hxxp://google[.]com

Resubmissions

15/06/2024, 09:09

240615-k4sc3avemf 1

15/06/2024, 09:07

240615-k3pwjsycqj 1

Analysis

max time kernel
99s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629160834054310"	chrome.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4800	msedge.exe
4800	msedge.exe
5080	msedge.exe
5080	msedge.exe
3052	chrome.exe
3052	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeSystemEnvironmentPrivilege	2708	shutdown.exe
Token: SeShutdownPrivilege	2708	shutdown.exe
Token: SeRemoteShutdownPrivilege	2708	shutdown.exe
Token: SeSystemEnvironmentPrivilege	1720	shutdown.exe
Token: SeShutdownPrivilege	1720	shutdown.exe
Token: SeRemoteShutdownPrivilege	1720	shutdown.exe
Token: SeSystemEnvironmentPrivilege	4300	shutdown.exe
Token: SeShutdownPrivilege	4300	shutdown.exe
Token: SeRemoteShutdownPrivilege	4300	shutdown.exe
Token: SeSystemEnvironmentPrivilege	3144	shutdown.exe
Token: SeShutdownPrivilege	3144	shutdown.exe
Token: SeRemoteShutdownPrivilege	3144	shutdown.exe
Token: SeSystemEnvironmentPrivilege	776	shutdown.exe
Token: SeShutdownPrivilege	776	shutdown.exe
Token: SeRemoteShutdownPrivilege	776	shutdown.exe
Token: SeSystemEnvironmentPrivilege	4892	shutdown.exe
Token: SeShutdownPrivilege	4892	shutdown.exe
Token: SeRemoteShutdownPrivilege	4892	shutdown.exe
Token: SeSystemEnvironmentPrivilege	1756	shutdown.exe
Token: SeShutdownPrivilege	1756	shutdown.exe
Token: SeRemoteShutdownPrivilege	1756	shutdown.exe
Token: SeSystemEnvironmentPrivilege	836	shutdown.exe
Token: SeShutdownPrivilege	836	shutdown.exe
Token: SeRemoteShutdownPrivilege	836	shutdown.exe
Token: SeSystemEnvironmentPrivilege	1896	shutdown.exe
Token: SeShutdownPrivilege	1896	shutdown.exe
Token: SeRemoteShutdownPrivilege	1896	shutdown.exe
Token: SeSystemEnvironmentPrivilege	2700	shutdown.exe
Token: SeShutdownPrivilege	2700	shutdown.exe
Token: SeRemoteShutdownPrivilege	2700	shutdown.exe
Token: SeSystemEnvironmentPrivilege	3528	shutdown.exe
Token: SeShutdownPrivilege	3528	shutdown.exe
Token: SeRemoteShutdownPrivilege	3528	shutdown.exe
Token: SeSystemEnvironmentPrivilege	3392	shutdown.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4860	NOTEPAD.EXE
4860	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4492	5080	msedge.exe	82
PID 5080 wrote to memory of 4492	5080	msedge.exe	82
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4940	5080	msedge.exe	83
PID 5080 wrote to memory of 4800	5080	msedge.exe	84
PID 5080 wrote to memory of 4800	5080	msedge.exe	84
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85
PID 5080 wrote to memory of 4536	5080	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc002046f8,0x7ffc00204708,0x7ffc00204718
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,1929985272298768570,4818311351534770756,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,1929985272298768570,4818311351534770756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,1929985272298768570,4818311351534770756,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,1929985272298768570,4818311351534770756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,1929985272298768570,4818311351534770756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:3692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbff9aab58,0x7ffbff9aab68,0x7ffbff9aab78
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1900,i,11672404545037821079,155854766694963911,131072 /prefetch:2
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1900,i,11672404545037821079,155854766694963911,131072 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1900,i,11672404545037821079,155854766694963911,131072 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2912 --field-trial-handle=1900,i,11672404545037821079,155854766694963911,131072 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2920 --field-trial-handle=1900,i,11672404545037821079,155854766694963911,131072 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1900,i,11672404545037821079,155854766694963911,131072 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 --field-trial-handle=1900,i,11672404545037821079,155854766694963911,131072 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1900,i,11672404545037821079,155854766694963911,131072 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:4900
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff63dcaae48,0x7ff63dcaae58,0x7ff63dcaae68
    3⤵
    PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3912 --field-trial-handle=1900,i,11672404545037821079,155854766694963911,131072 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4768 --field-trial-handle=1900,i,11672404545037821079,155854766694963911,131072 /prefetch:1
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3316 --field-trial-handle=1900,i,11672404545037821079,155854766694963911,131072 /prefetch:1
  2⤵
  PID:4824

