lumma | hxxps://bing[.]com

max time kernel
912s
max time network
916s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20-04-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bing.com

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://mazefearcontainujsy.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

https://pushjellysingeywus.shop/api

https://absentconvicsjawun.shop/api

https://suitcaseacanehalk.shop/api

https://bordersoarmanusjuw.shop/api

https://mealplayerpreceodsju.shop/api

https://wifeplasterbakewis.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 5 IoCs

Processes:

Launcher.exeexpandera.exeexpandera.exeexpandera.exeexpandera.exe

pid process

7136 Launcher.exe
4600 expandera.exe
2608 expandera.exe
6708 expandera.exe
5676 expandera.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

144 camo.githubusercontent.com
147 raw.githubusercontent.com
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\WF.msc mmc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Launcher.exe

description pid process target process

PID 7136 set thread context of 7156 7136 Launcher.exe RegAsm.exe

pid	process
7136	Launcher.exe
4600	expandera.exe
2608	expandera.exe
6708	expandera.exe
5676	expandera.exe

flow	ioc
144	camo.githubusercontent.com
147	raw.githubusercontent.com

description	ioc	process
File opened for modification	C:\Windows\system32\WF.msc	mmc.exe

description	pid	process	target process
PID 7136 set thread context of 7156	7136	Launcher.exe	RegAsm.exe

Drops file in Windows directory 13 IoCs

Processes:

taskmgr.exetaskmgr.exeMicrosoftEdge.exetaskmgr.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeReceiver.exeSecHealthUI.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\860799236\2353875992.pri	Receiver.exe
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	SecHealthUI.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133580750526521130"	chrome.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exefirefox.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "420414849"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 3d1488c4fb92da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "420366264"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "420382859"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{C48713E2-9251-439A-9709-F9A9C92D7A4B} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\expandera.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\d3dcompiler_43.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exechrome.exechrome.exetaskmgr.exetaskmgr.exe

pid	process
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4616	chrome.exe
4616	chrome.exe
2172	chrome.exe
2172	chrome.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe
5688	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid process

4460 taskmgr.exe
5688 taskmgr.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

1620 MicrosoftEdgeCP.exe
1620 MicrosoftEdgeCP.exe
1620 MicrosoftEdgeCP.exe
1620 MicrosoftEdgeCP.exe

pid	process
4460	taskmgr.exe
5688	taskmgr.exe

pid	process
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

chrome.exe

pid	process
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exetaskmgr.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1504	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1504	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1504	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1504	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	360	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	360	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1400	MicrosoftEdge.exe
Token: SeDebugPrivilege	1400	MicrosoftEdge.exe
Token: SeDebugPrivilege	4048	taskmgr.exe
Token: SeSystemProfilePrivilege	4048	taskmgr.exe
Token: SeCreateGlobalPrivilege	4048	taskmgr.exe
Token: 33	4048	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4048	taskmgr.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exechrome.exetaskmgr.exe

pid	process
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4048	taskmgr.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe
4460	taskmgr.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeReceiver.exeSecHealthUI.exemmc.exefirefox.exe

pid	process
1400	MicrosoftEdge.exe
1620	MicrosoftEdgeCP.exe
1504	MicrosoftEdgeCP.exe
1620	MicrosoftEdgeCP.exe
2084	Receiver.exe
3988	SecHealthUI.exe
3596	mmc.exe
3596	mmc.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe
1880	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MicrosoftEdgeCP.exechrome.exe

description	pid	process	target process
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1620 wrote to memory of 1688	1620	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4616 wrote to memory of 1060	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 1060	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 4516	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 3840	4616	chrome.exe	chrome.exe
PID 4616 wrote to memory of 3840	4616	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://bing.com"
1⤵
PID:600

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2876

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1688

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1508

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ffc3abb9758,0x7ffc3abb9768,0x7ffc3abb9778
2⤵
PID:1060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:2
2⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:3840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4460 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:4388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:2868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:3992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:1648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5152 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2068 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:5060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2608 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5800 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:4000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5492 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5364 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5320 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=888 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5780 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2416 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3256 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=3752 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=2608 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=3104 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:3112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=976 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=5696 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=3104 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=2584 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6120 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=5456 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3176 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:8
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=3112 --field-trial-handle=1760,i,15739798802830426085,3287327069459702385,131072 /prefetch:1
2⤵
PID:3768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5104

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:4460

C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy\Receiver.exe
"C:\Windows\SystemApps\Microsoft.PPIProjection_cw5n1h2txyewy\Receiver.exe" -ServerName:Microsoft.PPIProjection.AppXyc5005t48873jyf8bjkqmmpy1ga90a9q.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2084

C:\Windows\System32\CastSrv.exe
C:\Windows\System32\CastSrv.exe CCastServerControlInteractiveUser -Embedding
1⤵
PID:4464

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3988

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\WF.msc"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1932

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap21575:78:7zEvent14715
1⤵
PID:3952

C:\Users\Admin\Desktop\Launcher.exe
"C:\Users\Admin\Desktop\Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:7156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:60

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.0.398915658\147067425" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1704 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {800946f0-ef28-4fa5-8708-226568d721ae} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 1796 1cf4d4eb858 gpu
3⤵
PID:3104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.1.1158524224\710261191" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e968066e-2250-4cec-b05f-c3ba483f99bd} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 2152 1cf42271f58 socket
3⤵
PID:5228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.2.36840912\955931489" -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3052 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c5ed24a-c37a-40df-9c11-c346fc72d2d3} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 2960 1cf4d45b458 tab
3⤵
PID:3964

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.3.1478395877\732723766" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3464 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {581e6a22-c0db-4ce5-8d37-ba50dd3cd5fc} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 3448 1cf4f9f6858 tab
3⤵
PID:3344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.4.627797636\1181189176" -childID 3 -isForBrowser -prefsHandle 4192 -prefMapHandle 4204 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61bc4347-b86d-436e-9355-b190ee513d5f} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 4180 1cf52335758 tab
3⤵
PID:1504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.5.1033512405\1951755436" -childID 4 -isForBrowser -prefsHandle 4876 -prefMapHandle 2520 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fce4ea57-5c49-4463-8ff7-f35446c9e726} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 2584 1cf535cd858 tab
3⤵
PID:5132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.6.1057391842\508288256" -childID 5 -isForBrowser -prefsHandle 5004 -prefMapHandle 5008 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f872d11-30e2-4e38-bd17-06c3107b8575} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 4916 1cf544a9458 tab
3⤵
PID:5140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.7.1238672548\2115491084" -childID 6 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63abd4b5-44c9-4d8b-8977-94fb31d8779f} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 5196 1cf544ab558 tab
3⤵
PID:5148

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.8.2048134030\2102260845" -childID 7 -isForBrowser -prefsHandle 5564 -prefMapHandle 5556 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {164029d1-c3f2-4b38-bbf7-0dc4e16049f7} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 5580 1cf4226d958 tab
3⤵
PID:5780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.9.1308347915\203437889" -parentBuildID 20221007134813 -prefsHandle 4212 -prefMapHandle 3732 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4998eaa-f740-4642-b02e-129a8f625c26} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 4492 1cf42230258 rdd
3⤵
PID:6076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.10.2033957749\1481037494" -childID 8 -isForBrowser -prefsHandle 6060 -prefMapHandle 6072 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4adfe34a-b7ed-44d1-863d-d84cc05a669f} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 6040 1cf42266558 tab
3⤵
PID:6104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.11.131463249\1397798801" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5824 -prefMapHandle 5820 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {947c274d-7220-4a6d-9844-ac7c006d61f1} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 4608 1cf4d4edc58 utility
3⤵
PID:6236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.12.960474474\1529518278" -childID 9 -isForBrowser -prefsHandle 5280 -prefMapHandle 5184 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5af98843-44d5-4863-8317-53d90a18532e} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 5272 1cf544ab558 tab
3⤵
PID:2560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.13.651458837\763507190" -childID 10 -isForBrowser -prefsHandle 3836 -prefMapHandle 4620 -prefsLen 26808 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f4d8340-cd1b-4faa-89e6-85543378b1e7} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 4628 1cf50576e58 tab
3⤵
PID:5512

