chimera | hxxps://www[.]chip[.]de/downloads/Desktop-Goose_180679880[.]html

Analysis

max time kernel
500s
max time network
630s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-02-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.chip.de/downloads/Desktop-Goose_180679880.html

Score

10^/10

chimera crimsonrat discovery ransomware rat spyware stealer

Malware Config

Signatures

Chimera 57 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	flow	ioc	Process
File created		C:\Program Files\Java\jre-1.8\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Microsoft Office\root\Office16\AugLoop\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jre-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jdk-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jre-1.8\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\security\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Microsoft Office\root\Office16\Configuration\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\VideoLAN\VLC\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jre-1.8\lib\security\policy\limited\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Microsoft Office\root\Office16\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
Key created		\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe
File created		C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jdk-1.8\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Microsoft Office\root\Office16\MSIPC\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jre-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jdk-1.8\jre\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Microsoft Office\root\Office16\1033\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Common Files\microsoft shared\ClickToRun\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
	599	bot.whatismyipaddress.com	Process not Found
File created		C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jre-1.8\lib\security\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\dotnet\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jdk-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File created		C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023789-6706.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Renames multiple (340) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Desktop Goose - CHIP Installer _ADfKp.exe

Executes dropped EXE 4 IoCs

pid	Process
5340	Desktop Goose - CHIP Installer _ADfKp.exe
2104	GooseDesktop.exe
3132	AgentTesla.exe
5648	HawkEye.exe

Loads dropped DLL 2 IoCs

pid	Process
2104	GooseDesktop.exe
2104	GooseDesktop.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
578	raw.githubusercontent.com
579	raw.githubusercontent.com
598	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
599	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\75.jpg	GooseDesktop.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml	GooseDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	GooseDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt	GooseDesktop.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	GooseDesktop.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\sunmscapi.jar	GooseDesktop.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\javascript_poster.jpg	GooseDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\1.jpg	GooseDesktop.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	GooseDesktop.exe
File created	C:\Program Files (x86)\Briano\UWPHook\SharpSteam.dll	AgentTesla.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\3.jpg	GooseDesktop.exe
File created	C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt	GooseDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf	GooseDesktop.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\List.txt	GooseDesktop.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ThirdPartyNotices.MSHWLatin.txt	GooseDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\forms_poster.jpg	GooseDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	GooseDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	GooseDesktop.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar	GooseDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\8.jpg	GooseDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg	GooseDesktop.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml	GooseDesktop.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar	GooseDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	GooseDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\82.jpg	GooseDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf	GooseDesktop.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	GooseDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	GooseDesktop.exe
File opened for modification	C:\Program Files\dotnet\ThirdPartyNotices.txt	GooseDesktop.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg	GooseDesktop.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml	GooseDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	GooseDesktop.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\excluded.txt	GooseDesktop.exe
File created	C:\Program Files\VideoLAN\VLC\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\tools.jar	GooseDesktop.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\combine_poster.jpg	GooseDesktop.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	GooseDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\hero.jpg	GooseDesktop.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\ant-javafx.jar	GooseDesktop.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	GooseDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\Welcome_Slide01.jpg	GooseDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	GooseDesktop.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt	GooseDesktop.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\82.jpg	GooseDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\10.jpg	GooseDesktop.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml	GooseDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	GooseDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	GooseDesktop.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	GooseDesktop.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar	GooseDesktop.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	GooseDesktop.exe
File opened for modification	C:\Program Files\Java\jre-1.8\README.txt	GooseDesktop.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar	GooseDesktop.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt	GooseDesktop.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml	GooseDesktop.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar	GooseDesktop.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar	GooseDesktop.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\YOUR_FILES_ARE_ENCRYPTED.HTML	GooseDesktop.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\fre_background.jpg	GooseDesktop.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Desktop Goose - CHIP Installer _ADfKp.exe = "11000"	Desktop Goose - CHIP Installer _ADfKp.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Desktop Goose - CHIP Installer _ADfKp.exe

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000005a5841711100557365727300640009000400efbe874f77485d58f7952e000000c70500000000010000000000000000003a00000000005b9f040155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{8643B601-EB23-44B5-B491-FD79262413AF}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 84003100000000005d5809961100444f574e4c4f7e3100006c0009000400efbe5a5841715d5809962e0000008ce101000000010000000000000000004200000000006836600044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000005a589d7c100041646d696e003c0009000400efbe5a5841715d58f7952e00000084e10100000001000000000000000000000000000000f6af9500410064006d0069006e00000014000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616209"	explorer.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 334702.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 413665.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 511301.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5192	explorer.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
2860	msedge.exe
2860	msedge.exe
2980	identity_helper.exe
2980	identity_helper.exe
5912	msedge.exe
5912	msedge.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
448	msedge.exe
448	msedge.exe
1520	msedge.exe
1520	msedge.exe
628	identity_helper.exe
628	identity_helper.exe
4168	msedge.exe
4168	msedge.exe
2776	msedge.exe
2776	msedge.exe
3632	identity_helper.exe
3632	identity_helper.exe
2312	msedge.exe
2312	msedge.exe
1360	msedge.exe
1360	msedge.exe
5272	identity_helper.exe
5272	identity_helper.exe
3232	msedge.exe
3232	msedge.exe
3124	msedge.exe
3124	msedge.exe
5108	msedge.exe
5108	msedge.exe
1248	msedge.exe
1248	msedge.exe
5660	identity_helper.exe
5660	identity_helper.exe
764	msedge.exe
764	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2104	GooseDesktop.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 56 IoCs

pid	Process
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	5640	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5640	AUDIODG.EXE
Token: SeBackupPrivilege	2580	svchost.exe
Token: SeRestorePrivilege	2580	svchost.exe
Token: SeSecurityPrivilege	2580	svchost.exe
Token: SeTakeOwnershipPrivilege	2580	svchost.exe
Token: 35	2580	svchost.exe
Token: SeDebugPrivilege	5648	HawkEye.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5340	Desktop Goose - CHIP Installer _ADfKp.exe
5192	explorer.exe
5192	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2724	2860	msedge.exe	88
PID 2860 wrote to memory of 2724	2860	msedge.exe	88
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 2920	2860	msedge.exe	89
PID 2860 wrote to memory of 1100	2860	msedge.exe	90
PID 2860 wrote to memory of 1100	2860	msedge.exe	90
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91
PID 2860 wrote to memory of 4048	2860	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.chip.de/downloads/Desktop-Goose_180679880.html
1⤵
- Chimera
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff98d8746f8,0x7ff98d874708,0x7ff98d874718
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6680 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7904 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7992 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8751199728408956320,9593591801556485196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8040 /prefetch:1
  2⤵
  PID:5152
- C:\Users\Admin\Downloads\Desktop Goose - CHIP Installer _ADfKp.exe
  "C:\Users\Admin\Downloads\Desktop Goose - CHIP Installer _ADfKp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5340
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" /select,"C:\Users\Admin\Downloads\Desktop_Goose_v0.31.zip"
    3⤵
    PID:4328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5192

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5384

C:\Users\Admin\Downloads\Desktop_Goose_v0.31\Desktop Goose v0.31\DesktopGoose v0.31\GooseDesktop.exe
"C:\Users\Admin\Downloads\Desktop_Goose_v0.31\Desktop Goose v0.31\DesktopGoose v0.31\GooseDesktop.exe"
1⤵
- Chimera
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
PID:2104
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  PID:5400
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5400 CREDAT:17410 /prefetch:2
    3⤵
    PID:3388

