d50cf96c

Download Submit
C:\Users\Admin\Downloads\a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.zip

Filesize
1.4MB

MD5
e7c95eee768612c7dc0c14425222546b

SHA1
84cd97092cf863050bedcc5f1b4723b54395e9aa

SHA256
22a469dd024f5c8c4159dee30fb5b04d50fc382e05e6deda5362e793bd8a4262

SHA512
921081120a550bf9c5b71a61e570620ce4f01cd610d89d138e0f3ce8e00be4f9da4dcba2aafa0ef99534b5fd01f197656551e664bb59efe4c7d60bc9be2eb9c4

Download Submit
C:\Users\Admin\Downloads\a3dd5e28b1b551cbb99219d143efe1e888180cb6d7e20e22b78172e17e046336.zip:Zone.Identifier

Filesize
212B

MD5
5401b3c71b0ce74d760517c246f345a4

SHA1
e9af6b3f245b74468e7d18ef78e9b995c8d0b55b

SHA256
db50136b86f525b8308c39db161ee35214c6e3888dc29af4a0627465ee85c53f

SHA512
d79b7938bfc05b9d7efa5a141c687c84b67ac1a8b6e2ff14c19119f32aa5c54884a83f596844f004fb3ae944b8a3d7db259b0579c1c13c05693f68aafd7b7c7b

Download Submit
memory/1444-835-0x0000000000D60000-0x0000000001154000-memory.dmp

Filesize
4.0MB

Download
memory/1444-852-0x0000000000D60000-0x0000000001154000-memory.dmp

Filesize
4.0MB

Download
memory/5488-779-0x0000000000D60000-0x0000000001154000-memory.dmp

Filesize
4.0MB

Download
memory/5488-777-0x0000000000D60000-0x0000000001154000-memory.dmp

Filesize
4.0MB

Download
memory/5488-812-0x0000000000D60000-0x0000000001154000-memory.dmp

Filesize
4.0MB

Download