C:\Users\Admin\Downloads\expandera.exe
"C:\Users\Admin\Downloads\expandera.exe"
3⤵
- Executes dropped EXE
PID:4600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.14.254805169\807321661" -childID 11 -isForBrowser -prefsHandle 5736 -prefMapHandle 5572 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7b1dea4-1243-40c0-a52b-5ad0d98ae128} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 5716 1cf4225df58 tab
3⤵
PID:6292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.15.407670010\853984075" -childID 12 -isForBrowser -prefsHandle 7304 -prefMapHandle 7276 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {343984e0-fea7-4196-913a-74ffd3ba8d08} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 7248 1cf504b4b58 tab
3⤵
PID:2768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.16.1182238936\203504961" -childID 13 -isForBrowser -prefsHandle 6236 -prefMapHandle 6336 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {380724ab-568a-4718-a95d-96ecc3610d42} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 3824 1cf50576258 tab
3⤵
PID:5292

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.17.739123436\1730497535" -childID 14 -isForBrowser -prefsHandle 6372 -prefMapHandle 6380 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cd34e60-bcda-47f2-890b-640bd71a1f58} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 6260 1cf57234458 tab
3⤵
PID:5468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.18.277562645\1178186605" -childID 15 -isForBrowser -prefsHandle 4320 -prefMapHandle 11268 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {728dad78-0d73-479f-950d-305d1aa058a8} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 6568 1cf56cab658 tab
3⤵
PID:3500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.19.1205750806\443869894" -childID 16 -isForBrowser -prefsHandle 3824 -prefMapHandle 6736 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7040242d-22be-4f53-ae69-d6aa1f7e871f} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 6680 1cf56cd5658 tab
3⤵
PID:3960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.20.1244100841\1549923184" -childID 17 -isForBrowser -prefsHandle 11004 -prefMapHandle 11100 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad37be6f-2313-41f2-ac86-44cca06b9b18} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 11052 1cf5a5a0258 tab
3⤵
PID:3460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.21.2029192154\1915862497" -childID 18 -isForBrowser -prefsHandle 10804 -prefMapHandle 10816 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {518490eb-b936-4b85-b188-2ea7707be372} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 11332 1cf555d8c58 tab
3⤵
PID:5388

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.22.1467725472\608254593" -childID 19 -isForBrowser -prefsHandle 10636 -prefMapHandle 11332 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31e598d8-8a19-4612-a1f3-3892f2163c27} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 10648 1cf56133f58 tab
3⤵
PID:5380

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.23.1569290021\2135589667" -childID 20 -isForBrowser -prefsHandle 10448 -prefMapHandle 10444 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d324b34-c131-4f63-8ad4-742444b32884} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 10456 1cf56132758 tab
3⤵
PID:5400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.24.250098084\1681058657" -childID 21 -isForBrowser -prefsHandle 6728 -prefMapHandle 5556 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a26876ae-d036-4bb1-b9e3-00a95cb03a23} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 5008 1cf5913ed58 tab
3⤵
PID:5956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.25.1496262638\1083457019" -childID 22 -isForBrowser -prefsHandle 10412 -prefMapHandle 10416 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa20bff4-7f30-47e1-a37b-d681154ee504} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 10436 1cf5969fd58 tab
3⤵
PID:4560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.26.250088512\1909191554" -childID 23 -isForBrowser -prefsHandle 11216 -prefMapHandle 5732 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3b2a888-670a-46f1-baf7-9847ce6ee0df} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 11224 1cf596a0c58 tab
3⤵
PID:4588

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.27.1606692761\135540175" -childID 24 -isForBrowser -prefsHandle 10652 -prefMapHandle 10524 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00410cae-cb9f-42aa-805d-c65054337534} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 10144 1cf4fa0d658 tab
3⤵
PID:6408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.28.1008151782\186681222" -childID 25 -isForBrowser -prefsHandle 6380 -prefMapHandle 11456 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5b43a1c-33a4-442a-9ff1-a28855add194} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 10456 1cf4fa0ee58 tab
3⤵
PID:6440

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:5688

C:\Users\Admin\Downloads\expandera.exe
"C:\Users\Admin\Downloads\expandera.exe"
1⤵
- Executes dropped EXE
PID:2608

C:\Users\Admin\Downloads\expandera.exe
"C:\Users\Admin\Downloads\expandera.exe"
1⤵
- Executes dropped EXE
PID:6708

C:\Users\Admin\Downloads\expandera.exe
"C:\Users\Admin\Downloads\expandera.exe"
1⤵
- Executes dropped EXE
PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
Filesize
49KB

MD5
e1f8c1a199ca38a7811716335fb94d43

SHA1
e35ea248cba54eb9830c06268004848400461164

SHA256
78f0f79cdd0e79a9fba9b367697255425b78da4364dc522bc59a3ce65fe95a6c

SHA512
12310f32ee77701c1e3491325a843d938c792f42bfdbbc599fe4b2f6703f5fe6588fbcd58a6a2d519050fc9ef53619e2e35dfadcbda4b218df8a912a59a5381a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007
Filesize
24KB

MD5
e1831f8fadccd3ffa076214089522cea

SHA1
10acd26c218ff1bbbe6ac785eab5485045f61881

SHA256
9b9a4a9191b023df1aa66258eb19fc64ae5356cfc97a9dda258c6cc8ba1059ac

SHA512
372c486ac381358cc301f32cd89b7a05da7380c03fa524147c2ddf3f5e23f9b57c17485aaedc85b413461a879afc42e729547b0c96c26c49bbdb7301cd064298

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008
Filesize
44KB

MD5
2b312fee4bff7fb9b399aa619ae1811d

SHA1
cf5e3270ef62ea6ce023f9475dbf7ed67e10527c

SHA256
fd5fb41882dfe849ea47547bf38b9abc435683d7473703b4cb37e8c28b1de4cb

SHA512
3a42c3a12da46656d8dca9b54651027873f42d2ec2e6e706a41b4b520d387f0c3c0388e3d117bd49174d7074079f3404c00b6141c8dd22d38ef1a257f52a9791

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010
Filesize
21KB

MD5
e9a5315fe482aa6a84b4cd461a41a5cc

SHA1
06833b57adceda1c91eaa2072d368c54fe4995b0

SHA256
6a00fd28670b7ddc6725260bf6cf4c345762edcc5e74e4eb77367b4969efa9c9

SHA512
86dcee3ad5c69dfb9bf6f0e8246b1bf2f95a27188c17e1cab7b9270774c37b8d0e6b2acfd33f144ba74d17c849299a9c750dab9c8f1bff09147befb7876421c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b
Filesize
106KB

MD5
c32068cc5af65c3041ba5d1169c21877

SHA1
4916b1ecb06fc8dae881723edce23c15f992c425

SHA256
d2236b94ac1e28588be6609b6320fd429146a70e97f37e2a4d70410cb15990ff

SHA512
f6ee1f788ea0ab74538c9661df557b9f1f81465f098a9021d73703a7fb5fa81e849b89ce6a4af8377972b3a39179860483eed32cf7277c414aa96b48344ce3e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002c
Filesize
223KB

MD5
e225d1ab20c582cc893e89b96ee0c798

SHA1
82de39a3786bfcfc0e6841e8751352d53ab9d99c

SHA256
f6d6b38cc040cefbdc83be030dc6552ef6fb222984dd28f50c9a3c01c74fb193

SHA512
c06c736a4b349c9ce0a4ffae4534348822c9c8d2b0831c202e39f91c223c38bc2aa0f338d68c941042932d6ccb3cf7e5d64056db3bbf196e4e6c373716f636af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
73a86c2bb8080719cb941e1f361abb1b

SHA1
41d497a67c975295e0f8d8c110c00bd9f6dd487c

SHA256
04b953cbe9878643e5e9136645d4cdd3115f914f5b5c4e2fb9ea87c9265f3d1c

SHA512
17f92307decdb46fdd45dc4d370e5ba1178df747ee5507a037f81646380a9f80f4b63da7f898479ba2a7ec066cb2aa08c8843763eb2df69eb0d5f3ae544a28b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
9f3f724b5acccb9f72658abcc094e44a

SHA1
171140e8400921c9922ca0ed55dc5992e00bd369

SHA256
097fca7a84f6e0a49ca0f4b9f8d8981c2e9c0d4f1ae891d3c8eca2277b4595ed

SHA512
03f1fa21bee2faefebeac0beca54180d142be7d815ea226afe9d898e31e9512de64e4c0927c51fb4224416388f06b75bcf2cc8c1f98b3c43435bcecc23cffa96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
78a18f8c9108469fbf027df749d41a2b

SHA1
dd72c7d58abfe7860b2e4d6f9c7c4b30b52b50e9

SHA256
5c765f845299f62e5ac24ccdd2ad120f1db9aadf03db4b076275f2f9f7743735

SHA512
cc9fe6f1a336f3f78de181ae9b506541be98cacc1ecaf8070ffa7c907be85dc541bae6204d80464c7a80c39029392377788b7547a236ab9ea97c7dd750d79646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
f5dc37f9f78831645218deb57cdcbbc7