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff98d8746f8,0x7ff98d874708,0x7ff98d874718
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10810764855833436311,6553934371126061544,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,10810764855833436311,6553934371126061544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,10810764855833436311,6553934371126061544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10810764855833436311,6553934371126061544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10810764855833436311,6553934371126061544,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10810764855833436311,6553934371126061544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10810764855833436311,6553934371126061544,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10810764855833436311,6553934371126061544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10810764855833436311,6553934371126061544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98d8746f8,0x7ff98d874708,0x7ff98d874718
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3907665404557133104,1427395544333062271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:3012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98d8746f8,0x7ff98d874708,0x7ff98d874718
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,9681550786740084748,689695369269337921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Users\Admin\Downloads\AgentTesla.exe
  "C:\Users\Admin\Downloads\AgentTesla.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98d8746f8,0x7ff98d874708,0x7ff98d874718
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6448 /prefetch:8
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4508
- C:\Users\Admin\Downloads\HawkEye.exe
  "C:\Users\Admin\Downloads\HawkEye.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1896 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6736 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:8
  2⤵
  PID:4592
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  PID:5344
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,3937237673293458172,9371876110253068145,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:5072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
728a54ae01f3ab7957be54a3513ec901

SHA1
13d3cbb3589126c5cf78bf528e256541b69b6b17

SHA256
0775e44387d514f759ee4dd914e1b0b488b0a17d7c8f50d779a05ed48c86c04d

SHA512
6f1b7d66d4784230c34b3faac74f19a28ecae3406ac27111246af2b4b3226e13bf86903ff7fe0a62f64c7f33f2031c9566a767f23a466d29b2b25dfef820f2ee

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
1.2MB

MD5
6336865903fa7c4c8c08aec192f3c119

SHA1
0fee6d7976ab52517f16f660c658305fba437c68

SHA256
af3e6cc439e2c2f55410872d32a53d8a00a9d68685c97a54606f434859512ff3

SHA512
c3c43bccd53b4d6e409602805e75e38c6392d8f99f342c197c9a173c71b5f117907169ab14235ed192b73a80b43f170863746a77ae8694a8ae9702d985fc5d12

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
195037c93e186a9bef1174645ca1b46d

SHA1
6d5191ea85406bbe9980427c593a3a6fd27f1319

SHA256
bdec74965347085935427ade7e405e01b56032fd5acb727a599ba5c56eeab40f

SHA512
92a469c445d801be1e872c522e11cba65a889d5a61ac8afbb0a3d3e278afbb16222dfab87d3d184e77b1763794be12a68b906925e0170ea765d6e8c3a3e7c174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f0fa5d8b165a2b713947c8c7016ba3a8

SHA1
a0879b01997f8bc68e7d470977f0697bd49a995f

SHA256
a7103eb280378142c428e483935bb3e5cfda49b506936d3a459973ac86154594

SHA512
9c8a3e8c43514a4b43fd20a05aba74567fb0a0b34a4b67fd3ade5dae04d7bc1941c0ac3b7cca537dd276a4cf77f033fcc8b5e690ee8320948b5bf46ed860fd12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aa0ad16f3562b9b898f2527c98ce182e

SHA1
813683109cde64ba42354323ea4f17c03e024ac0

SHA256
7bf4e8a0937308eeb99301940dc18324f7d1b7366c4f28fd60379876e9b99589

SHA512
202884bc1e159a19c8fe1c2b4b98d8865cf3b0f42fe9b41fa7bd3e76324eb9a91ab6a8f8c79a7712eb3741e36f7731b6e71ddc70f21b416a4abb3f291fe84147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e79f3de42e348a44ade1535a3d9cfe6a

SHA1
6296b5d1a50ba63064bab0c0646d540a103f3fcd

SHA256
4a762a3b6bde7a865b66283ee03cbdd5b3b07c58e7b96e9ce01e0fca8fe215af

SHA512
54823bd8cf638a912d9723178a130529d34908a68e0f86bc82ab02ac68a710a4abdd7fdeda5ef3574baa83b86a4a1355620ddd750026eb0d248dd1d91c649677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e5bf51c133a9c732202effa897f36c5b

SHA1
232997e6b74da2c4db39162981c2eb3476151d19

SHA256
814f68b3bd32dce94d695d58b63cc466f78b735f9b351fde138406c22b32bd07

SHA512
209f8a3dd284e79f95537e96e334d37455540ecce26b03a98bf96a0c70966e1946d4060a314c407f55191305327c3f246e2513f13d0ab6fdb07e6721ce822e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e4a2c316dcd1dc256b926fe0c6651e0f

SHA1
712ba70ef67a0effc1e2b397edfb3dd1a89de769

SHA256
75bc47c737e028658edbcf604a8cca1d6fa81ed288120938dfc315e82b675c15

SHA512
10e6a3fe2d6f83a7d215ce175b4ef37fcb36ff6e38198717e53c1255172b5d597cae17d619964927fc18f100d9dc6bb374688d62fc568e2bddc921bd13a64b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
e4087a97e3c7c9d90fcb4a27b9d38564

SHA1
69273e8c81bd67ca1f98ca1a0d6c787f30ea67eb

SHA256
4e4220a20002ed7245801524ade1a920cb7dd1116528b6acc93690d888a83ebc

SHA512
14c477c966a6cf833c3f2d67418fc9460bfaf67655855154abc1fe4391c2d333cb2deefe3be27ea0e18dfe54a5b8e7cd7a6ea1db47130300936c4d566cfc0107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
d664f7dfe2b1c640dd2d9afa77fc7c85

SHA1
4ad918036accc0e82af0e147d26df5f341f387c2

SHA256
1e1bb960509f7ba7cee759512055b3a44d545f83a5f0d77878d66721c52795d2

SHA512
1e9ecefd30de8a503e310d438b4f0f6189bbb96ad89cc59c64be64b566296686637289419db8220d6e56d2812c87f00108b4fde58970a4f01ac8c95a3849b8c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
45f00d89dfc315e1be1650d6982b3528

SHA1
800567eacb8fa6b95df52f93c6ed466b713b68d2

SHA256
037d80cfb74617608f21135968fe69e7a9d9949d8d0ed97dc196780018c0ba1b

SHA512
2c81995a892d87c1cab05db5dcb221d4d08f5f8c55acf2654205bae05fb4aeae47cf50145739c905f4a107d33a3151f5310c081544ad53b01ddca427f823918b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
a6c0e29a5a1514c17c7fe18b29269a01

SHA1
f6fd4b50e6f0c06b4903d2485d234724c4e7c872

SHA256
8cde90a9f90e9308647db02761f7e755579747050fc408786438e0bdc3c41a4b

SHA512
15ca0bb38fa61afb126cd177be46c53db64bc2a450355a0f27c93bd0165cfaa3d8d4d4e829324a6ca588e43b1bda320fe48522555d65220d71e29dcd47aa76c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
69193a172ffc3d96ad78cae39793b3c5

SHA1
be2e0517f0ddf81487cf7b472226d5ee65cc5f1e

SHA256
09cae69121b9d223a3dc9835a50ac0002884b9cd69acc15f5f485141a7691e3a

SHA512
9dd44f7b4fb251825c98e4d5fbf00157ba8d72fdf7447ba4583c842c3a7a62121e1b79d35617bba19b313eaf4716505bee4b7fbcb2ded763e4903afeec612d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
5571d643bcb185372a951d62ca814456

