2a45e44be359fba4c85591e7b13d1ec772ed181adc41254d8b00d31b2d15878e

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Memz.exe
Size

14KB
MD5

19dbec50735b5f2a72d4199c4e184960
SHA1

6fed7732f7cb6f59743795b2ab154a3676f4c822
SHA256

a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
SHA512

aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
SSDEEP

192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Memz.exeMemz.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	Memz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	Memz.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

Memz.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Memz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133585422306019602"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Memz.exeMemz.exeMemz.exeMemz.exeMemz.exe

pid	Process
3004	Memz.exe
3004	Memz.exe
1404	Memz.exe
1404	Memz.exe
1404	Memz.exe
1404	Memz.exe
3004	Memz.exe
3004	Memz.exe
3540	Memz.exe
3540	Memz.exe
3540	Memz.exe
3004	Memz.exe
3004	Memz.exe
3540	Memz.exe
1404	Memz.exe
1404	Memz.exe
4104	Memz.exe
4104	Memz.exe
3256	Memz.exe
3256	Memz.exe
3256	Memz.exe
3256	Memz.exe
1404	Memz.exe
1404	Memz.exe
3540	Memz.exe
3540	Memz.exe
3004	Memz.exe
3004	Memz.exe
3540	Memz.exe
3540	Memz.exe
1404	Memz.exe
1404	Memz.exe
3256	Memz.exe
3256	Memz.exe
4104	Memz.exe
4104	Memz.exe
4104	Memz.exe
3256	Memz.exe
4104	Memz.exe
3256	Memz.exe
1404	Memz.exe
1404	Memz.exe
3540	Memz.exe
3540	Memz.exe
3004	Memz.exe
3004	Memz.exe
3540	Memz.exe
3004	Memz.exe
3540	Memz.exe
3004	Memz.exe
1404	Memz.exe
4104	Memz.exe
1404	Memz.exe
4104	Memz.exe
3256	Memz.exe
3256	Memz.exe
4104	Memz.exe
4104	Memz.exe
1404	Memz.exe
1404	Memz.exe
3004	Memz.exe
3004	Memz.exe
3540	Memz.exe
3540	Memz.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

chrome.exemsedge.exe

pid	Process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
3688	chrome.exe
1108	msedge.exe
1108	msedge.exe
3688	chrome.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe
Token: SeShutdownPrivilege	3688	chrome.exe
Token: SeCreatePagefilePrivilege	3688	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

chrome.exemsedge.exe

pid	Process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exemsedge.exe

pid	Process
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
3688	chrome.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe
1108	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Memz.exe

pid	Process
3292	Memz.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Memz.exeMemz.exechrome.exe

description	pid	Process	procid_target
PID 5000 wrote to memory of 1404	5000	Memz.exe	99
PID 5000 wrote to memory of 1404	5000	Memz.exe	99
PID 5000 wrote to memory of 1404	5000	Memz.exe	99
PID 5000 wrote to memory of 3004	5000	Memz.exe	100
PID 5000 wrote to memory of 3004	5000	Memz.exe	100
PID 5000 wrote to memory of 3004	5000	Memz.exe	100
PID 5000 wrote to memory of 3540	5000	Memz.exe	101
PID 5000 wrote to memory of 3540	5000	Memz.exe	101
PID 5000 wrote to memory of 3540	5000	Memz.exe	101
PID 5000 wrote to memory of 3256	5000	Memz.exe	102
PID 5000 wrote to memory of 3256	5000	Memz.exe	102
PID 5000 wrote to memory of 3256	5000	Memz.exe	102
PID 5000 wrote to memory of 4104	5000	Memz.exe	103
PID 5000 wrote to memory of 4104	5000	Memz.exe	103
PID 5000 wrote to memory of 4104	5000	Memz.exe	103
PID 5000 wrote to memory of 3292	5000	Memz.exe	104
PID 5000 wrote to memory of 3292	5000	Memz.exe	104
PID 5000 wrote to memory of 3292	5000	Memz.exe	104
PID 3292 wrote to memory of 4860	3292	Memz.exe	106
PID 3292 wrote to memory of 4860	3292	Memz.exe	106
PID 3292 wrote to memory of 4860	3292	Memz.exe	106
PID 3688 wrote to memory of 3076	3688	chrome.exe	111
PID 3688 wrote to memory of 3076	3688	chrome.exe	111
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 3028	3688	chrome.exe	112
PID 3688 wrote to memory of 4388	3688	chrome.exe	113
PID 3688 wrote to memory of 4388	3688	chrome.exe	113
PID 3688 wrote to memory of 2512	3688	chrome.exe	114
PID 3688 wrote to memory of 2512	3688	chrome.exe	114
PID 3688 wrote to memory of 2512	3688	chrome.exe	114
PID 3688 wrote to memory of 2512	3688	chrome.exe	114
PID 3688 wrote to memory of 2512	3688	chrome.exe	114
PID 3688 wrote to memory of 2512	3688	chrome.exe	114
PID 3688 wrote to memory of 2512	3688	chrome.exe	114
PID 3688 wrote to memory of 2512	3688	chrome.exe	114