SHA1
f44b79939b5e4ff2d232481b4066183ab2aca84a

SHA256
b81e1ea4b91daad24e9ce485ccd323bd9d4fef2cf0d002ed7f745828bef6e74b

SHA512
7ec775dd347688e5ba6a72ca48f6270f9d572e6da410fe8f27f848ef4f806b0d6720b560613b32091c34979405ca356d0eec3b4dc4264017b6f54a728322ac4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
3b9ae15a5ed5fb9867fe07f0a59e97e1

SHA1
adc2eefc93d9f4b543ac873257be544701c1a34e

SHA256
6514f69080ea45f44c99040b7cd8d0407596ac59310737d7fe5a6183b86eb8da

SHA512
298e7b07fc21955cc5fff97aa355e8f5d35d850bf43f4eb87eb9c6a295f03c60b328ad578d40c315ccf919282d2014db85aa0b1c5059ca355d90ed3ef4660209

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
148KB

MD5
582986a9cc224045e4fbf952265312e7

SHA1
4225f4e11eb325909f32d9acb2116b4442c365e0

SHA256
cc04738cffd9daa250601270d73629d8524f40ef4573a709a9da2ed4845a6d16

SHA512
2c5f95ad73ed8e5b0cf6d2130423a9da8d469c42c398c167b8bfb40d509202aa51de41ce79eafaf8621fc47442b8b77f874e5dd09472a3f35ecd4c22950eca75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
8ab154902cf81c350a84ce382a66af79

SHA1
7a8b69efe55abdae9865a8db9ecd5e2210676bab

SHA256
77d3c3642c53b7d8ba81ca3cd23bf78f588595cce6df30452ecd45970ee6e7a9

SHA512
635ef596f0a26c1f582d66a3dbcccde649afe7e6494d18df2856b65c4051c6895b05df3674a1c3ed9d36d399640a7cf67c30e08faf9327f6a658fdc5bd52fbef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
1613149f15560b9db7036915b1273bb2

SHA1
2871fecd9b27c676254af70d1de3f781d7adf654

SHA256
2c0265eb36e775afc27db4b88594d7852a6e202e77f7f3906d6892e814890d93

SHA512
fc3659b21fc0a3078c1931c5b38f5554c465f5c2e2065fcc30afaf5d3619f9f7bac0e34159f26a61423cf421604afdacdc8c254a4f021ce38bdaffc82502038f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
f276a6cb969945985bae36b18d3e6ed1

SHA1
23607bdbe07c64269c7e8fcf4c22b30af6aef364

SHA256
9ba8d7e383b3c284cdea4250e8ccaae14ac5d769502161d112ae75abdc67e1f5

SHA512
bd4775dd44008ff3341ffecf874c884ba608e4e8fdd1ab963972a91f5329e29535f9507b632be268401c36b1b125f3941aa455cd100ab56ed797a9e7eb7a1a3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
0bc73e1f9375245a0d226e456eac727f

SHA1
ba5c57350b0f7d4c8e7c64e2038729b66fa88faf

SHA256
828b3f9262a7f9fe723024c1802894dd2de8988644451a9b105d3080f48b9510

SHA512
0259b5548839225989362de110bb87e3dd19585187a2500a23d76892f548e4aa89973390b8a9755bd00209d60692111bc420c28a40bc750a06fc1eb37c890914

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
c3edea738fff62a64c442fa3f1f87232

SHA1
2b7f1be1d23a4e4559d7f82e3185cbddbf406ae7

SHA256
91f392c945716fd7f3a977cbb62fa43372afab23c128a5b0487491703347d00b

SHA512
5724f1b36c18c116f2d35861ec82ffbea5f6c1f264a50ef6824ccdca37f0277e80b4e6af272e1a6f885112e433db0738ce74c0de87331d865572e4b556cf6751

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
857bf6ab880b00946c7873923d015a29

SHA1
86dde6f92ff58a689a80cdf1f50734f61ffba7ab

SHA256
ef954ca29e6a8e917988f1cca790bb8074e0be7af5ed738af1e008142a374a46

SHA512
b551f27ba1e7bf830142164dfd4ef2ee688d044b4216daa782324048489b76340b65226295e77a57d8e2b5a98350af5c47a748caa7f42a42d1ba1b9bb2f643ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
21b62cd59a56f12609a7df25440dbfaf

SHA1
0b2065c3e8cc93111148c6e783dac0ad056519c3

SHA256
e88adceeacdef0c12f1996983f1096ba731793bdc6c32757368a7caf1a105ff8

SHA512
7f38797b78413021bd86e6fcda468084f15394beaa07cadb7f190bb0975f2d62ca7f21bd5be664496fc130d0b9866b2cd908acf946320792e690a3550e1b77de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d16867c2ca4062713cc63446eaf8f483

SHA1
f184b67d1b241033c28d834b44a80dcd9a70d7f1

SHA256
e2e3a206b402fd5bc34f9011a022a2a458ffcf9648c578c2a1a01c326ff925b9

SHA512
11a55cfbb5aa9bbb45e858dfaf8834bb392d99c63ff3358f147b020140085c21bb77ffc0445ea3bd4a4009a204475984f9b549b31bef5c22abb9caf8d3a3faeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
86bfa63cd1718a0ef01f82b25951dab2

SHA1
3adbe9baf8bd7b4ce0d31f0f94b613e4cc7f0043

SHA256
c1fee92a80afe591aa86df0e4e8503f8ab57805f5895e321b9aa2d214424e0af

SHA512
2593d406f98d824b11a86f322e2e761f6068c9d639bda18a556449cd33460293b0fe56700a00a51c1663e3607cd5fe61d916c7bb4d5375cd6ff8426e4157e1c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
38d65d8b833ab2e0749beb535b139e39

SHA1
21dfaabb1c1c53cf5e8a539efab9eb5a1637e740

SHA256
43cf3f4c2ae7ee1fcebb53530fd1e70a6913626679cb71adce9fac70bf8654d0

SHA512
b972fb8acf3ba8476f5c5017c76ff47afab07eb2e5c0412b17908e49043f1f19e5c6ae5cfa540bc817660342deb7dd3ca94eda08f8cd9a81bbca4752d3251c7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
eb73f37ee1dae62f4f7becdd50036ea2

SHA1
a3829099491f855b62d3d875ad23528971cbf3d0

SHA256
3e5a28e22e33165fa14907733ff40c5a4f9f58134e25aa9c3b8d198d20a400f2

SHA512
20e46ef105cd61f690de21c8f44ea8fed0f859db31543d9a45b5d2f6c13166d2356f5265e02ace445cc89f491fd57689f21cb559da6f0abedfe465442d234e18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
042c10b71ebc265355eb36641bcbd9d6

SHA1
f70bb2bd4031a13d0534d37c4afc4f453b49eaf4

SHA256
e0ebc6e2d89c5f478a1d2efa0dedb9a6fb244a95c7ab8605659e862279390b3f

SHA512
991d755a451bd1de4ed7741cc7fe99e1d2d4f160d1be6f728ed79469bff6e674192d0baea5c8af06dca1b0245da08a32f64107d2fc430c8ec54bcdfba4416445

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
b0296bf17161eebf30654f02862bf35d

SHA1
8454d291a365bab19bc76745ba80f1e731aa818f

SHA256
acfda07f717f85c2dd54d3691617b8dadc59bb2f79d76e410548cf6ea18e90a9

SHA512
2a11066cc9b9b813127114a98734eb8750732e027b680b5256b92026b5aedda952c2b98aa41afd07e551c54cc4b5110301128ef44f448dbd1a669d8537c48b76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
24cb388a28f6a53219efee8dfdec4674

SHA1
516ad91861e5d3793bfd0c5fe813c0ee16df832d

SHA256
cc16881df4c7dda6a0cae86826de5b3c0bdcc3a05d75697639f186d35e091d4e

SHA512
1c994c6b22d0df4024e2323204f298b4f1518e7f215d86e2d38947f49c65357d7ff27fd44bcdf04402e1d3f713fb32ed62e8d4409403f24871851066067685c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
a4bc9c95a95bd07368626cf022f03b07

SHA1
4bd6f23f47b0659997c9e6bb70a29a1f50f5a7f8

SHA256
16d031d8abc88c78d2c34d143287dbb8165e9fd72dc789a1a80afb885c3bc8dc

SHA512
8fefba5b12c1988228cef021ab6e2400bf24f236c38228125b9dc1c7baff49719b5d0b3739ff49a33869f8156e0b456b78d5483eca789201be90b22ffae00fb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
740b9198bf67e887fe28da21921733b4