SHA1
a2b415437777e5b92351f838b6627c53cf231fb6

SHA256
f315572fceedfcc5d1755c4a8b42b7fe16fe24cf8c7e6ebb22cb4bb16f03bc5a

SHA512
0896a2c8a806a65026b11ef8032c45dc4481a8dcc8314e13f3ac819328bb2d8467f603436b35a1fdcf33356647705f0d260826dbba8d3179c05406ccc3fbff86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
936df9953d1302443109cc4aeaf4d407

SHA1
dd28b7371f03eab2e273594116e5abb9f47721a1

SHA256
2d219bf9afe92d17c8f5b68a74b50c404016c989e8a5ae8dd65b9ca020c98818

SHA512
b0615fdaffe4ea8774b8a5500cc619d8baca18fc1c7f621fd104a395a5d8aa6f4ab5185e655b44a6fe636a8f391a0b6c7f252bccd04a04ad7d8660c8b8bec96a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
89a2c2eafa4f5b5b4d44db2adaf085dd

SHA1
25d844e1bc23627e078683406c1bb8ce8f550a64

SHA256
2dad4fce2262c4dd729e2d2af20ddaa5e434835c523433301a5e902e82620310

SHA512
4c6ca2e16299271a402d29e24c0591df490b826f41e627fc6187b2bf972567e43eef6af30ce47c9f65564c0aabf0e24a5293d43052ebc5023118bbbe29b17ed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
6457a9626922b78a272ba22e873a4b3e

SHA1
1f956399cfc5cdd3b4ea0c3ac635c03123a7f60e

SHA256
ba27d693cdaa64de3c96a882b1f0d125dc5ced8c90bd64d2041cfcf261294529

SHA512
30e454c4c6d24c19354cfc9998ea181bb0ab33e7bc6d3403c43daa793b49b607530d8f56f08cfeb62add6b40321865bade228a7d8baae78235ba427756ce5a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
683B

MD5
70ba5971e19e70952d3401682b20a0de

SHA1
75c71fbd014bede8b21ded15855b5b2774b2fe24

SHA256
22332f2fe951612f5cd11f74f8a4b4a5b8611a3aec8e11cbd742039232af39b8

SHA512
991b44d120896008697ad712cb8b1afae6cd4ac06adb0c05759b3347c0387177c849a52334e166009a4c50395be8b05b04de910d068cb61294a0ae204e4bd64b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.chip.de_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
267KB

MD5
1a69e3966ffabe1cb55196d681cf135b

SHA1
2129a8b8d57bddc249b14a37ae1ead21cf2a8d89

SHA256
8224bbe32e3e24ddf6ac5ec6c23892e020708d006cbf03933a53efe80b055ce5

SHA512
b479a66f1448d9687b6234b6eeacc106c7c475969d74e9a446a2870d51ed7c73e00b2de4471afc287c25882b0d06712686e95fa139223048b91881c513ef0f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
08ca3b80a1e08bdcfd86d44fdc4037ed

SHA1
4cb2bf88bf2485b0610b2e0b832de175d148b344

SHA256
e99f491e49d04a7c5c48ee9e91157288c9e7d3ab3b5925d7fc582041f30f0c5b

SHA512
d41cf28ba959ace8b6ed9e5203259b4a28a19233f308c17e1a1849313bd96586a22d58789d2f92625aa9462902ba0b9042c1c1704170672b8444954627c6081a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
8dd74ce03fd3ac3a5596a2ef841cc022

SHA1
d6d196bfdf5ee9f718aea4c120b2e44315916a77

SHA256
98066a0771a5cae6acb1206666be07f779976221a61ea1583630a54cd0929367

SHA512
64ed08bb6acd2712d92bb0709550f76710491df65df60e318cab8bd9c98e071ff897763383961d4bfb8d19e82045962dd880a53b92fda4ac7788fb30b8e853f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
403ab24384cae9e00e5a2066ecde575a

SHA1
986bdae63f66fc79bfb67083292c9b016439429a

SHA256
f5e584dd8261a1b056ef6e20ba3673a3387a592174d05c0cfbea28ae59957a7c

SHA512
ec369469a80f982866292c7c82e18cc49a8e37ba04d7b48d09a215c625d6d5b24a203db00e764fe1c0df428d689ab58bbf0a779bc7cf417a34e6e86d49df52f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
212c148541e5096ac966cb6ff19f334a

SHA1
77ba98829c0033d663a987d7e39949be77f34423

SHA256
85bdfd097a399493e78c834c9450c24b7cf2cd2166dad7be9b184d10ed7aaf21

SHA512
b12f7c19cc2a1c824353386ef47e278bfc7554e64593e9bb96f7e0dfc1262abafbe2fd3051bf8b998830f2ed504495acbed9e559228bea9746ea0f2172f517eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
a7268d43a2cdefe80acda8328eaa049a

SHA1
42d89327eaad71cd496aff45f603311995377867

SHA256
55275466ad04bfb38760da65b4c26d5f355d26dbd348c2ab2c4b02f095b12f45

SHA512
c2ef4c86784a082054779e2a043779187ccbc1d8f557c92828971e202d2b40826045165c17947727fa0b92b6348f78764f5f3f57efedfcad3f09274af5ae7925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
35dd9f5addc22bfbb2b020e5f4c06a13

SHA1
1880b88f57f008165ce000c88dd42c78e81cc782

SHA256
8b7565cbc2dae64d5c29ecd92463894e6534653c6d3ef22681e0e1c4edae9c82

SHA512
c760adc0cb094b26352493bace167c0027b8a09f3067080771435a66e235d7e3cc1241fff76c6673fe11c6eb0a7e942e5863e7b35d4d2709dc1f07ef39a86c60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
e0ff157b9d499cd6af0efa0644564875

SHA1
f468730da5fb5d130ca0fac77e36c68789d2ac1c

SHA256
73c357077663676cc3ad3822bb89ff0ff03350691bba8d4b5d6f6dc2f4a454fd

SHA512
d86ad44edf7dca8ce8e415391bc8a9467f30d7da6ea5f89f79e5da9039d3c82b759ff47a8078778274e62c89d803460fc8f2f53034ff3195ed601f85531fc866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
a4e71482a970fdf3c68b6d831c17b4d5

SHA1
f6f3b6478da65f228e8c14503aa9b8c65820326d

SHA256
0eef01830c1449f399d87f163b4675313debbaf7807ab2e778d14f8d66711a1d

SHA512
ed2f3de16f72cc2e899bd7309963a5ec999c5cb194c7dfbef5733ed74d7688ac1c1c89098aee46edc59d8fc3d62304fc873554a97c5d8571c1730c6227806a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
83ed34ac546dd0cf58cb2b7d26e3625b

SHA1
519d16988867b38977b89dcdc4418fb287b50dfa

SHA256
7f42b1a63137863f8ac0c267db37c457013def48cb009e918d3570ff756f1b97

SHA512
7247e3eecdb47d658908c9a13de81b75b446ca7eaf492785558f236a2099224d817922b6f04099b5a785266207d4187f4c20ca5aeb72c0a52fb8126b988204a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2f6640ef2f8b16570d2632b619be2065

SHA1
f81d393fae6ef06cc8c173a638d9c706949b877c

SHA256
4c466c7d5bb5e2643a0ebef5ce1a5efe3240cbd5a10756de4bb1bf90eb26c4bc

SHA512
8b01e244a569d9cadda3c78c137b381e52a8d9f2b506a2905535c81142e0838ee6e8f9d2daf0fd3ae3225e16c41f9dc53c6c3d37e4abf969272d7229125faac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
96f4fee919d00d99ed4d0fb9beb84437