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3268

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
PID:1696

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\virus.bat" "
1⤵
PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K virus.bat
  2⤵
  PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K virus.bat
    3⤵
    PID:912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K virus.bat
      4⤵
      PID:4368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        5⤵
        
        PID:1304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        6⤵
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        7⤵
        
        PID:4484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        8⤵
        
        PID:1064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        9⤵
        
        PID:2248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        10⤵
        
        PID:764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        11⤵
        
        PID:3744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        12⤵
        
        PID:2352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        13⤵
        
        PID:4048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        14⤵
        
        PID:5016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        15⤵
        
        PID:1544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        16⤵
        
        PID:4192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        17⤵
        
        PID:2688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        18⤵
        
        PID:5044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        19⤵
        
        PID:4264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        20⤵
        
        PID:2404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        21⤵
        
        PID:2816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        22⤵
        
        PID:1136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        23⤵
        
        PID:4928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        24⤵
        
        PID:2992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        25⤵
        
        PID:2160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        26⤵
        
        PID:3408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        27⤵
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        28⤵
        
        PID:1284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        29⤵
        
        PID:4968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        30⤵
        
        PID:4304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        31⤵
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        32⤵
        
        PID:4144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        33⤵
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        34⤵
        
        PID:4860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        35⤵
        
        PID:1656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        36⤵
        
        PID:1896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        37⤵
        
        PID:4804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        38⤵
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        39⤵
        
        PID:3964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        40⤵
        
        PID:4552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        41⤵
        
        PID:5172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        42⤵
        
        PID:5232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        43⤵
        
        PID:5292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        44⤵
        
        PID:5360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        45⤵
        
        PID:5420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        46⤵
        
        PID:5484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        47⤵
        
        PID:5544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        48⤵
        
        PID:5604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        49⤵
        
        PID:5668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        50⤵
        
        PID:5728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        51⤵
        
        PID:5792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        52⤵
        
        PID:5852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        53⤵
        
        PID:5912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        54⤵
        
        PID:5972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        55⤵
        
        PID:6036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        56⤵
        
        PID:6096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        57⤵
        
        PID:5152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        58⤵
        
        PID:5320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        59⤵
        
        PID:5496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        60⤵
        
        PID:5644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        61⤵
        
        PID:5824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        62⤵
        
        PID:6020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        63⤵
        
        PID:5212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        64⤵
        
        PID:5704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        65⤵
        
        PID:4088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        66⤵
        
        PID:6164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        67⤵
        
        PID:6224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        68⤵
        
        PID:6284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        69⤵
        
        PID:6352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        70⤵
        
        PID:6412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        71⤵
        
        PID:6472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        72⤵
        
        PID:6532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        73⤵
        
        PID:6592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        74⤵
        
        PID:6656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        75⤵
        
        PID:6716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        76⤵
        
        PID:6776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        77⤵
        
        PID:6836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        78⤵
        
        PID:6896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        79⤵
        
        PID:6952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        80⤵
        
        PID:7012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        81⤵
        
        PID:7072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        82⤵
        
        PID:7128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        83⤵
        
        PID:6184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        84⤵
        
        PID:6316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        85⤵
        
        PID:6508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        86⤵
        
        PID:6692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        87⤵
        
        PID:6864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        88⤵
        
        PID:7120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        89⤵
        
        PID:6512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        90⤵
        
        PID:6944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        91⤵
        
        PID:7024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        92⤵
        
        PID:7200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        93⤵
        
        PID:7260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        94⤵
        
        PID:7328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        95⤵
        
        PID:7388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        96⤵
        
        PID:7448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        97⤵
        
        PID:7508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        98⤵
        
        PID:7576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        99⤵
        
        PID:7636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        100⤵
        
        PID:7696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        101⤵
        
        PID:7756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        102⤵
        
        PID:7816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        103⤵
        
        PID:7876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        104⤵
        
        PID:7936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        105⤵
        
        PID:7996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        106⤵
        
        PID:8056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        107⤵
        
        PID:8116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        108⤵
        
        PID:8176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        109⤵
        
        PID:7272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        110⤵
        
        PID:7460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        111⤵
        
        PID:7612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        112⤵
        
        PID:7804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        113⤵
        
        PID:7984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        114⤵
        
        PID:8164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K virus.bat
        115⤵
        