SHA1
469bfb33d0da709e4926adf1aabe4c721bc62284

SHA256
12b35e80598ff8d76b6559ad7b3666d3c28d1ed4c6e95dd0968880918b23d65e

SHA512
d30ecfdf74177668bd165df49856b098ae65c430be13ab949efe44f16e31c2a401c019fe4df9f0dfe667f6ce98b2c0dcec5413c23c6dac2b1e51d63ff31a0d5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
5f561d5e32559e5da3c5b87e0e20b3a4

SHA1
6f954f47c1b09169c4253846368059ffc594544c

SHA256
9a9c955cf8e211a35449ad258cca81a016042b8665d9df660c4748388adaaf5d

SHA512
f951ae3b0f82deb3d69b03bf76808b51dfce476640c5edece998dae000c4d4a68e1e1ba28d15484af27a5dd6047bcf6aae285be23abc585d00ca928ac3038469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
16949102e50d6c74b483686a73193577

SHA1
0cd80a508f9f79ebb6d80f966c7f1ad3d6f5be1e

SHA256
e736773fa202087cb2cc32b5681ad6b6a4e41b6544536c547bdd0b64fbd568b6

SHA512
583782663ea8f16a85fdc37558b780879cf71494d011514bbb4854e298609eefe345bccd4550d239d9a10a08b3e9c07e10ae709ab6cb31307217ef0941163eae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
8f92deab1da1c8902e49a6a0795db96b

SHA1
241d602a5cc4c7b4765ed4255dd7db25c8f456ab

SHA256
1b31c2dbb4eb19cdf16c2bea9f183d755773416f2dd97853c735e4909b1caa16

SHA512
b6f2ac372d9e358194600ffa7a1dfe23b743f7473ad142e17b7c4e0b053f59e34274310f3119a7dc454f3156d9005634fc4ae9b69c716a3eaa896a474ec8991c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
8fd39be8045f206492099103ec479230

SHA1
097ff54527f31d56f6fac79fc7c3a23c0c88bff0

SHA256
152cc6d85b0e441afa6e5fcbb0e2a81f5fefb4880321e5450e5c29574831bb4f

SHA512
53e8c17fd018fdccf1483c3d319f8d25dfdc9cd1bc2847508b3ca5c2d837d2bcadebbd7f4281aa5a5e514cfc94c20ff49af48bdba448a34c9db48767c3b0afd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
bf1022c05dde14a09e8f6b6095dc4813

SHA1
9e6e2b4762b5e4d33047feb933c78f77b6b6a116

SHA256
f391ac7784c5e8e551d2e6a2e56b1a446b3e97600609f66cc6b993a55ee1ea88

SHA512
e2f1265e6bd931c0d6bdf8863063a2969b1855c7065190df8528de7348e3c40058761c331359223746ccee4028d0ec6353dd246df7c6ec12051845337962974f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c508bf56e0b19e42c975ae01eaba81d4

SHA1
7c9fd0a22a780b959f94cdd7c3e2d56284e27066

SHA256
654efa4b1bf1274e76fb836c1880db52f75ebb118faf17896807741118107444

SHA512
5ca98c053968ec45e3169ec730b1cb7acd8860a052e863e17dbcb3d2591ff2796d9d50112d84379b5d0b9b3cc4048d5c4f4e65925916fce14ebbf6df54a02c68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d80ded78da12ffd69116299749ba7c3c

SHA1
e39085b6729f138f8e029c253320e36950dbde91

SHA256
acf1dc80dd47c51bd88e68c9091bde9e5e836ab35664b783225efc297f039ef8

SHA512
5620decf9b8608a2d51fbf827cd86e5cd5f8ffe38cd08e5110a44bea4f23c79d9fa99c73d98b98108916baae3e27894c692e98d6a420070dd1a29d0f7ff14da5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
2ccb2ec20d941e06dfebdb58f0e7c496

SHA1
a976fac28f0f314c874812f9480c3aaba3d5f7b0

SHA256
7aea111dc5ec5c1bc734cfa785f35f43ad9374941d1f05abfa646f6f18d91d1d

SHA512
210d2413ff8ba57f3de6ba00c276e38bc8dd55b3e457692753799742dc67201a5f2cff866db93b7d0677f0102dcba8e11ebd341ec1e7970f667803073f47212a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c31ed559c2bb7dd989b54dc78c85bb00

SHA1
45eed22b4c8ab8e7ae85a618faf0cafdb4de2ead

SHA256
db374c850f5531c80ae323d5830280ebce8cfc8d07d07381ecf0a93d97f2ccbd

SHA512
86278640b2a502b3b272236bad57cc40d99b1671489c53229c7216a41e7c1596e606b9f7a4aef516b76cba4ccd722de5b932996c44dd0f342fb927bc9301844e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b08e8f7932e9098e0e7712cb4650b867

SHA1
5a10db033e16bc9d20c28872b55cbea38856c5c9

SHA256
aee2b33d606b9418ea69cafb719c90ed74655447b37721f0d9210ff790721e18

SHA512
3e9155d75cb80fd804465394cccea2faaeacc327c12e827819b4e150ee279748c159174953c7a4601fe4991c6139fe5da6123155a26aaa22add5b569440e1cc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
64ad1a03102af1d519e05bc9353538d2

SHA1
1af2e65a0c35ceb1235d17fc1beffa98f5244045

SHA256
c7993a5b58e31461981d9640ed32aad1aad07dcd8f12bc7fc8c4479eddffb55d

SHA512
201fb7fc01d584025139dc5af4ed698d53c9e4d6474126b31551321b7896b3f86e1661f3fa29d606445ec60382b236ca66cb6e5fd7bd981491c0d84db871c5d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
777fd4551b7a75de16ccf062af18ff91

SHA1
4be80ad8617b39c4548c357047fdf53a31c5b972

SHA256
27f3b3e61a6f971ca2573c92b567a38db482fed88ee12359ee522eab2d0a1538

SHA512
fb4d7484407d32ce87afc47cc01bb8e5a4e822a76dd19a59903f4ab1b98d96c0f7ac4d10bcb2b9807d0e5b880af1dd1dbd94955738d91f44b598dd908941299f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
bd99d147f5e21b680abe2e4dfd462b66

SHA1
a9be6cd651c25e3555b8bfbde4ab2fe87cc6f298

SHA256
a136112471f8a2f92147888f2d0900b8fadf8c908b1915a1ccddfec60dd4ac34

SHA512
e056348de1cfbadcc9cb4c93df9fffa774bfdb69311cfe6ce9b24844eb5fbdf1043f16ffa9af74696f985156e97cfeb26c8908bc82251eee3d7d71b4ae4cb188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
12KB

MD5
bc36a8676236763821bcae94392d2000

SHA1
5bd4acc7869861321fbf70e8f48897fc2ae0102a

SHA256
e0da915573bdd7d4e38ab092ff5b75741829252fafb1d72712803996914cc494

SHA512
c0d49ca6750219ea40fab19ddbf813749e547099386fc6e73e043da7fa1978c45c8e2a84623c4c90bf7811b5bed6f9a299c1827abeaa2814cf77c1ccab3a76d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
272KB

MD5
4edf00759ca192639a03c89c7a39b4c7

SHA1
53eca1572bf8eb2489c283f5a9b95c79b43f4728

SHA256
27cf5bcf55c174bed12fb5155e139f454174acc08298ac7064769d355cd53487

SHA512
f43a8016f892ecd95222ad92ac81237dfa7b84e4533e88902d190ff67f1258ea0b19d25a54ba4e47d13a2ce4e4168d5b3e697e369410d02bac584875e3938975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
272KB

MD5
16d6287b810ee5135cdc9ae6eba59896

SHA1
ff33f69ab96f8d63f182e859df1e82f897d5b353

SHA256
8d0660d42914d85f83b6a30668cbf7504053bbbdee5bf6784a9ccbd14ea78ac7

SHA512
de1dcaaf77c6fd0a2ca5442f77bc7d649bd2e5590f1d0dc7a2c7bfdf4584164724fd04e295a06a6e09c5be9eb2b45e1e413b56da5a609e8ef98bedf2df687845

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
272KB

MD5
e2a8a010b1ca7a572398ed9c73a68781

SHA1
ccac103bc31f383b5324c4a5c57ebc3723622b01

SHA256
ac8fa68ba7c63ccc71d12977de4e2e7a00de71474fbc3f65340a329b14b63f91

SHA512
5a98ec706a5077a81e83c250d5a3d548702476946ebf3743e6e5a0eb488aff839ca34b8d2218214503be86bff9a9bc88a2f92d2e70310d5790b1092d05011971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
272KB