SHA1
3ce880cb5a1b43db3f75f49be0f63d1088ca3ff9

SHA256
de9db7860d4e765eefdec307d77db9d0e034c70df7c3935750aec87718bef432

SHA512
bf39e9e9967454bdacab1ffe4ea48c06df222e03f2893f4efd76c4d1b4fcc9162c5413efc82e6363a7c6332602c8592e4e8c3384fe1de0473782b03f8352333b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
221b99edadc9e919daf74b44bc8c329b

SHA1
4cbebdf2dbb9a56f8812d2dd558cbaa68c83999b

SHA256
10bc7e675a37e1312b0fdad698eb20540d27200081519ca2dc068a87addc22e2

SHA512
e72a82f63401ca28eb4fc2b01656f1ad7ee43fb8f39ce144d2d1712a272d48d242f025b98e1235988fa7f8843d20ed1fb75a024d7925e9913f48944db61fe3ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
e745f3b66b7b2cf3bb20e24829136840

SHA1
62d8cade3fe7acdcb343874e56be3314343beda9

SHA256
fbf789985db510ff1d72ac1537d721faa65c920066b887e9f9181af732da1ad7

SHA512
1d2b8fc03cb704d30b87cc4971784cb1c4067d947679984f4fb0a55e1b1185918c3d67e2fc0bbd794697a9a518360d3faea6f945c0092adc0b4a47c3288a707e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
46eef1d2453e9db0f6aeb79e05da4327

SHA1
afd06ef14481785c8692ee9f5763bdd455ca0037

SHA256
b5bd191c8556c7eeef1f0d9d813006edbe8cb4ba37b2e8d108826c77eb4aca4b

SHA512
c97482afa650d745c47bb8cd190b81b0b60c17da980e66571bc5e2547774898a290ea270545f04ca297f10ce3239db10ca16b5236a4fa7352ce56665bb5dbec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
304dd7d427b8900ae1cf2efab95e5209

SHA1
62375a8ba83436fc12a42c90e061162ce4012156

SHA256
6d956f71c00cd4616cfdf1eb5d00f55eba3fbc6c62dd78aa70f0e480fee6a3f4

SHA512
e9ad6c88d81b380d92f8c1adbc0cf7acd9b3f09c927eec441ac5d0af0564f0babd4c5b41a8bc6994891dc9e2ec052f9698b5729615a305bc5e14e5a3dc4ef4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
c4537a09b602b3c86e2bca712e7cb107

SHA1
ec3300f1584093206336f31c91c27c6bb37027e7

SHA256
7edb4a11d15db550f65c6ce4df4d9b219ed63fdda89707ffce1aa10a3ed0026a

SHA512
a3f8811c1dba5e6a845d9d925417f6ed8bd8a7b18d82ed7f886f54db52900957ac5eb39ab9b76d0d840a8cdc95817873a717080f4c78239ccd78f5d3dd3752c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
da2c39a7151aa8eeb9c3d3c5e90dc788

SHA1
6c969a768b42325e1735e78df32f81c0308b5409

SHA256
2c8c0d9e37e5a5a901f06df13475a1b067170b09c52fcd7896384794dd1a9b99

SHA512
0996d02ca5c13de7fe952468b97934206f2b461b82b71fc05fd363c20cb306331a3ea7279655b2518632c092483a250119894efa14537b1402bd310d07973203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
7bf3f354e61a2edef0d5435decee0cbd

SHA1
c1614ab240b2ad2541a272feea37975f5b40bdb5

SHA256
1a38492ca6cb808b8311f30a0b6f2afa57b57d859310a30674737f589bb06a05

SHA512
0b3f455f9c1fc85245d9976a4a26e1227854d1cb255ed3092cb530cac3564865758578bb7ddf64a4505cad52eae2ba861103b52cbcbcddf8bff43deac13ef5e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
5ed7aa9a65423655264f2952863ece48

SHA1
f34687da61e754bf599c5ce2dfbdefafce6125af

SHA256
805720d4d37423c4876db12fa37179bc4b83ac545a43677900eac506212e1c1c

SHA512
34d3ddc985cc1f36bcf00b372d5c94b8f70e99067b1885d3cfc37d696d459d6ff64d78c6a622de3a8eefd7f0a5bee26fa537177c2c5ddbe1be556c22ae3e5c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
3b85230a56c1f48b0d7c912aa97d043a

SHA1
991e819b6881f0aa46c2b561c7519ec3cfc20271

SHA256
4df30dd973ade178cb4b4dd8d1a8af7160aa6f79816c0fd87ccc0fa73ac31819

SHA512
5e728d0535cb28a2a2e3da1c14e77969ae5a4ebac3cb51185aa182172253cc9cc411083bad8f833b083ec32dcf944d83b66b7931b585756ff671b3f5b3ff0d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
05a530eb44b1013aceb13a6369ac4ce2

SHA1
fda366fc5117a713d9954383e482134d74bb3179

SHA256
da4965f0a31b218cab9a34595f32a84aee707b431d3949cc9f7cba0e6b03fce0

SHA512
872e4fbbbba521d2b816baf890a38dde9523c4bb286d135bb7f2530b442a80024dbe481d0b72704ca97861b17987ebf6324f394753b44b5a32b9643e56c39302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
13bc125d90cf4cee8faef009e085d260

SHA1
4df3d62dcd5fc7ffdcdae0c9cd64a9472f4c95f6

SHA256
8e1dc373cde3120ea3924258e87a7b2405bd7b2df72bf9fdd229d6da3c8b00ce

SHA512
1f2b5128f0995d1983f43690aa06a33d32fb00341d5e19dac2abc30c3819e5f81fba040cc9103264768d80d99089a4ad6b0bd5b9c24feefdfd9477cb0e08e5c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
2ca97dce13a26ba29ea63983bee1ee33

SHA1
d18e8e20774a5dba5198f7ae3716f467869cf949

SHA256
2f261f9c12ea48b66fab44c58602db91c93ccde08d39a906a9b457dbd914f59b

SHA512
e53520c574d42d049c5199712a1d07dddcf8eb7166ba1f7bc00d834c9c77cb462584e88ffa0f76f408e19b214fafb8b85caf7dffded75f0d5402c99c7858c267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
b14aea3e2ece32cf584f115c540aaf27

SHA1
65dd43463780eb2ba5d733d35be22911c3eaa925

SHA256
f44c0ffbbc2d4f084e337a182a81373461f858027cb46c2721d6274533832d49

SHA512
5b2e6a3f1c3dcecf599a9447e98fbf07ef096086839676d7566c78fb07fe58d195d1f2ed2e92bdbfd7bc3f4afc1c5b64e12d4d4b52e9f4067d0be3421cf1643d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
42KB

MD5
9c2ab41b04f13a86a8e1ac88fc611091

SHA1
f96db0e32a7fc2a99912b0e74dec88447545dc48

SHA256
ed439e8a99461cc0ca55e93c09e14a758ac01c4203a5bcfd72a7ef76cabf61b2

SHA512
5b8b2973516832a5e4440b227e3fc6544b6dc025c3628ad2a9a690b9eff1373f89e898ad158c9e3a9c29b8343da938ab6ba08c3d20883048b924f367428de970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
76056ce644e617c9bdcde4b4656d0e8a

SHA1
2a18c3c74c01892ac2a8bffafddc9fe9b394b657

SHA256
37698606b6fba5531105be95bd55d5e1d5399ca3b8db07bfa8270b8ac689688e

SHA512
8fce2f4df0876988c520cc685cf81ec15f24191ed7debdd15878632179709183c16208e6a0acb5301d50d3de5a91431f511e2c483abd3e29e9c7d0d467a02860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13353706067688249