C:\Users\Admin\AppData\Local\Temp\Memz.exe
"C:\Users\Admin\AppData\Local\Temp\Memz.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1404
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3540
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3256
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4104
- C:\Users\Admin\AppData\Local\Temp\Memz.exe
  "C:\Users\Admin\AppData\Local\Temp\Memz.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:4860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+send+a+virus+to+my+friend
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf8,0x124,0x7ffccef446f8,0x7ffccef44708,0x7ffccef44718
      4⤵
      PID:4952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      4⤵
      PID:5232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      PID:5248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
      4⤵
      PID:5312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
      4⤵
      PID:5456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
      4⤵
      PID:5480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
      4⤵
      PID:5912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
      4⤵
      PID:1968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
      4⤵
      PID:1672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
      4⤵
      PID:2064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
      4⤵
      PID:5672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
      4⤵
      PID:1500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
      4⤵
      PID:5828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
      4⤵
      PID:6000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
      4⤵
      PID:5956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
      4⤵
      PID:5760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
      4⤵
      PID:5828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
      4⤵
      PID:5940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
      4⤵
      PID:1828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1796 /prefetch:1
      4⤵
      PID:2268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4206874446889436038,4639540318176625465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
      4⤵
      PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=john+cena+midi+legit+not+converted
    3⤵
    PID:3968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffccef446f8,0x7ffccef44708,0x7ffccef44718
      4⤵
      PID:1548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=mcafee+vs+norton
    3⤵
    PID:5164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffccef446f8,0x7ffccef44708,0x7ffccef44718
      4⤵
      PID:5908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=is+illuminati+real
    3⤵
    PID:4936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffccef446f8,0x7ffccef44708,0x7ffccef44718
      4⤵
      PID:3940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=john+cena+midi+legit+not+converted
    3⤵
    PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffccef446f8,0x7ffccef44708,0x7ffccef44718
      4⤵
      PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcd13aab58,0x7ffcd13aab68,0x7ffcd13aab78
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:2
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2300 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3652 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3628 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:8
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:8
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:8
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:8
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4140 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5024 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:1
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5100 --field-trial-handle=1932,i,9830600238740228485,11723209205879243684,131072 /prefetch:8
  2⤵
  PID:6120

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x2f4
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
f6452615075d93e84c6546c43dacf6f9

SHA1
8ac48214ea2ae1ae569fdc2a36564e13b51c0e58

SHA256
601e58a0204a0774798d4d66abf4d31b182c354d96f478b8e7257c16fb26a39b

SHA512
bc07a56e4d759dc4a93d2f4216f86cbe81ea9b87ec89f8fb5f8da75ced1194c784de7a9b23da9ad3f519be673cf4222a876b0454ce340d78adad57df6f9047f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
31a156d7b72803a92b3514df44aed741

SHA1
683e06709d4e7034fe86e38aac62011d48cdcb87

SHA256
82237a26ad18315f3d75d484fbb3ca21309ab78b8207aca0f3c16a66c6b8086c

SHA512
ebd71ed88f5ec7ea4d86f9758086f6666836b1f1482a4e60d82bf2c51f7ea372befb66f1e64161ccf26a151e5359487b7b9e267d98b84833f6acc97100850c0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
52081e66f9ce40391aa4e819765f1917