MD5
d766ba5d5a15d0c84822d7e707aa0070

SHA1
4ceb1a08457b4af316cbb258ad4b8cb74e437b6b

SHA256
e256afa5d68e14180c1e0b18c51de00b94960640fcff02dbd1a7230995ae3006

SHA512
6d2597fb8bc4f8c8f5796d38d508c8bd8bc03daa0f68083ae42c62e681e7dd0013380e192e0b0cecc3faa16a6b3c4438df547641f02c84ff983a31c36ab6d666

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
100KB

MD5
9eb0351775863f0f9e3701c9211885da

SHA1
b44c48d20d13ac6f7d2eea3b7643cdcb299bc123

SHA256
99b7457ffa2c10b9bed511aba1b820bdcebc0733bf990a7a58d5801822362c63

SHA512
598bcf02c72801ebb34cc8bc3dc92ff23dea51e7d3291ea008927bff298840a9a4936a573b1c1b4a007f2b5e65c7c7c787b151cc05f510f9656ad2b0535ecd59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
108KB

MD5
ff1907700aebb04b69339082977a194c

SHA1
58dcfef99ea0a5071ad5a3748826875d2da882c9

SHA256
f3248a65f5eed9bf861d6ccf4e81aac66578ae55af0176fde19c27bf7942a158

SHA512
4999cc741724258cc1a3b690cad4f72178284fb158de1b11811b55b3b03e1de11f2904781645cd533868687c001194224ca665f87a0919008a675b3a3ac4b62d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
93KB

MD5
05f684c7c4004c8ebe69b95171ecb439

SHA1
41e9a24df5cfacff5e76e373955f6034c5a77e68

SHA256
ae966d3ba909dc45e71e1812d02dbb1915c2abee94b26697ba09653db061e83c

SHA512
75865d97b84f5c73ae78f4fa10d62c8033ee59dbdd9113dfb6ebfcfd9045bec14dd9980ae294cfb33ccc8b2b95b8e4ab674e155672c22b7eabca32532012a68a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a7560.TMP
Filesize
92KB

MD5
36a220bb75ce0f634e524c3bffeb3ea2

SHA1
46ced5cbfc4b02afab9af0e088b974e1e4764529

SHA256
c47a7e77a79f6173bdee55c8742e41b27e4abd9916fc9954539c0aaeb7fc96ba

SHA512
5f21cf6755434e4d98f4d4072b4e1d0968d0cb0b8ba54085195d5cdee82792afde4141b8f4e73aa22750f7d8798e41a99663a45f769ca704552d0fb82475b950

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
38d4829f19f993a9431c63322133b435

SHA1
30f058d9a1dd291ae13aa06e847610c3847e8aa2

SHA256
c3a6ee35a9ab78b56dce23ffbaae1afb2fc198b7054ab1fd6588196be5a41c62

SHA512
3e3e47032dda559259788413f97dec5e97abadbba14d8c309ab0e46ad0d5f365016dc1ef77d8c73dd99862be85c32d0f8d2eaf72d00f899c836b06e0337d6cfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8S7W85J5\edgecompatviewlist[1].xml
Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri
Filesize
171KB

MD5
30ec43ce86e297c1ee42df6209f5b18f

SHA1
fe0a5ea6566502081cb23b2f0e91a3ab166aeed6

SHA256
8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4

SHA512
19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri
Filesize
2KB

MD5
b8da5aac926bbaec818b15f56bb5d7f6

SHA1
2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

SHA256
5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

SHA512
c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\1426
Filesize
6KB

MD5
c893975bf8cea9a12f0af310edea4b46

SHA1
9ce48acc9177f41adfeff89d19de476635dd3f9e

SHA256
a9079ade29f895fb366ccd4b3b1da916ff19f0d9d7f9a0c4f53cf7bfa158aba7

SHA512
161340acbe0c9603a51f52eb034a76e043c30a5a3749db2ff2c909187e59ac74ad1e9ff972f90a257e8ac72e9be63ea4d1a490352d15737acd852d3d25e11880

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\19627
Filesize
9KB

MD5
b42d159eb7bad24b9a32cd474cb2b3f1

SHA1
e6c231f95bf84154e021104e2495123f37bca996

SHA256
a18eccb30ba2d6d456431842eb3ebab2788069cf83af22427ff3a7b56f5b0aa5

SHA512
f95c3b393d284dc8f3127de542d1ec2b7fb4f60e52f18d1016f9d5086f1a61eabebd4166d04a2f28e98fae880beecc3125dba3b72d58a7ff567231376c75a409

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\21018
Filesize
7KB

MD5
96d6b4cdd00eb79a85bd177533c576cc

SHA1
1b92995734f0671b7a7480eaa8b45b2fd268191e

SHA256
a072a16d6d37efa2d867d00267c2ecdfa4ea7a325163664365208558942a3238

SHA512
fe40b0b50641ed534247ca859d5b1516c1968549d6fbfa051de33e6824eda4fc158d2916b1a07d99dc2465e234f9a7cfcf531c8e41bda884e6b47c17013633e6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\32409
Filesize
25KB

MD5
6551d6fb3bb43335d05b2afc0b0c3648

SHA1
8f692dba38d71b849e6817020eea61aad256e178

SHA256
1f10e0fa9bd5c1de569976df1ebe90e5e5e6770632bdaa61e164e2cde795a0b7

SHA512
134a3448ce61b6fa29c75086897fb412b5007807f9fbe49a533a92cd0c1f18dba9dee9e9c222220cc8757ac667425705770930b28bf48dddd40a431649394013

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\3791
Filesize
9KB

MD5
9c0f26cac1fb027c1e56db56923dd17f

SHA1
0257832e060697314d67a600353ca954a1d56cc6

SHA256
95547a8a9d07a199adbc92a00190f5199156534790483b6551a178b54b8420f7

SHA512
845b26a9804baa42bcf76c867edde0c24763087bafe580aad6eac6192fcad2d07674ec568c8b34889fa42f2ac12f78ed4f269bd1e7cd53906e4b69f8bdc5a91a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\7336
Filesize
21KB

MD5
20085b75234f73078c44c1e09867d9e9

SHA1
e791a9e69cd17645e7e8e2a81833c27558ec60ee

SHA256
45714200036b8f32f29368e5512a80c66985711f5d1fce2dffde4263f1013741

SHA512
cbc6fb9d1a5e5aac2125125d385d6163f8cd1fee21efe14df87b98e02ada32e74bdf09fe8ed0155bf7dead1e97962ea405bda605c7934b610a41f3ba55a42c89

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\7730
Filesize
14KB

MD5
cfb408325b9916537b55de789ffca1e3

SHA1
75ffca2c6d83c57a39c453484bb7957291826e96

SHA256
ddb3d7d0f1ae781461831d29819ffe1de04a8f10fb993413c45cfd27eb79f0be

SHA512
f0f1497581f76dc4ab0c914637bccc771aa409db089a23c856d5252871b0f0a0e3b4f1c562136bbc4a196e67d48f8c9030dea19ed6281464bacbd311330b00ac

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\128513445433891E69077542CB903482ADCAB54A
Filesize
13KB

MD5
eff563aac75c9e67cab24529a8a3a2b5

SHA1
881ad89436d3136dc6e73dea506fc5a896981750

SHA256
6b6ba7bd1027cb57ff2cf1971fc8c758e61f4354e028e27e097a623362216323

SHA512
b978598379526f666f4456ae6431f8e455226b5f279a6f497284734d5845f653b13eb72327907f6f3534cd22e505aa044142533d04f4b57d862073b0e881cbde

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\2ED5EE80267654F588A4C23FF3C5FBFD9DB2BDA3
Filesize
253KB

MD5
f5495c96d632ebb3d6a2a9bea905bec4

SHA1
cbf57fbc7edd7d4bdb9270d10a527b5c4d40a39f

SHA256
24ad205b495eca773bfbc0bfb74b8cc327bca24afc68471922544bbbe7d86538

SHA512
2d92fa7a71ab81b38f2f97b96e2947e209d138802a211ef028148ef5a4b85f9bd895b483938e734934b0dacda185f664db14cb6c66b5c77b040ec7757f9eee40

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\3BD8DF8BFE956A0E5D9B468584F7FACB895BC6D4
Filesize
33KB

MD5
9ba6880bc398c1191e78b37f8b600171

SHA1
c3dc74f3e4bb1ac2812686af515564399a7d7df9

SHA256
ae56a0e286fd8e888337315ff2f5c0795a6ce29f97641d0dd4fa66888807448d

SHA512
0fc8e56fe5cd6316bdca3c355f6352527ed5a3f933fcdede03b4cdaec4903891d4a6d234063f57a4dea79798eec96364ac08aadf24229fdb4902eb2731fef2d7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\46C625DB4964C00323A8EF4C60828B52A454EBB4
Filesize
1.1MB

MD5
3aa2396b32f5b6cee135dde5278c3c9c

SHA1
3a44b14fc1998e06d47a09b2de0087b42a69a299

SHA256
cda85fb6052a0e1332475a39bc99c9c1fac8a754f29bb7a4fd5fc6fd2cd595a5

SHA512
9ffa2d6ba88e741ff36c94e3d7a97a284d68000ad1dfa90aa5da871a60b27c60344f2d34ceed4148ad5ed87ae1445f69d0f95732a49f27dcb7af91878f59a03b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\5AE6D89F9E02E65CE57A707F37A56F985F9BE4BA
Filesize
68KB

MD5
2f4563dc0f7a937d0ace68eab92fe5d3

SHA1
a014bd8d5c60776d44d0a89c24b41ccb904a8a0c

SHA256
e119b254287607ffc301fefbb94a01eb0dba845c67aadf739f0c6ed08665ba11

SHA512
faebfb99fdad8350b44e653c6fa5052f661acc286deea47d02d42e4ea2241092969a93ba0669fd72780e6da60773ef73fd466221d50621b9c3a045de6c4dc032

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\80BB96996C8133B0FE5E0D6E5EA21B26135E8EA2
Filesize
111KB

MD5
eb626ac669b5ed4228f906f1255d9765

SHA1
3453593d6cd3db60b5f76b5abb9828d90ffa82b8

SHA256
084473d84e61565311281d76deb54c7e80d7ea75e59df230c68be13867aabac1

SHA512
b175b27fd6b14413a846687f12ca4cf93897ea5abef814c81905ca1206fa0e748f4be7807b5aee3aada99723f5e27b71eb933a84e71a91d0a4d5e3b905fab4c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\8A5654D907AAF807732AAB43C4B9E770EA81B93C
Filesize
57KB

MD5
6bbbec6e619cee452c3e5c2fa1ce5032

SHA1
acd71dd626462cb3c600d60ae30bf2dba53bc745

SHA256
a910c95f337323daca887b103200f9b34ab54fc35c681548461661ff3b16d683

SHA512
cb4f50977deaf270268500b3825fa0a79a04948bf9f15400ab708e0eaaf33ea38c6cb52f51a0b4a98b5df84b4b2864222e6970e54de41b6976feeaee9c48f8c7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\958C5460C13AEFA1D0C9ED8F4AE5C4FE9A4E191C
Filesize
192KB

MD5
5e1a3fae68ae3334617b76db0f9b07b9

SHA1
1d0aa6071f5403906bf5d62c79ac87c7a92ead5b

SHA256
0d9509712251dc250db4bc1ccd2b26c430e11279d2ce175038dbd6df2bb2995b

SHA512
6187d1e0715a88a275b2ab4e1ef01d1a3b1f06dc51c711005c8adc274a7712cf5b9d7bffc2d601256858c2bdc3d43e414611f521394e36ade1c5deb917e9cdd0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\971254C7341460E85C93D0821B91E9985A0B32D6
Filesize
2.0MB

MD5
758bbde7a4aada090e635d74bb8ee1a7

SHA1
2f8dc926649c63fd3bc4e7013aba10878915469f

SHA256
2977fe28d14e3b91ab83cb1dbd1cadb2473efc42303d08bedbebee6647ceb51f

SHA512
870eef3087e46cbb701d453eb365478df47b95029cf7effe8d7ca33e0e5f83b5fad8a2c32e745b3e2875dd4359ad7a1ba5a0fbf5bb2da22373ba76033f5e190a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\BF7F91E87FB83785193FB64216D3073B92E7CA34
Filesize
1.0MB

MD5
5a92775aa656661687677b6e3b007048

SHA1
7a4a82fe466926d0f72fddf04dd91eb35390850c

SHA256
cbfc0211e30bcf2eeba59aff67274316aaa853f4783f13240db714372cb61949

SHA512
a60995cb09bca23c3e7dd359e62d090a3cfc95a36c199d768fa84ef37f8cce13fe01e07e13f48b2cc4e383262f44a5620ed25980432e268f31ae06cfb732153a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\C9E895265CB2DEA2BFFCD7BBED901DC7236ED57E
Filesize
97KB

MD5
a2640d11ed70d2f00e1bba4f308efb3a

SHA1
dd8197f94d3fc39c78f28fc77ec0de0e3579f91c

SHA256
f7ad1a05bd652ae8d245220b12a8aeca999baf83ce4784c9b72598bbf5120b3c

SHA512
cfadc5da8f0ca2279abe497ba3cda06763374df77ced6b4682d7aaade958106d3101152b2689bd2c783d04ddb4e80d566438de9f2b79e2b2ef93b118b6d4664f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\DBA65C6EE618B6EF56625796C95AE49A84F4610C
Filesize
250KB

MD5
e3b6496c6ef065c4fd3645fc44e1ea2d

SHA1
0f5423dae6d2f490d5158c38ee457115643c214a

SHA256
324b9803da42bcf3b371fbf9781de45d991ca7250a8caaa5118103598b0ca17d

SHA512
7b5d15712c57332b161ba3c8d1bbc7e8ddc57a0feb4c0bffec2610140cf8741f6e15921a2a9368c8eba7694a00b5fd6f54dfe64d7627823ea202ceeb7e5f11a8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\jumpListCache\SdYR2DeZAxtj7HkUHl1FCQ==.ico
Filesize
791B

MD5
9716678c94fcf52cb33fa3200d9c2b8e

SHA1
cc13dc5583bde9852964baebd5669b59b2f1830a

SHA256
96070912f427497a91856fd79df7e03bd80bb3b4e622af82d9f382b4550d0d36

SHA512
89f0dd65868d001ee5682a42478795f2b13f9ea982abacb7415886d929fe4b2ce3f0e9bf5e0b5ee7d51b7a21dc982fd40e3554ebc7735a0a914636568ec8bbfb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\KF7LLIVQ\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\RGAYC15K\favicon-trans-bg-blue-mg-png[1].png
Filesize
531B

MD5
c7a1030c2b55d7d8a514b120dd855cc0

SHA1
d07abbcf44b932732e4c0b0bf31e4283ae0f4b5b

SHA256
7c5bb9ca2fa67fe7851d145305e17a8370c4aec9d09f54e0920d32f6148f12fa

SHA512
1b51972a1ae1be2e85b9b125d7e2443c1b47abbbba9492d4ad52bdf0f9cf82513eca3ce436f9beedb7463a6f7b39ddd87245daf790226255a2b0d478dc380b81

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFB5D480D8F769FC57.TMP
Filesize
20KB

MD5
bbfa6df0ff1de8b6e2ed970c173a9f23

SHA1
c5b9cbc45df3abb9915f91110775735eb40a6095

SHA256
f79786e8c79529cd439d91eaf0906d35026bbe1e59aa87a1ce2c4aa28ca67cce

SHA512
deed55614bf5ad6c049e6e9ed874452331a1c20d6d107506b5d04d43b9a5b138537c68e5a21b75056b180d402d5e6ef2c9477c3cac63e276e9efaba9c8d64f0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
98a65296b4e48464f66ed9cec554bdc6

SHA1
91e3b69e86625195441be5919e429628e037e0f7

SHA256
0a2a21248cf6ba5c7b5321177761309817cafefdcd84fb1ea6e3e466247e2d58

SHA512
f334307cd5b17a8f86344051943e1b9db6e27c2c4e24b91add3b7dac67ef6426ec98eb4cdfd84d0ee41e9611be292df76ea82f1897e95864a89755b527f91219

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\bf0a78ed-98db-47e0-9f48-fc9bee7c0c36
Filesize
11KB

MD5
905a2540dca7b7d896483eb5a07c9734

SHA1
0af11ab8af628769639ca9528ec76b5802c9cc34

SHA256
40fbfc03b52fdf5c3359bcb75518637ad5e6a622c600c35e97d5fa9304447f70

SHA512
4eba223163a05cd61467caf51e78a3dd19a2f60e5ac3efc5c5d3bb972732890bd20510fdd896d5a4e97b36e8cd5adab94dd3f849f1c12d3ffafc8c8559363d65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\c2bf7eee-eb9d-4fe1-bd25-bbba611dc23c
Filesize
746B

MD5
ca77af09d4609d0f1f3303b7de70c9b8

SHA1
b95d33e53e8c90bb5f0300d0c7f1d89fc13ff7cc

SHA256
d3f463d3c7f226c32126cf29981ce74e7c827ad1bb68219d43660bcc4f8a7cc5

SHA512
31a913e92b4f9a57ee895bedae5cd9f8c8c169fb965a5fbc74f06538a20ff4540d8c405f4fe8060a26fd4fdbbf83e3a47a36588187977f3ee972fb81484e4c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\key4.db
Filesize
288KB

MD5
82168d249f199fb82627af6247b17344

SHA1
00e11b1f46c02a796c9ed3d7e678a4781d830c50

SHA256
e61b2b2df03863e8f07bfce014230dd343ba6a9a66f900f9570380f66fd7b551

SHA512
bcb4fb794517e21ff3033fee43e92f39579122863f7b41e1fd29cc5b0e6f3741cdcc1d0012a2471fb33fbbf37a5e1099cba6e76c0c202ae119d4efe9de55bc74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
Filesize
6KB

MD5
dcf8d0f70613f4214907ea1305d214d0

SHA1
65a3010563b5613ffbdc13a45d1a18ff158170c9

SHA256
94f2f15fcd17fb9573e3d33bb491fa92a3d9c55023ff9022ebdfed9002ea96b3

SHA512
71ce4d83eaddbce4c8b95bea01fd289256649971ed965f8749be13b4d9ab7402e40b2d838c067db4a4bb04d4fbd83457a721319ebfd614f6d1ceec4a08b27967

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
Filesize
6KB

MD5
c676a1de4179df50ffec9dae9d939516

SHA1
62245a1d08b0b5c8c9e86a3afc344162c25ffcf8

SHA256
427f9a16cb471bee494f54dbae94a3d3fceac981db6f4046af3e9e8ed0c05ad8

SHA512
d64d3429b3063ceb6859515c5cf4caf8806d03e8eb806afb636273d6caddf7d8938c7e33c57d94385bcdc87fcfc13a4c82b5942355084d1b3fd0c116267e3266

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.js
Filesize
6KB

MD5
46438f67e44792ac08e2691599bab7da

SHA1
827415038f314bbdfc7e3eb6d8b7e1d661013742

SHA256
e9ffb31d88d96011cccd7592cadcfc7e12f91d5439ec24948bad4d8c66be0dd9

SHA512
e01cf6c84274da420bd922a567e3ab78c8cf222ffec7ddea3c47098f3b0a3a20fb1e64139fa9435711b0b33562b6249c66568b44e3b72cb8126b0cda1387fbca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
12KB

MD5
90d0774eda90f85716b9e59b4c9791be

SHA1
88665311e35fe2fb6a5ee389c855f7c164251762

SHA256
1946947e046124e6f28cd395d0c438cb7383c5dc8777f8526ef7bfdd629f022a

SHA512
7577755d2d4d92971272fd324cd5fff2e3d076d7df9bf794ccadfc6d397e9c15d9b30eae7885f81f5e90dbfa128e9c2d992ed95b3cad9007065544ad6a2655a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
12KB

MD5
160891e27a429dd2f99e87d546009121

SHA1
f9f4d5ad067f6d81a777233ebcc6dc2d00fad6d6

SHA256
054a13c7ca8f1fc95fa69dc6b68a2c6802ba78b99260a2c3895e41d801e224fc

SHA512
6243fcbc9faae5d4b82bc94df1b5554a53ab267f52777e05704d80aeedf86574191fc95cb02492c2bb48a32b1193f9a6cbbe37af7c2a8e50f40ae7fe224869ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
11KB

MD5
620477088a64575e48aef41f62da15cb

SHA1
7b717ed527e5c945bed3d9e81c2693409b066eeb

SHA256
10a926ecebd0fb72c38739ea287dcebcf0a43f131eb423c0e05be55edcfbe2dc

SHA512
99eb019ffa2ca095b5efa971330222638e4e1fb5de391e2aaf2a671bd26441c2d472dd0716fb49e2f6b635ef8ca192c269b7ccd22f9ec2845cc3ba251fc03ca4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
12KB

MD5
d1321d95dfa31141c87d2d8636f55680

SHA1
3c474058b1f60adb78f603b4effda2a933fef0d6

SHA256
929dcbd8f9c4585b4127098d7772fffef9c7eaf3c989c544d9ad3f7ce1b4577b

SHA512
45e8ece26a33a83bc2a9ab2bd5a1fe9aa0888bfa79f713b725360b4d78f0592ffd6a23c1228d758e123d199e8e380a330e1150600e9333caeaf0d2d5e0b4322e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
12KB

MD5
0a411f3cc1a494c26699076c9798290d

SHA1
4825a34d36011c92bdb65c6783e781608c0d669e

SHA256
43d4ce94013b91a46b10f24cf87914b5dfda75cd5409afb539e766c77a38c23c

SHA512
6b220a9fcdfc49a3bde25f9c51cb4b0bd9306e0b8069a352b7e21cac48c6ce41ced74297ec8f4acb147e8e3ee62904ca94f973dc0bca36a897bbbfb3c28c5315

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
13KB

MD5
2475f67686c2a4e71bea6f6e4199d37b

SHA1
c0ec242c1caeeba40cded79c4c6bd2ad7be17de6

SHA256
8a4633d1e8f854b1740c91ed2f3ad8fd72d6389f330fb93b93cb44d0224adf34

SHA512
b32224a7d5e9ec977841cfa90d587f6beecaefd7cb5b25d843d1a00d5e7dd820a8732f0fd325945df0545316b63c986e3e9206d9c63ed749e0fb303ae4aae0f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
12KB

MD5
d450eea670cc0a5a49fffdb929168f58

SHA1
d1df4cbad3edc4177eef3a27516cc9103a78aa81

SHA256
8502ce00103d3d8c945fdb47a0ff3f3f6824caaa69d47b65890d05de37eeba34

SHA512
0f00a7eb6eaa644ffbd0ad66e4b4547328c4abee89a2554d4f1960ce293d8b12a72e0253a0f4362ceedd3e5e4ddd7300186d0faa8c064eda363593636d0aa3e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
18KB

MD5
8444f5ac88b30b7b4a8c267490bba331

SHA1
abf89112f290604727802d1f8f7fab6fbeaa4c01

SHA256
05e3419a5bd4e2856acdb044c89e30a3cf9736ac3287578578d357031afa4544

SHA512
02fe066802d85ec786e85c0a21f662c1d6e00ce5068aa43787d1c130f0e50ae21dbd8a0f526665e3482411680a8f5d2fee5e478d031f5916aa05a9c5e96f56e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
12KB

MD5
fbf7645b579ab864438dd1188e732fef

SHA1
87d604049b93233e93c6b62ca8654388e48017cc

SHA256
8b80e74d40b050192390ef021b868a464bc03e7c90fe6f1c1d1d5a300138a380

SHA512
41738b363bd1b46667686d66c748911a8d0230d820f1f029d11e1ddcb673941225c01fcfcad1a55b91897321523e85cac7c6abb35443c9236ac9f1f4e52f19c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
15KB

MD5
6819dc86fa3e448f385c4da9a1f989b1

SHA1
5ba3f6b7a727a640d9b2b40d11ebbdfdeaa83733

SHA256
1a2f1f808db6728ba913b7f62f25be303c8de4b298f7828faa27bb038e78e1ad

SHA512
633346434a8bf9e8bca75b7145e2a0e06981e81bf36dfe5de368a821e5853b0aa0b7e823f484efafa26636616d84526298344af95630e85d85fcf1384f104eed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
19KB

MD5
de1be6cba8c7161de96d45e4b3dedea8

SHA1
6d0e7247654fa9504ffcec0a9aca46331f138b7c

SHA256
e0a86aa37f5d6d8dcce5d5d72c27144dece121c06743b24f235f15a30538bdf5

SHA512
ef6bce76902a057f7ca26e0c62f616b44a19d318df61bd8326fbeeee66c54fde67df895f16b6567ebef85b15fc8f6c417858a0cca356fdc7115efc9aee4dcfd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
400KB