Filesize
36KB

MD5
2e0ff0b0095ea661d15564f5874a513a

SHA1
4906305377a3fcc0c33817480ec7a454de3ac6cb

SHA256
b13c9238ae74816f40ee60563ed27d46bbc636db2b9fc28978e6587993005e21

SHA512
0c50f56fa8d8d853fef57fbe328ae4a9da3e3e0ed0b87e6c6303ff3ac3fbb6773cd0ec1ac5d4d91dd68f2833ee59454bea21558a459878b4117f93aeb6b28eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
285fc03aec3d666519bf484d7cad030c

SHA1
c0ce52d8d38f25856ed8d0def1bb56d73f18c8b9

SHA256
94feaaa4e5f2bf54bacfb9f18dcc2e84fab9f24afec05f001e4936e3249d720f

SHA512
96ffda9ac698bc9dc3db0abea7075a28d0e337b54805143c261b25f0a3311ce26c9096f09eb647a3f7accae57046bcd9cbed189cd78c19a0c54c7edd3ff22168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
f2b1d12ae9096b3387dfc57fa3cadc62

SHA1
6421109b428b4c828e3a7a2f7c8824b99f40a651

SHA256
b71b3d5cec19281c2dae885712854a3758fc4941c96684cc2e5035a747b85fcf

SHA512
83460a25a4d1aa931fdd756385be140e937541f58ac780facac777de85c0e27de2ff5596894e92c7efc8889aba1af063f1a9bf66c08029e5e3e445c0f38266fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
59c4b96e5395eff3ee46e2753b916b26

SHA1
17b595112c6dabc98fd552a0be9b1fc78f8979db

SHA256
63dc2436741b33f6173caae0772f898bae509be9a3d1847252c9a9991ea38fa7

SHA512
638c27ba66811c48aaf2744d4a39bfd7176bbe46394e740bec43bef966b45540cbca846d1bf878297a0ab1b2632d2d2d2ab6eb6686be42fb10a12a5025e389e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
dbe9daf7ab902f86f8ff193ee636bb07

SHA1
6e156cd7e595fe929f7706072ae3af503d1276bc

SHA256
4530ae8342a706ef64a51f6c942a73464073117c8a5add3feeaf15f67979f798

SHA512
cbe764af74b5f1bc8ce8d4708dd466571e60ddb6c27bda2dda16bb39fa61c1c36885385c47c72727ce1e2f75168fefc9edf0f93b9e58c81ce80dbdbcfc21479d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
c330791ddd9278728d8d4dd072084277

SHA1
4e6c63f59e214a9bd114184f4cba88ffc61226b5

SHA256
2a783e0cea105b3c817d0cca944d1c7cb42a33adc8f026d4b03e43c98524aa55

SHA512
3a05546e0ffa1b30b9cf7fd044862a752c08727df87b2c4eccb1253bb2a9a0312f89c66ccc593ca09f656dad41c33444609f7fd09dc16da9d51f8e2ed0831b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
8b16c05dfd0912278d59172b8d603b64

SHA1
8f8d9bedc24b89197aa3e24b6b1bb89f165cb4c7

SHA256
55789732a08c64c26aa3d5746a9e3ee0ac4cd6e2dff65cc80f27f85d6326e3e7

SHA512
86d0847e77e209dd2032ab2259bd887997855c34132f6a9b161acce03a3daae987d672cddd327627218775257843d73a8cf9e11c3d0e6e688ddd67df9847a3ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
5a2d15ae025020468a62936ba7699a7d

SHA1
b3bb5f6ea8c288d944d10f5857f8c941c7b53d25

SHA256
a9482a64d259eff557bdba38a6f99527cea3d72a0530a52ad9bd808cfccabf7b

SHA512
1eb9e5ee12bf26da869fb7c98e51256a7900758c32b4ae24976783922dda4412d724adf03a4784d46cd9644d8233f7da091872970dac3e6bd1bb9d293810ceb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
4b558588f25e0e8b8145c1a9642ea52a

SHA1
775909494253ed056a9a773de0c3373d48700ff8

SHA256
43521bfc6c9daba6badc5ff780ba0c8c700fe98d2fdd64a8cef67df24524a002

SHA512
2640c6f1c4e08f2eeda54abee83e38ccbbc493a98eefb1af78b4a48bac31899e353ff3f864a32a13cf3555e7da9cbf44e0f55414d1f36425f3d25bc00008dc23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
1c428736afa29d34e349d99c3e67c89a

SHA1
00a5e1975656c9c666580980514d9a03de5d6126

SHA256
a8d06691d6d62fb9aec127275058c9548db379e5fd40955b654bc263eb442ee2

SHA512
3ef80b1f27305e1a0ed4734d731ec1902a8b199d302e542e8247e3a67052e34d7e6960a83515371f7eef417cb7e1178ddb594db0367d3bc844f29b71b04d61d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
46b7524cef12c3500e2f4b339b555655

SHA1
6c269648bfa1456479fdcfc38729eae4c012729b

SHA256
a06e225b058e252797eb7c3bc6ffb2a85d24fb0e36fc164819f1d0c102fd208e

SHA512
855f6739733197e47bbcc9cf768b0fd7e5075e9f97932a149a3c8ae5ed2fe2af83e91ada4210436ab9b814a8e99f2a15e3d4fd15ce7f999765457580d3e1218d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
2b5c064e32fbdf5d98cfbae5dd037e5d

SHA1
e5cfd73598e926ef4774d44e8f0d213464873e76

SHA256
2e1bfc3743a294d2159c25396b1d6f51b12bd59f283c498b8bc2ad2ddc2c248f

SHA512
7999121ab1edef3cc890e3cd6b9a068deb7d1247bdb6a8f26fd80088d88de2410400b6fd18f37db74247dc767e38e5ea3b3e0807e253a7547bb0268a7b28346e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
25f9aeedabbc886c1e547196fc3b8676

SHA1
c0332267a9d44f3d9cf6140bc4e5e561d24190a1

SHA256
9c97591d7fcb3d80430009d31aeb33b2440b6073d566281c6fffcd1474581601

SHA512
068468f1a004cd1418fffd2004eaa257292f6605b788468eacd0847e43f4a55e1002d907642e283c8c1fa038d40c2af02812887b124a7e3623f3f605494d2bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
04deed46a9e7ef01dcc157d5d4a9f61a

SHA1
fe2d81a47eb471294cef6e3cab8b51c592fc346f

SHA256
837ca1c80b9ed556786ec48dd72545f1f3aee1f494bf9fdf6538abe1e372fa0c

SHA512
20d4e2c1a9c74d6fcfca8f3be5402e421383534b4d6933f636b90345aa7564d434d0a291909fe43bc975046dea51e30a55c2cbb1183becb32382447f57b48fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
6f0825bf2c200553e592151d171d6c31

SHA1
ed87c26d4554b6db9d2104e407a4ec3567722f5c

SHA256
6a0eae80caa65697e4a2b2356fa8d282749717d02d0c4e7a69637c5d52fc9102

SHA512
f4ced02844fd6bf33924f4c9f11d6094847be91e21a99800840f506bd1808476db3a7da0cdaab3e7700122cdb52bcc816913a93fe62bb893bc067ff743046567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
8ef2d0d41d37ccea16fa135767beddb6

SHA1
320b46062ab23d5dfb02cdbac29cd82a28520d22

SHA256
270dff7cd83bc9bae99760ab1c7dde1869c45fd39e33252c6da689c0c12cefef

SHA512
787a6b1dedeb83d0cbd0ce692e094d5ebc1b074e7d1aa738140d9376bf2f3b82981c751ba84e32f94eefe5bfd946fa40a2b438418699b8e883f4cc15cc8e0482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
4d2e1ea2547f2f6d70779b19d7de9ede

SHA1
703eb886c0feb2e117b0748b978379b6ddd80ae2

SHA256
dc59c82b307078f78dd5f853a818b9b2196a02afcead95708919d79f05b80666

SHA512
7805191bd2684d7ef6689328133e5b611c4188a310d27d96869a468fd18abb64029a5b3e498376e3a97e21dc204a19a6d9d55617890f7fe54643e282943da2a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
3cafeaf9c08f91478ffa5be45299d547

SHA1
a4f7ca20d5f7e49356522a9ec527adf7b36ac68c

SHA256
04df9561fed53306b05b21f06a576c205619322bf9f868c7e5ac469e5aa88f11

SHA512
97862adf94069542c751dd8ba69e5ec63f0360560c16d9f032871c36e3bc1fb93fca583e7bd0f675133f9a8aa3f3b6e08208e62203c8997739105c9debb7ffc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
a62349d3b81f17b6d1aac8ad76cde163

SHA1
7545e6eefd41788289b1f2bd2a2323acba5bc9ae

SHA256
7aa94cf94085f30c2b185325899579432c7d4b1bc79b7926834c8ee27f825c4a

SHA512
a346938439232208b19b3f7f9d534dcde0276137021b5ae06aa3e42360cd9695f5b8c8ce29bc3fd0beef0be48c0d399a7414cbf38bb571e38eb836a0d29e90dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57db0e.TMP

Filesize
1KB

MD5
90204e69c64af0a8178035fb7ad9e18b

SHA1
94cf3b6f81640df909a330a87e84efb92c31124e

SHA256
91bc19de60dab7f6277087435a8566b4fc07eafb4edda464d7d97a141466296c

SHA512
7046fed8bafe8885f58aef2d1cfc4d76bfca437c951e613022d0d2f90f26ac06cbc0b83b21e2d9af0f194100df73becbd972ec6bf278f20fb87f3afd26eca665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
bddc0f2260f8dec967b2b240a406c6a3

SHA1
136d055057d7f88596865c52d1b828de05a836d5

SHA256
b98f8e7279079e8d82a6ae08da20dad39358862feadf91991edefb6d1686389b

SHA512
e27eb85542ee14d610cdfc49a943a59f5d0ea2bf5ce5a5232a2182f4e7da064035e718d5125dbb1cf7a9a80a56a4e9dbc8eb8ec3671d153b948c14b0ad402c10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c9da6761-80db-45e2-a51b-98411b52b1df.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
ab6ab31fbc80601ffb8ed2de18f4e3d3

SHA1
983df2e897edf98f32988ea814e1b97adfc01a01

SHA256
eaab30ed3bde0318e208d83e6b0701b3ee9eb6b11da2d9fbab1552e8e4ce88f8

SHA512
41b42e6ab664319d68d86ce94a6db73789b2e34cba9b0c02d55dfb0816af654b02284aa3bfd9ae4f1a10e920087615b750fb2c54e9b3f646f721afb9a0d1aea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
84KB

MD5
79e81b7f84a479644f828f9335bb0089

SHA1
bd776b92cdbffa3e0337bc5739b35dec95d34de6

SHA256
eedfb350cdf9721ceb39a0b832523c677ce6f3dbc0cc34c62b84de0b04b46774

SHA512
decd5cf0f5d1394592334a571bbc65a36319ffbfce1c6517acd1941913d35fe736e6b6a9dc2a903a04cfce5d0eccee02254bb0034115a9d7991df0aecd7c7b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
3.9MB

MD5
2ddca1100d65d48d9ceeb8337bd8177e

SHA1
d0bd7ac83bc4855202d6065e4cde1a0a37c3a955

SHA256
95f910142ff2a0063a44a3f6ff75b59d0595743342e286609b06e52ab89e509e

SHA512
df44eb2b3f21569c8f5d88c0490e967c54653465630657bc84699bc46e9f28aaf339788511dabadd868c3d02764e4d12720330bd5220d915a56bf501f4811d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
11KB

MD5
0c0c98814fc0f63887a837538294f5fe

SHA1
135409f6491638444173a1dd24374a44ae1696f6

SHA256
53bd17f1d6f1062c8e4de8720d03aa2a560d49f336c9881ab7af5af926f0f213

SHA512
979fddab65d19a09c1b9a961e8526de4fdd18f617c58d30b0c1062a0277d7a2623fef941f50509d21fc2535c8aefe3f3effd3700887f3ffaaa2765a38f495bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
da8e7fdc848fcf4fafb60a16d40b1ac5

SHA1
40e6c68b18b819f2bc29cdd27296db4f5d6f4b39

SHA256
d30d3866fb6a58e331d06228236095923c760bbe393aa5b8035bbd6c95c99b31

SHA512
c4c5ce0abe97d4168d3257cadfb1fc642d6c88b67ecd023c75eca0cc105eca67421a4c19245d16037af37f5129bc941bf608ed22d1ee251e41ac77b7b335001e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
36e178cf58d9909e258c2f99dae81433

SHA1
f543777697d1eccf3e8d29ca6dd32f0040b711a1

SHA256
892812bc7f12835a5cd6365745c46de73b12e9fed4c1ba15431a63b8e6fc0307

SHA512
17db82af1d7943dcc95f40d2fa80382e59e850dc9be6d63960136d29d4a63485ed569101ce6d9e268f3dd49d2dfbdfe03f3fb23f99b2e8834ac6a299d24ec8e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
948d4233b3add76dfc78f4a00aac961c

SHA1
e064649ae9deb1c4b8a537b8cc7dafb3b937f765

SHA256
7bb77a683e40faf204ff49b1310d11209d2565d64ca13ea905e11169cefcfa9f

SHA512
dba8db8fe76fc42c91b3491c0c0798b2c9a0bd3675b0bda79860c55f9e48394edd0c2a34b90b745f87dfa029604b21cdd1a0e8b4233270998558be5e40bfb190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4d6817f7e30f9e755012e644d0cceb1f

SHA1
b8f47bbc1740488f40e93380dc82ff369d441c75

SHA256
64093dfa703588c3df6d6456aa1944c0d2f3d77a7d227b9fee58f14187c99cc4

SHA512
839da5eac3158320f5e7d98a8b7b9de97c3b41057d20c330b5693e11c124dac358555359e2eee26b6131dfab97b9c040269503bff26ce9cd0c36443b1bed9abb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bbfb85d49723140aefc09f0ef0a938bb

SHA1
53be1ca11b5e60f433fce322d5d9525005d651c6

SHA256
eff4bcfdb74b99945558fb5be5ecdbdb60bf094f84c7c468022bd2a0ee72da3b

SHA512
950305a0e3e813c2161a1352a5f73e6b238ad18d51e735a4f0d8955fb67d2f09ffe37ead3a0bf4277efe4fa83cb03da309c46fa32e483d091dd6a4835e4bc03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9eb8fb89220933016a061d86bcc67b79

SHA1
53f39da7a52e3e5a5f7ae307a1760cdfdb3d4a8e

SHA256
18f44af2d01119cf1e7dcb5c7f7926b9e0a3f9813d69bc44d3c207dfa7dad4f6

SHA512
24f150207df06202bc70804e2b82802ec414c6dc99711a3cbb10704863b9fe80cacfdba18a3e95008bd8a522c33e7547b98551bf9f6935375bbc81bd296e9011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4a97ce4c83dad5495ee70f5f7eb450b8