SHA1
3a5437de4eb168cd33544c5e0e6c0bafa298dcd8

SHA256
10ccdb67a9b97b1e9875e3107d41a73be9de212604402dee9d04034b9a515f42

SHA512
e917e259ec1d2a7e0dccb74b590bca022b4278cdc1c3337c1e1538e50b0495fc832e08a243f549add6cc3c7b07eab2ea20719da0096892422e156d395b17d6ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
94d957f9c342a5a5d36999f5bc6a7713

SHA1
b0afb48b2d5ec4ebd1f352b593cebb31b1627703

SHA256
b6a27b02df779529286f0e51becc5361b30338b3732eb42fb3672e1127f4f9a5

SHA512
0f32c7857543fb28f6bc740a7af943d267818660ac3a4f14cd9d3e28139fc63d327f53647a94cb420d34f2eecc7997dab3dde7df4fa39641c50da3a08ff226d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
1ac6244a02126bd5ba48dcadf0848be7

SHA1
a6bb98c873419cad942a59d2f70185e654b6c4b8

SHA256
961b0cbb874ac49b4c3857e0eb5ab7ca42bcb615f48b8151c25d957831aab121

SHA512
2a19b7b5a376fd71aef1543cd5a777253506972b2e49436d6d8c30161825ae731ca931d241b816df02f4aaea9968d1b8f57706242748232ad6c49a00c3f0bbbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b5b8017e1240989e436415be7c68f73d

SHA1
f8fc6305416a21794b505f43ec04c324cefde17a

SHA256
5931c8717107da764d71cb86bc2847793ddab44ce2521063e9c6b48e3ed92db6

SHA512
56ce05e774af69b0d290b24dd62d4ef67c4fec5536c3a7a0bb69edb171840eb161bf650bf115776b252f15a315aafda6de05894e83bf796d0bb22057aec6416e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a8741f299de4e525badeaaed9a4f7af1

SHA1
10bbc1250673332a8c3ee1a0ec51c64d111fd0d1

SHA256
01bdf629b8f4230226cef7e731097bd7d50474cc02c40c8d3fff917c06bab1df

SHA512
ff5a1ee94d6837eb7cc52d6ebc983ea72c839d270b1472a1ec228e11ac634962facf24a834a788480b6ad575653689e3bb89db3d839885e1507b6ffce979e1f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
8bf92bd92e945994072bda3e603ec2d5

SHA1
44db5600afa921f0dfb0f736ab028a59bcca62c7

SHA256
b145adb9684e572158bfe262e82f0df93f2c0266c1c51bcc5d837699aaf28e13

SHA512
1d81687c8588ee384570c036221aa3ba6903b537003a7ba34a8817836ebb0b9693bcfbfaac1e4c10167b98076a178a2d6a93ecb5ca5236f08d2580e787e002f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f57022af-2ed9-47b9-bfb7-198423ffced5.tmp

Filesize
6KB

MD5
4f00800289fcc7cc338410979520e7fc

SHA1
9a93c90a80478c633049a84362de15c13c277315

SHA256
43e7226d1053b12df45b0b57781f1aac7c969f267d043b3c9c29055ceefadd02

SHA512
41f3c71a49ba7f85abd1ef14f98078f1498eab3886a30a91395065cdb87c8dcbb99f7199c31bd1d5fac5df6651a54b5d59fb24cd7dc47f625a234e0cb7448cbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
253KB

MD5
df1bdbd006bd8532bae3ae7761adc4d4

SHA1
88add895a0842b8b530f913d998c35f7e94bafd9

SHA256
7494967ddea8c1645aaf1a7779e2c103ab612c563d6097c1d58cb6bb9940da7a

SHA512
81dcbbb9f4a0e85aefdf50d2e3e354ecfd4934ec784565f8c81569f4e0e9784154c972745fa5711b1910f4e9cb73afafc735a358a3b160ed305fd8a9780c7b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9519bc058003dbea34765176083739e