        PID:7548
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        115⤵
        
        PID:7520
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        114⤵
        
        PID:7244
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        113⤵
        
        PID:8076
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        112⤵
        
        PID:7824
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        111⤵
        
        PID:7728
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        110⤵
        
        PID:7520
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        109⤵
        
        PID:7276
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        108⤵
        
        PID:7240
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        107⤵
        
        PID:8152
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        106⤵
        
        PID:8072
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        105⤵
        
        PID:8032
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        104⤵
        
        PID:7972
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        103⤵
        
        PID:7912
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        102⤵
        
        PID:7824
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        101⤵
        
        PID:7792
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        100⤵
        
        PID:7724
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        99⤵
        
        PID:7664
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        98⤵
        
        PID:7592
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        97⤵
        
        PID:7544
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        96⤵
        
        PID:7464
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        95⤵
        
        PID:7416
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        94⤵
        
        PID:7364
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        93⤵
        
        PID:7276
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        92⤵
        
        PID:7236
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        91⤵
        
        PID:6320
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        90⤵
        
        PID:6296
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        89⤵
        
        PID:6456
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        88⤵
        
        PID:6304
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        87⤵
        
        PID:6988
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        86⤵
        
        PID:6800
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        85⤵
        
        PID:6588
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        84⤵
        
        PID:6456
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        83⤵
        
        PID:6300
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        82⤵
        
        PID:7144
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        81⤵
        
        PID:7116
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        80⤵
        
        PID:7036
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        79⤵
        
        PID:6968
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        78⤵
        
        PID:6932
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        77⤵
        
        PID:6864
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        76⤵
        
        PID:6796
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        75⤵
        
        PID:6752
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        74⤵
        
        PID:6692
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        73⤵
        
        PID:6616
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        72⤵
        
        PID:6576
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        71⤵
        
        PID:6508
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        70⤵
        
        PID:6448
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        69⤵
        
        PID:6388
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        68⤵
        
        PID:6316
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        67⤵
        
        PID:6252
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        66⤵
        
        PID:6180
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        65⤵
        
        PID:6008
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        64⤵
        
        PID:5820
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        63⤵
        
        PID:688
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        62⤵
        
        PID:6008
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        61⤵
        
        PID:5872
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        60⤵
        
        PID:5620
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        59⤵
        
        PID:4032
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        58⤵
        
        PID:5404
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        57⤵
        
        PID:4088
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        56⤵
        
        PID:6112
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        55⤵
        
        PID:6044
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        54⤵
        
        PID:6008
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        53⤵
        
        PID:5940
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        52⤵
        
        PID:5860
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        51⤵
        
        PID:5820
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        50⤵
        
        PID:5744
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        49⤵
        
        PID:5696
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        48⤵
        
        PID:5620
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        47⤵
        
        PID:5580
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        46⤵
        
        PID:5500
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        45⤵
        
        PID:5456
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        44⤵
        
        PID:5396
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        43⤵
        
        PID:5316
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        42⤵
        
        PID:5248
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        41⤵
        
        PID:5208
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        40⤵
        
        PID:5152
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        39⤵
        
        PID:2764
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        38⤵
        
        PID:4964
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        37⤵
        
        PID:4552
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        36⤵
        
        PID:2344
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        35⤵
        
        PID:2396
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        34⤵
        
        PID:4680
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        33⤵
        
        PID:1660
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        32⤵
        
        PID:2120
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        31⤵
        
        PID:4552
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        30⤵
        
        PID:4544
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        29⤵
        
        PID:3392
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        28⤵
        
        PID:1896
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        27⤵
        
        PID:1756
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        26⤵
        
        PID:3144
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        25⤵
        
        PID:1656
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        24⤵
        
        PID:4860
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        23⤵
        
        PID:1536
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        22⤵
        
        PID:2308
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        21⤵
        
        PID:1116
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        20⤵
        
        PID:4464
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        19⤵
        
        PID:4940
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        18⤵
        
        PID:1492
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        17⤵
        
        PID:1620
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        16⤵
        
        PID:4580
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        15⤵
        
        PID:4660
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        14⤵
        
        PID:3012
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
      - C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
    - - C:\Windows\system32\shutdown.exe
        
        shutdown /r /fw /t 1000000
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
  - - C:\Windows\system32\shutdown.exe
      shutdown /r /fw /t 1000000
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4300
- - C:\Windows\system32\shutdown.exe
    shutdown /r /fw /t 1000000
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- C:\Windows\system32\shutdown.exe
  shutdown /r /fw /t 1000000
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
810B