SHA1
ebb8e92be479b7409386f5125295f540b0f08cf8

SHA256
c3df19b323d404af26c582e5c29afc9b6cfe12671d6dd06e5fd5b5548fd3915c

SHA512
a3a41d02eef2142032c41b0662127839242939ecea6f3ceedbd59ed81853919ebb827faf6727aa956d280d611b60f1b3eaa2b5a359675598eae5976586b6f1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2a78738e366f02c60a28b62ed21fe548

SHA1
8bd97b1f13a89b44c8553e8ed9a29aac840f9c8a

SHA256
8c9d9e76b45bea32c2d28fed75ea89f6d2fe1558904da45ea8e9e6cbe376c052

SHA512
90e19775b03db189e1d9ebe221f2ede2cb13ba4bef02efa0a2a9420368c43a53baf4c2b0f613a43d12a1d0f0bbf5084e6f1b668d793b9be1ef6b5d3d7a3dbfb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2c58c2503aad3c74f094397db8307732

SHA1
12e14a4066b6a9d2e3aed1d48835cd0f84fa4cf6

SHA256
b2c8f8e692eeb81f9c9bc3e889f44b505338202ee44e685f0cc365e8d8b9144a

SHA512
899b6cd5e86763cf49370a9e0098adfb69d74860bfc36d3217d757671cc4d64efe7e62939ddfccf5b295615a54d0429f3af56e56125a517bf13a4cfa7d5c826d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8455271852116b72f82b43bdac103dd8

SHA1
b0bdcbc411bcf5b710cf1aabf002eece4c63e8e5

SHA256
a7081a7795918bca4d3bef2432bef14b1bf55781f1ee90583df51b6afe264720

SHA512
26cbf1df63a972a212471a768935b491dd9227bfeff5a3598cb90b6cdf3fd341ba2e1e8b97e3bbe48a0032fec2483ae83b880619569c7312be0e3bf7e311d2ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b3140b3cd57fb1f89448fc9fe8cb874f

SHA1
c412e3c364e1164f5fa346ca2b106b7caa796ff8

SHA256
4e332260c34bd5bb5b2cfafce7a7a772bff6377b472d4fb33b1530222b3adfcc

SHA512
41e752b8aebafb2e3d71eac886a2784e7eae04195f264936daf4f015f02b700dd7ac581de102f665f6ceb59e375d1d87cf4c4a0ffd16a5e70ec0fc497040d655

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
4720950d037e8d01b878049cb37efc3d

SHA1
2a6f2b28756943c19423dc2828e9aab99bcbf42c

SHA256
090b14e05c378f1333345d6a74d08944bd42721db560d57c263ad05ab9766479

SHA512
064383c9f512adf8faef484a0544242ef87f2674b562eaf76bbd5d75bff072d786184a271968967f82cd9dde5d2eb6fd7e7474d8e6fb414e0b34fc1b77782c01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b01033ba-6933-43f9-b2a4-a22f17654ae1.tmp

Filesize
12KB

MD5
357be4e24b069d76501b63426c555530

SHA1
176aef0092c33128764094409dd43afaab3e36ae

SHA256
4d7d78625e96bb1e85c96d533eee05633a082afed9d2be3112cdadcf5962864a

SHA512
3685ddafb2eec59fa4495b36fdb0cf7a99efdb1ff2fdaf222a021a67346a9bab5bf92f14f51eba0eed5f1363a23ddad1f51322c39da5d7008004cf4041cd7433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP7H3V5Z\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
10KB

MD5
4e332b3c88c3bb4182fd39de8c28fb15

SHA1
9cc6136d4c0f97c14cd3737644c576d16c6f2e6a

SHA256
0f6049ae9d3892dc6e6274552accbd55715007f161fa59d68ca607a7de4b7946

SHA512
8cdf4e2666f260d5d98dbe222eea565395c710ff4399e4500c7b1384bc32fcb47fd329fab126259d5a93c3e0a09f4ffb549943244060743187af1a4ea96f219a

Download Submit
C:\Users\Admin\Downloads\Desktop Goose - CHIP Installer _ADfKp.exe

Filesize
5.1MB

MD5
f5980f17f44da870072c5ce396eb01bf

SHA1
22ce208acb16875cdd9d42a794557a56068220c2

SHA256
2f9079df89e96a997a910f9243173ac60bfe625501452152f8ab281778e5696b

SHA512
f30c2029f7b85c7959385f64627d2443e9e76b8a025a02aa2619f0758dbdd0e00f2b0464a8af5a4607be1bff006d24f677d548bac0e755f880f7207a6e465037

Download Submit
C:\Users\Admin\Downloads\Desktop_Goose_v0.31.zip

Filesize
4.1MB

MD5
eaad0961b52b14d9a323f092ef307d8a

SHA1
feb3aedf16432b063ff93c90623a865a1fd5214a

SHA256
e66264065923676807fd6d7b36f7c9dc52db9ef1c5399b2811738eb5e22a30f6

SHA512
fc42d2ed6a8a8efee0898236526dbe46218dbec657caa5e70bcb18433345d56a010903c155c726a5c9e117e1759cae42560e18da49d5bbfe4e99048fbd326330

Download Submit
C:\Users\Admin\Downloads\Desktop_Goose_v0.31\Desktop Goose v0.31\DesktopGoose v0.31\Assets\Sound\NotEmbedded\Honk1.mp3

Filesize
5KB

MD5
db2b7cf36003b2b653df6f3ca986e007

SHA1
d61a94c7b965dec3daa6351d849fa22f646edf8b

SHA256
56a240ddfbb494a6cb5c02a1271b5cc9a79217c53b481d9d3240b4973808d65b

SHA512
3c5ba0484567bd520334837c54df160b26d3a3be952474aedf23a946369bada58241dc43a471d8e9e652e0b682599f1c5dbd03e39fe8c1f6182b806b6939eef3

Download Submit
C:\Users\Admin\Downloads\Desktop_Goose_v0.31\Desktop Goose v0.31\DesktopGoose v0.31\Assets\Sound\NotEmbedded\Honk3.mp3

Filesize
5KB

MD5
bcd1908ce864cb01a222b5cc791d7758

SHA1
fd1f938c0497cf8cf81832843a58db3ae13eb4d9

SHA256
e4b86c31838511199dac9eb6e0507736ee461b0edaa4bf9351142c534f2c2e8e

SHA512
8e883b8d54f9461d1f9dfae64cab391c17b405b6ce351648aa420f0a589def8a4f6d135f3bfb12158aa66df67d4d7b056f0ff3d80c052bf8dc0e1b31a670f759

Download Submit
C:\Users\Admin\Downloads\Desktop_Goose_v0.31\Desktop Goose v0.31\DesktopGoose v0.31\Assets\Sound\NotEmbedded\MudSquith.mp3

Filesize
13KB

MD5
b2354d238829d09c54e272d8b4f60189

SHA1
5a2731c04c50903d41f65d9fe5528a66cbefa289

SHA256
d5281ba99731fe3c443b6b2d18960a49e74b5b407956d3e1a3cde360f86573ba

SHA512
aafbc687b5eac32fe1b4d838ab1ac88103d7f59d0b5f51519845abdd9ae37147e73143e6039719c3d06915107397e3e0a666d0cb1677cdbe05bccebea69ecaf9

Download Submit
C:\Users\Admin\Downloads\Desktop_Goose_v0.31\Desktop Goose v0.31\DesktopGoose v0.31\FOR MOD-MAKERS\GooseMod_DefaultSolution\DefaultMod\obj\Release\DefaultMod.dll