SHA1
ef49b8790219eaddbdacb7fc97d3d05433b8575c

SHA256
e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b

SHA512
a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb138796dbfb37877fcae3430bb1e2a7

SHA1
82bb82178c07530e42eca6caf3178d66527558bc

SHA256
50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd

SHA512
287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
20KB

MD5
923a543cc619ea568f91b723d9fb1ef0

SHA1
6f4ade25559645c741d7327c6e16521e43d7e1f9

SHA256
bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd

SHA512
a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
69KB

MD5
86862d3b5609f6ca70783528d7962690

SHA1
886d4b35290775ceadf576b3bb5654f3a481baf3

SHA256
19e1a1ad6c54fc29a402c10c551fa6e70022cefca6162a10640ee7d9b85783ed

SHA512
f0746c23a06effd14e1e31b0ea7d12156ff92b1f80445aa46e1a4c65cf5df4bc94f6dabe7aead01f1bd6a6c7b851b577a11697a186426a2c8dca897c48515ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
895188d9f4af95a79f91102dc740a090

SHA1
78153903fcd375def2db4cf27bd2e664b56bde3d

SHA256
0f73116915123d7507e5e7b11d5e70f7e65e7c3d37a786f409d2953a7d96ad5c

SHA512
e715b361ba7948e3b6cb2a1703cef93495eff79bdedd1add2a9bbbb1e2fac2ea6cba73045df1f3cf29a33950e62809ce967b9045f550db02bc2a611169bbd849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
fda096332efce9bd5e25ffca0352707a

SHA1
92e91b3c43fe6f675abb6f0d21c9ccd4f99ea403

SHA256
0fe602b278a2eb76ec47af384baf82032f9d2357f2d02c1640fb6ec1cc4a7f77

SHA512
db6a0a4f5e6a47b76f600a02373c47ce63cae7e8dd393f3705e864795f21c0ec7d29ea6536edadad5aa9fbf148a75404ed14bc4f4f581f9c3b9f0becc09f2e69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
03ce071510bc684fa4f38d5a01ae22d6

SHA1
02d705fbc16ae9200eb7283d0cc89c7c495361f8

SHA256
c9b923c657da30b06333c352a3c594d2ebc00301842165915c45863ff85bf806

SHA512
da2a09d33892ae8466fc0fa4467f05374e7650518034ceb473bc25fa5fe33101782cebb62096a08e13fa96a47770c4806bcc52b655bd179cb363a020e071ebd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
1b728460a9971594a8c1b7131275c538

SHA1
59226a5de165a90a1d02375c5330adb6b0bab93c

SHA256
4c8f7a47905194571b40411df3f7e1f22e4155884f0a217c115b6fc9b534b993

SHA512
e85d3be8688e3ffabfc79c9573a1315c6c796be009d900b10ed17447b0f53f73208ad38681c104f559b27fc1f890648b38c58849d68f2c97ef4da16764693966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
755B

MD5
60b9086d84ed39d215d3a55a183c74b9

SHA1
43481e27ac75fb5356993aa4ef92cb4a1500e722

SHA256
2d8e59f01e200031813d5aba9e6f18d82dc4769004ea70158a09d2b25a4fbb5e

SHA512
f50959f1ae6f1d702930be0bd27c3efccb13db92fb4d2f2ef1e8e2ef90118a7177be29bd78db16200ed673058f9b37ffdf720bea5c07c589700d7c0091126cec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dbf38cae465deae9e05733d396a95072

SHA1
50d9c6421351949ac82fb91bb2f830b36255d043

SHA256
d4400908d64be73073bfca8ae1bfad46573c66cbcaa0fa6ba851d4eb0f71b2dd

SHA512
1253ca0e2f8a9c2b604b51563e41f37dd2dd98094d37d20ab428abf9915912b05e6bf445843dcb1ac613cacb4db52f816039df52fe618bb87aafc03239a786e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8791383def7932e87b0f82fc91b6d6d

SHA1
6d59f2fb2fb01d79795bc9de094b6d09767bbf55

SHA256
ea11b5e512b55399d5803ec7a97026d9c799f225f79fba13cd01bdcb6c08ed58

SHA512
856357aab393aebf542ded4c3935efac4325ef4e18fe6fa1f2120a5f8444d5e19091a9ad4583e56274ff66714dd7815402f4a4a2dda7ad467cd7a19ee8bfcab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0261233d7e3ea9310bd0aca80b6055b