MD5
ad867396463e6b327744930bac94b6aa

SHA1
0f68baf2a983097814456922e5ade6fd83f6694d

SHA256
8ccd0b4213955b67b5722326bf68bf74e6a7602dbf77b19344af195ceb280803

SHA512
e8c932f03d3a02facd4f4b2ced36d5673e3fe8c34eed947f871ddd01d2cb4dd2a5786aa289207931d3d4c5815c938901178b2587cf49c7cf29837d3478f4621b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f7b2f354c7ec13fb1875f6a03d85f611

SHA1
7a775b4c8c6bbb7d8a206102737e541216ad1311

SHA256
5dfcb6c84f1069f947575ca611d8acec26197c6c4328f43de2980cfb2f161199

SHA512
f00cfae42d88bf8ae3e1d027be2e58575cc9363e5c2961ebdc893604f9fe106bd7eb264a8bb3f443440edc7bffa1fe77feff456660a2f6cc0bce05912a68dec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
354e95942a662d20cf2e68ddf4adfb5e

SHA1
fe460a497a3659a4debd718c64e1c2e0c7b71406

SHA256
dd85b4160f00a5f2532cab0163ab25da1d7324f08e5137e250d808dffe098dfd

SHA512
1655a8f889ab9fa17f1a70d27fe89547f15f72da42315dc38a6592fb3f7702b2ecd9f9737bb94af142949d58446e8bd4a2933e7eb6ce75e78832d1d118a395d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
20e0feb8a57ee9be767219816c464fe2

SHA1
c6b8c266114b6343427a9a0087c869284d7e5fc9

SHA256
bac7d34e9642541677b1ae304525718f1f50525e71c15141fcc51ccfd7e13769

SHA512
e271960b7db62472c74ec7f4565abbae0d0d2e11572f45bb1012de950d7af554f1d46b6bda5c772f411c137384d538968033b6a89895749888d7025adad35eee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
dd0c3f98346adbdc8c822f35b4b8b081

SHA1
78fafe49e6207c2f74e94126b814fe7f12ef5217

SHA256
627ff9cbcc22dc3afaed0728881bdf1f80230f59df1c6811ad2a3be488a130e0

SHA512
b900baeb3c4f8786c384f846a1234d3e87334af413f7af67c196737180eca1f81c068f7bcf4805e449d01411cc45ea6524e1b306aefe050e12c4f982fdd4807f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
917e169ba316bdf40e6cd6e59c76a817

SHA1
86d41c29c830bb60d50d9539475fd9c5aa3cdd84

SHA256
36692ff137553671b629db3130778386262c0e6d8eb97c7adcabb8036de315e6

SHA512
545cf24af4beece4c58595b85841b6afc4c6240408e427812fbe606a1e4c5e8a7a556c37d56d4c83bfe7e3007ddc52401c3d3517218dab26373bc8b972036b8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
0b4bc340dd1d1fb3d9871f34e6ec2e1e

SHA1
39217493e3a8fc7f58d98c52197ab05601dd2aba

SHA256
f29d4a9fd1fd8fafc593f1625235cfc639138a33f49c3b10e9d0b4157c21ffcd

SHA512
5d9933dcaae71447d743bbecd191fb5c0812d8dcf4c28f77dcadf732a0a4650961421d8116bf610de23fea6667274a592978d2210dc576310c5c132e12658be7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\Desktop\New Text Document.txt

Filesize
48B

MD5
64920c8082e5484daaafab576948c10b

SHA1
18a160faf2ec3d6292b8005e20261d7292f0a1fa

SHA256
263f9b18d3033d47b9fadea241613700ff3a31a05a443fea3ecac1a5e72c91d5

SHA512
e6caa28d6785e9c66dd591c72c38913b583de0cda9a3bffdd0f3b818d7a389a854e2639c85ff04291b35759166b365ebbc014158a922c060f24758007560f1f4

Download Submit