Filesize
5KB

MD5
d9d3634150a96a3d15961599979db1a8

SHA1
ba4773062cac856ab60e35c29fb655dc82af9144

SHA256
feb32e09081e223ddaf453321abaebc12c3f18d533a393326142deec7c31394e

SHA512
a086f46c1c2743cd13b59c492c23b8b15972070c3555f50fbbfbf5eb40d187cbc179f473939b615cd32672fb6c6d952d5b11400e7172770f2d968347df39b29a

Download Submit
C:\Users\Admin\Downloads\Desktop_Goose_v0.31\Desktop Goose v0.31\DesktopGoose v0.31\FOR MOD-MAKERS\GooseMod_DefaultSolution\DefaultMod\obj\Release\DefaultMod.pdb

Filesize
13KB

MD5
ea84a9650bc71ee622841e827e4b39e2

SHA1
7298af7d1a0742349b68f78d7a5b4dcd41d1b647

SHA256
4c97839956c209c0f2a734e26a7a2d23235befeb938384545fd85f691084de7f

SHA512
532ed6194c95fb36de8e385289464e11c034d0c41e0354629563ad69a41ee034c27e54f4de96985189e8e65b0dda6cd6f8a8cbc8374bc55f895cd7693207491b

Download Submit
C:\Users\Admin\Downloads\Desktop_Goose_v0.31\Desktop Goose v0.31\DesktopGoose v0.31\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\bin\Release\GooseModdingAPI.dll

Filesize
16KB

MD5
6f6c8f80d6c36739147b38016bd4b469

SHA1
bf0f81a00ccc595242620b15ade2a0661424d9e3

SHA256
fba607ccfd47e2b6ba04d449f1de10e3b66ba35b7d0e96f71e7c61d0c10486f4

SHA512
1b3d6da8eedc140f3836c60eadc5251870d01db99e72d33ec0b2a585e2e4b2f7e643e2a12ad42f8e6d8704e8af67ca1df728acdbe18c614a1b8f6746d0c3fbc6

Download Submit
C:\Users\Admin\Downloads\Desktop_Goose_v0.31\Desktop Goose v0.31\DesktopGoose v0.31\FOR MOD-MAKERS\GooseMod_DefaultSolution\GooseModdingAPI\bin\Release\GooseModdingAPI.pdb

Filesize
25KB

MD5
5e0ccb3bd78be9cd539fef6e4005e47a

SHA1
9a28756dffdef59d36bf42cb9cc8e02e454026d2

SHA256
4e4eb668831c91756eb030045d118ebd069fda0b0e0065ee2467c4c1c382cdd8

SHA512
4c58e1d9d77c42500c3d91314257f563a6b3af627ae0d5ec257b38a8b8008b47ad10b8b3a0661bc72a12bdaf549a33453a971802542f5c719fc979fa9f6c1372

Download Submit
C:\Users\Admin\Downloads\Desktop_Goose_v0.31\Desktop Goose v0.31\DesktopGoose v0.31\GooseDesktop.exe

Filesize
221KB

MD5
c883e2c769ebe56240a71260b17f1b93

SHA1
4a831d4f48f6ea81db508c2a87cf860acd17edb1

SHA256
943fd1ea44266c5d7fa02f2b292db095a4e6ba8027a1f6c73fd60d1165e63aff

SHA512
dae40d442794152285ce484b10095d11592a39cb1968bd38cc70ee23005bd1e04ad4312d7266107bdd375e10fa91ab9fd3d41d4d6ccd2268d052b343528c4376

Download Submit
C:\Users\Admin\Downloads\Desktop_Goose_v0.31\Desktop Goose v0.31\DesktopGoose v0.31\GooseModdingAPI.dll

Filesize
16KB

MD5
9eb11041f2f11d939074e26b4b554088

SHA1
50deec7591fcc5db40939543fc9bf92109f2df05

SHA256
efa31df7ab1394092395365805f913dd023cdcd21796603f133641524fb9ad79

SHA512
2d07f40f56ae0dcaba51bc65e4617a0bfd67be13be5156fd7c2850645a461f87b97e46b2c596c21752df2aa488f6e6c329534a523bd7f88234be956b8af13bd1

Download Submit
C:\Users\Admin\Downloads\Desktop_Goose_v0.31\Desktop Goose v0.31\DesktopGoose v0.31\config.ini

Filesize
286B

MD5
0288c130074a043df404ac331b9842b3

SHA1
196355e0ac857082a32e36c4938fe22794b8c55b

SHA256
db74de308ed6c409c5460ba10ddb590ed1f5b5281a61e10934d004feba454ee9

SHA512
52af081fbf93803ab11b4ebc219371662613a9ca05980a045c6af258ea631f2462d6f932959f9d98777e18644a608e884757c5886e00bbbdaa138b3f8afeb07c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 149053.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 334702.crdownload

Filesize
3.2MB

MD5
d1cd47d451a58bca4480c87341cc0170

SHA1
cab769f187ea6ed34d63600ffc54747e1b928b91

SHA256
2d20504119b32a9e83ed2d0d2bfceee225863a7126321ae658887bdb0180c5c9

SHA512
c27222872c3bfeebc2a4c2ead058e16ab4722c654193b21295e8860720bdc7711bb17c7076e12acd22d704b206f994411ce85002a8b88a437eff758435838595

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 413665.crdownload

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 511301.crdownload

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
memory/2104-885-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-887-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-889-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-888-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-891-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/2104-892-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/2104-893-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-896-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-898-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-897-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-899-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-900-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-895-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-894-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-901-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-902-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/2104-903-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-904-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-906-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-905-0x0000000005A20000-0x0000000005A30000-memory.dmp

Filesize
64KB

Download
memory/2104-910-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-908-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-912-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-911-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-913-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-914-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-915-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-917-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-920-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-922-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-923-0x0000000005A20000-0x0000000005A30000-memory.dmp

Filesize
64KB

Download
memory/2104-925-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-926-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-924-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-918-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-916-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-927-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-928-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-930-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-929-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-931-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-932-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-933-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-934-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-935-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-936-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-937-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-940-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-939-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-941-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-943-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-945-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-947-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-949-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-946-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-944-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-942-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-890-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-884-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-883-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-882-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-881-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-880-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-876-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/2104-878-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-874-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-875-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-1123-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-1125-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-872-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-871-0x00000000078F0000-0x0000000007900000-memory.dmp

Filesize
64KB

Download
memory/2104-862-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-864-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-868-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-870-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-869-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-867-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-865-0x00000000078F0000-0x0000000007900000-memory.dmp

Filesize
64KB

Download
memory/2104-863-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-861-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-696-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-695-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-694-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-693-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/2104-692-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-691-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-690-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-689-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-688-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/2104-681-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-687-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-684-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-685-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-683-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-680-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-677-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-678-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-675-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-674-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-667-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-673-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-671-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-668-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-669-0x00000000077C0000-0x00000000077D0000-memory.dmp

Filesize
64KB

Download
memory/2104-664-0x0000000005570000-0x000000000557A000-memory.dmp

Filesize
40KB

Download
memory/2104-658-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/2104-657-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/2104-656-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/2104-655-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/2104-653-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/2104-654-0x00000000009B0000-0x00000000009EE000-memory.dmp

Filesize
248KB

Download
memory/5340-462-0x0000000000400000-0x0000000000928000-memory.dmp

Filesize
5.2MB

Download
memory/5340-389-0x0000000000400000-0x0000000000928000-memory.dmp

Filesize
5.2MB

Download
memory/5340-293-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download