MD5
cac97a32180a9ab115733c93c062d226

SHA1
8fe2a57c799b4e87e63f66ef366f73f8931ef2d5

SHA256
034f7094741c99cf8ddd04556090d91e29257bfb66455b58f287d7e8974f1fff

SHA512
2f22ab114a82e1c83cf041aca3e2a4562660db4134cb4484bf053086cd96e087ada22f083cd603a7db76b84adc5af1004500fe69d917eeadd07d99b9842c600d

Download Submit
C:\Users\Admin\Desktop\ExpLauncher.7z
Filesize
30.2MB

MD5
7e0f3b85d33dc93354dafe8775021f03

SHA1
4aec1d0ce5eb9ac5638ac15a3957e9b0be9fc597

SHA256
ecb369b32c0292d026185c0dacc77324ea81ee9198672792c6fe4f0a66b96afb

SHA512
72dd8a2f6e491face0237e71c717c971b208d0b4b3f05cdfe590377b72e0c4404f129dcb66972c915cc02def4d476708f756aee1993e496c5a6f3e8f842b3393

Download Submit
C:\Users\Admin\Desktop\Launcher.exe
Filesize
835KB

MD5
4f756fb839f094047119246399ba351e

SHA1
da198672d25e302e805b8eb0fa053bf37da06bd1

SHA256
0c4f8719067f4bdfabf553ab402f48c49d5acccfee042646a055f201035641c2

SHA512
9cde4329687730f1ba7da109f6fc293e669800da0b0ba2852325858f8149d4ce8275fe412ee2beb45433000edc74707b56cfcd73a5bcc51d25744deac4ea32a6

Download Submit
C:\Users\Admin\Downloads\d3dcompiler_43.nj5P3lBs.zip.part
Filesize
15KB

MD5
83a69d4f24dfb8817e9a4812734fdc49

SHA1
41d567f6e96476484c2303741d066c4ef8aaa594

SHA256
d3f152c9d0a15a72aa1e9d056edbd0f007db47200929bdfc799b3cc18f3a6e3f

SHA512
b4611112fc9b78c8af834ed6c1b78fe344a294422ceba9d9878215d91b33f8cdc7d8bf06ee719a253104b0b1d705ff004238b61187e2b96c72ade46c61a7baa2

Download Submit
C:\Users\Admin\Downloads\expandera.exe
Filesize
10.5MB

MD5
67a69244d8fe9dff6c4d243d8eb6fef1

SHA1
f2dc0de22e80fa8def4e892523f39b0498f57932

SHA256
f12b606ba1c31a48c4949cf074a87f22fa7602e131cdd9f9c773dab614d6497d

SHA512
3c1b576afec54d345d3c540446c0c24076c099fd212122313ce7c2b8d13869f288e32a0636264dc9e9f1ba9db8279a363f29beda10d10017f1a4ae136df58333

Download Submit
C:\Users\Admin\Downloads\expandera.rtuoFwVK.exe.part
Filesize
30KB

MD5
4ca0c2a0bf70b3b0bb1bfb64522e6fa4

SHA1
f9a7829bf0de388942a8d0a2de51178309c07e5a

SHA256
fa789354af7a3edbd0fb78c10e613f4a46685caa3589b4f828f49db10e4b1469

SHA512
9005f4764773948feadccf1f7ac799c2ea236ed5ba2cb34b4bab7f232537cf967edaea7d705ce3b8713908e926e176e6e621392ea1554764de20eab83a944efe

Download Submit
\??\pipe\crashpad_4616_ALCDOYQDFJCIWRTD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1400-0-0x0000025C2F820000-0x0000025C2F830000-memory.dmp

Filesize
64KB

Download
memory/1400-16-0x0000025C2FFC0000-0x0000025C2FFD0000-memory.dmp

Filesize
64KB

Download
memory/1400-35-0x0000025C2CCF0000-0x0000025C2CCF2000-memory.dmp

Filesize
8KB

Download
memory/1400-474-0x0000025C36640000-0x0000025C36641000-memory.dmp

Filesize
4KB

Download
memory/1400-475-0x0000025C36650000-0x0000025C36651000-memory.dmp

Filesize
4KB

Download
memory/1400-726-0x0000025C2FA20000-0x0000025C2FA22000-memory.dmp

Filesize
8KB

Download
memory/1688-179-0x00000113F6010000-0x00000113F6012000-memory.dmp

Filesize
8KB

Download
memory/1688-398-0x00000113F6140000-0x00000113F6142000-memory.dmp

Filesize
8KB

Download
memory/1688-75-0x00000113F4040000-0x00000113F4042000-memory.dmp

Filesize
8KB

Download
memory/1688-77-0x00000113F4060000-0x00000113F4062000-memory.dmp

Filesize
8KB

Download
memory/1688-79-0x00000113F4070000-0x00000113F4072000-memory.dmp

Filesize
8KB

Download
memory/1688-81-0x00000113F4080000-0x00000113F4082000-memory.dmp

Filesize
8KB

Download
memory/1688-83-0x00000113F40A0000-0x00000113F40A2000-memory.dmp

Filesize
8KB

Download
memory/1688-85-0x00000113F40C0000-0x00000113F40C2000-memory.dmp

Filesize
8KB

Download
memory/1688-87-0x00000113F40E0000-0x00000113F40E2000-memory.dmp

Filesize
8KB

Download
memory/1688-620-0x00000113F85C0000-0x00000113F86C0000-memory.dmp

Filesize
1024KB

Download
memory/1688-588-0x00000113F2B50000-0x00000113F2B52000-memory.dmp

Filesize
8KB

Download
memory/1688-89-0x00000113F43A0000-0x00000113F43A2000-memory.dmp

Filesize
8KB

Download
memory/1688-478-0x00000113F6360000-0x00000113F6460000-memory.dmp

Filesize
1024KB

Download
memory/1688-91-0x00000113F43C0000-0x00000113F43C2000-memory.dmp

Filesize
8KB

Download
memory/1688-450-0x00000113F6B10000-0x00000113F6B30000-memory.dmp

Filesize
128KB

Download
memory/1688-439-0x00000113F3390000-0x00000113F3392000-memory.dmp

Filesize
8KB

Download
memory/1688-437-0x00000113F5E80000-0x00000113F5F80000-memory.dmp

Filesize
1024KB

Download
memory/1688-436-0x00000113F84C0000-0x00000113F85C0000-memory.dmp

Filesize
1024KB

Download
memory/1688-426-0x00000113F83C0000-0x00000113F84C0000-memory.dmp

Filesize
1024KB

Download
memory/1688-172-0x00000113F5FB0000-0x00000113F5FB2000-memory.dmp

Filesize
8KB

Download
memory/1688-357-0x00000113F6130000-0x00000113F6132000-memory.dmp

Filesize
8KB

Download
memory/1688-355-0x00000113F6120000-0x00000113F6122000-memory.dmp

Filesize
8KB

Download
memory/1688-353-0x00000113F3DF0000-0x00000113F3DF2000-memory.dmp

Filesize
8KB

Download
memory/1688-183-0x00000113F6030000-0x00000113F6032000-memory.dmp

Filesize
8KB

Download
memory/3596-1443-0x000000001CFB0000-0x000000001CFC0000-memory.dmp

Filesize
64KB

Download
memory/3596-1486-0x00007FFC24B60000-0x00007FFC2554C000-memory.dmp

Filesize
9.9MB

Download
memory/3596-1449-0x000000001CFB0000-0x000000001CFC0000-memory.dmp

Filesize
64KB

Download
memory/3596-1448-0x000000001CFB0000-0x000000001CFC0000-memory.dmp

Filesize
64KB

Download
memory/3596-1447-0x000000001CFB0000-0x000000001CFC0000-memory.dmp

Filesize
64KB

Download
memory/3596-1444-0x00007FF64F130000-0x00007FF64F140000-memory.dmp

Filesize
64KB

Download
memory/3596-1439-0x000000001E420000-0x000000001E904000-memory.dmp

Filesize
4.9MB

Download
memory/3596-1442-0x000000001CFB0000-0x000000001CFC0000-memory.dmp

Filesize
64KB

Download
memory/3596-1450-0x00007FFC24B60000-0x00007FFC2554C000-memory.dmp

Filesize
9.9MB

Download
memory/3596-1414-0x000000001CFB0000-0x000000001CFC0000-memory.dmp

Filesize
64KB

Download
memory/3596-1412-0x00007FFC24B60000-0x00007FFC2554C000-memory.dmp

Filesize
9.9MB

Download
memory/7136-3149-0x0000000000F50000-0x0000000001026000-memory.dmp

Filesize
856KB

Download
memory/7136-3316-0x0000000000F50000-0x0000000001026000-memory.dmp

Filesize
856KB

Download
memory/7156-3152-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download