SHA1
8caaf1dabae8cf19abca3b54b01a6c02b7d1bd8e

SHA256
fa3c5436a4c06ac99b5c12b08ea2ae8633a466dd107d6a497680afd614a1cb0a

SHA512
6a9e857a1fb5cbe62cf052a1bb6fcc312f71ded1afda5ee0d01f52286e18efb47ec60a0a55c2bed619034538bd73ca4ec6a49d25f02efd2c5bc26a219b7241c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c293c9db20912d44d29b9de7ef5fd667

SHA1
3e4cd217f6a2d6e86e903c6e1e17ab2e0cf23232

SHA256
b29f23ddec382def056847bd1b0e805f81fdbfeaf274373b75d14a9c73766b84

SHA512
c659a86271ba4b3e962464da65788cb3d42442189e095c2fd5f32d4e308bccdd8e187650cc98a786c4b7d963545b689a2a75dac09bae666c03e134fa07c8b91c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8260ebc895e758da45d85c4c97850719

SHA1
c3622738a2a6b4c5316e0ca99b57b0a37c5133f2

SHA256
bb33ac75b1f878776cfde6d98484252ceca612d041c352ee3b6077854190cf86

SHA512
c80bc7fa84de27e38eaa8eb573b224392c1a898bf1ee8bd7126b8fec1af4be9d81734fd963e8bbae171b824cae13349c3cd21e108eeaa515ab08c4209496f0fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
53a65f74bf08da308e5c0be9c00ac059

SHA1
0915344b2b3a190d25394340a7ded373c6c5b389

SHA256
93734baad24697f8561f6dde8644ed95bd5833eb8c1d132c6e9c5da5fe64b0e0

SHA512
39eea5b9c47464d73b003edbd7cc75adb4ca37896a456814087889de8bdaacb36d130d516b8f251a562add7d25e88b6e14137209b3408deadc9ee0cc76fa57a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
ade7bcef3bed7908708a61351a2fb70a

SHA1
a57cee8587de695a393df39702ab168ac929328e

SHA256
912ebc693176cb2adbb3187460c12619df31da816eda0763da9dda5edfc1dace

SHA512
4746365ba67c6c36861ba27a13c7a2796314f88469d3b3d83e0d5c0a822e01498614bea873cf3705fa08e4e01fb695e90ef7e3cb5ed956a4c552a2e3c580c11c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
202B

MD5
1273512db0bbe34712a366073fb5e096

SHA1
0a87793337adb55c4d78c1ebf71d90e4bdf03d6b

SHA256
77bf95651a9d2fb1830f247b3527573041853711cd072a057bb8102ef0f51e60

SHA512
20549e827f1478b024dffa0b4ee0a1be6cff67cde81fb7c1ca6ba00cb3966952ca4ba4411f50728ac84024f87f3500dcb5390e1dbeb7264355d631ef51cc0788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587654.TMP

Filesize
204B

MD5
776ce46ad4e6c26830074317bcbada66

SHA1
f6a2fc231aa1ef2fb08d1b1bd3d6a1d58dcd74ea

SHA256
5aa36d4337b963867714d914cf9e01b394164df31001f57f2c80b6931b3290dc

SHA512
436a702f1f67fb37521189fe9ca95d13efffc6719f36c74cceabec068a5d11440335226b88ba6e439aca22a04d30cbefbd6a67554440df931463abde988522ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0c38f7a3171d04625879ba815fe666f7

SHA1
9121498bed3c7e390c429da7e14576454bb922f6

SHA256
c6ec3d216587f7145652777f78900f36683bf0c6bf4f67fd311081df8683e0ce

SHA512
5ebbc896869a956fad70116c91398109bb65c543c85775aff06b8634d15c8e301829bd9442864cb0db615d03d5d48e9e41d7a28b85d7e11c1aea9a9706b6ec55

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\crashpad_3688_EUNVTXXQMNBGPJYN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit