dcf6bfa9392179f23ce11d1fe78325845bf0d1a921b720ef3cd7878020623e42

Resubmissions

21/06/2024, 06:37

240621-hdgsjazdrg 3

21/06/2024, 06:35

21/06/2024, 06:33

21/06/2024, 06:30

21/06/2024, 06:25

21/06/2024, 06:06

21/06/2024, 05:55

Analysis

max time kernel
199s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/06/2024, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

steam_pfp_1.jpg
Size

5KB
MD5

db49c318451e36edef4137e52013da0b
SHA1

672212d918f7a67e9667efa50742d30f86663cf2
SHA256

dcf6bfa9392179f23ce11d1fe78325845bf0d1a921b720ef3cd7878020623e42
SHA512

5688a951972310da828bae076187e111adbd7670a8664a40ab6c26ffd4a85243a7c6a22c5482e889b8d058a0826c0654fd855035393a2ca747c4d5f2700f2e95
SSDEEP

96:VWLxsrCRz/hrzk1aCJCUvY6gkBMmkSM8AkxudbpXSG1i:ETRzJ8DJRf3RxJYxpCyi

Score

5^/10

persistence privilege_escalation

Malware Config

Signatures

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{19bc231b-f652-48e0-ba6a-a2defcdb2672}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1337824034-2731376981-3755436523-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1337824034-2731376981-3755436523-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{19bc231b-f652-48e0-ba6a-a2defcdb2672}\snapshot.etl	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634247887752957"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe
5040	msedge.exe
5040	msedge.exe
2644	msedge.exe
2644	msedge.exe
4916	identity_helper.exe
4916	identity_helper.exe
5712	sdiagnhost.exe
5712	sdiagnhost.exe
4856	svchost.exe
4856	svchost.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeShutdownPrivilege	3028	chrome.exe
Token: SeCreatePagefilePrivilege	3028	chrome.exe
Token: SeDebugPrivilege	5712	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2000	msdt.exe
2000	msdt.exe
2644	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
3028	chrome.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe
2644	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 4824	3028	chrome.exe	88
PID 3028 wrote to memory of 4824	3028	chrome.exe	88
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2480	3028	chrome.exe	89
PID 3028 wrote to memory of 2836	3028	chrome.exe	90
PID 3028 wrote to memory of 2836	3028	chrome.exe	90
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91
PID 3028 wrote to memory of 1268	3028	chrome.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\steam_pfp_1.jpg
1⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05a5ab58,0x7ffa05a5ab68,0x7ffa05a5ab78
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1996,i,7513830523787733016,14465652519697143541,131072 /prefetch:2
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 --field-trial-handle=1996,i,7513830523787733016,14465652519697143541,131072 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1996,i,7513830523787733016,14465652519697143541,131072 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3028 --field-trial-handle=1996,i,7513830523787733016,14465652519697143541,131072 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=1996,i,7513830523787733016,14465652519697143541,131072 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4316 --field-trial-handle=1996,i,7513830523787733016,14465652519697143541,131072 /prefetch:1
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1996,i,7513830523787733016,14465652519697143541,131072 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1996,i,7513830523787733016,14465652519697143541,131072 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4920 --field-trial-handle=1996,i,7513830523787733016,14465652519697143541,131072 /prefetch:1
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4628 --field-trial-handle=1996,i,7513830523787733016,14465652519697143541,131072 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4620 --field-trial-handle=1996,i,7513830523787733016,14465652519697143541,131072 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4604 --field-trial-handle=1996,i,7513830523787733016,14465652519697143541,131072 /prefetch:1
  2⤵
  PID:3564

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9f6cf46f8,0x7ff9f6cf4708,0x7ff9f6cf4718
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 /prefetch:8
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:5088
- C:\Windows\system32\msdt.exe
  -modal "459280" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF215E.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2788 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,3234315731790927993,265844530038691076,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1340 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4448

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5712
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5876
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
PID:692
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:4472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062106.000\NetworkDiagnostics.debugreport.xml

Filesize
73KB

MD5
69780c55b9a24792bb6cce129282a071

SHA1
63ac7dbc4b11915a77c13dfe09e381db31f673ae

SHA256
d2dc7fc95d4283f4e179ab1b76040c431df2349e7618c3c22058add1bdf097b8

SHA512
5ea91b5455e9cd0447587012babebaa6e5f9716797a8d3e80c885869f476183cc5d3148145c9c5fe11187b3fff93b0ddc373204da88cb8d0025085f936836913

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062106.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
811B

MD5
e08c1d076fa992021dcc107d1fc2e7c8

SHA1
175973d41a1f87dc9ef6a2074b7d6f37458d5e02

SHA256
6b8d1a8e9aa338181b7d091209288f05e6615be7d8ec4f3bbaf1e28120e64e51

SHA512
040282be2037b6f26a84f6d9d16a752644c59c0e334a6cfa652d43a7e2c6e0dd24d9f4d5c18944d32ce30226a8d0dd5d3a551d6c53dc3d17aab9eb7b088eba4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d2841daadc6d170eb01b2825d9c9f95d

SHA1
1c45c49f746a11efd4f01ff7cbc2324eff6ad639

SHA256
8a3738876b15bd6500da8d564c768e7596617981e9bb2c29ee07c7612e5afad2

SHA512
65c6246c14cac855f4bca041c561cef318ad5552a2972aa6a5f47cc7410b43d8ef030a51bc0372959a0b1b65d7085d2f0dfb5a0e6c1e2565564525ef0af909c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f84de41eb89a661f604ccbef6b9218cd

SHA1
311f8eb65c63140abb4d42f177fb19c7f8530b6c

SHA256
81900889cfa612fbd7ec146471d8b87e07355fafbe516bc00f0c8e59982ac83d

SHA512
dee3aa51037359d9124850195307ad73ba60b03c7c4756ead535d6c900343be96124dd8df0887277ebae2c4ae9107d95fd882cff639f2fdddc460770eec42d26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
25ac91e7827d09fa5113fb5d53f32e44

SHA1
1ced4eaaee1af48c8bdf9a757b6f34e0c0f09842

SHA256
3c6a75b177d6223936cef04878be12dd3dfc3ca20abe3341b062aa497a18d1ff

SHA512
7c76daec3e1471fed97fabdf28aeb2a2ea2b14ae1a4d79d59bb33548ad830b22b9b61541b2b4da64aa09418bd9310ef800a24986ff327d1c9a07c01a59107afd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
ff5425c04ebd88e581769ac899eb241c

SHA1
cffe2aa5f3d19979c062a81538164d9f54ccd2e4

SHA256
aadeb5b2c820874961cba4060c002d11e99a54f28278914e79d9150a7062c88c

SHA512
d3914b4ac405b4e85811e7f823cf7402213ca0af2e9588e33a3776177e56af028de1160235867afd8a290cad05b621823babe2015bce4ea06c01b9319ec78c5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
f95e52ce5ebe260b295e068169210320

SHA1
245f105d100e670905dc04956be299752e8bb7d7

SHA256
cd857d3307e5a3d0260701fe0f894ba66c7d0a590d7561ec504ff24ab1831c39

SHA512
139942f8d77d4ab319a56b485006365ceee561afd9c2eb46b0b93128c8a5898643a542494eae8ca5c63deabfa2f5bc7e6f2c8b82daa1295b25bd6681eb3e85b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1d7c5cd3aabec858d09c2f22a9947903

SHA1
00355b6fe384e0aac6c1d60772225d53450bb742

SHA256
1c7431845a7721af56b988be546bef93bf25da36f42b1808ea8fcf4a6e5331a0

SHA512
7952ac6a6efe00e2be54539cce4dc5a644907bda430c8508bb46fc2d0a12506a4f9b6215a0e6a9a2213da9d788712a64c397c8f8613912587b85de5cca8fe8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ffe5a5ec717375f778a5ac66785448b3

SHA1
1f68e9e250915d2e77e0b2eb7f217ff04009061d

SHA256
54b212fd691ba78cbbc5ead27fd8d11d5e620a7485de915f979a6b2a9497fc0b

SHA512
463be2a23f231f3a8e9f5db3eada48a0f657e3d27227e1c2dd51202999e06d465fda332f0b939ca34eccd285d80869600e87e65af98c26867b899de390b71603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
99533ad10933e2ce2c3f8a4546264715

SHA1
e6c5ae928f09215053c71cf075e00be4e9142461

SHA256
89770a73814ec042e6dc543a3271be9a3376b9826659ce75e01087247789147a

SHA512
29bf2d8a8621d2bcda6d6e191d828f6206b888fb77fed96816d5f8d46c9440ae51de174b74f3060c43e1c7bc3539973795c9e3bb77c4ac851161521bcc8a6b7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
fafabeba411d8ec480c920877ae02245

SHA1
ccaed5ff6977fd0b4ef3725feaed449af9fccdce

SHA256
8151185cbcc2fe43e09784a73096f1f76a2a9ceefe7d2aa6c4cae99b58692572

SHA512
6dd4a4248af77793d28a7646f88ff5d54356bd30d65d97cb9259abdb3008ddd3cac12cefe60f1f822f5b49a2ae482016bea05b1b6ea9dcd58a59273bf8b399f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6355293361a0d75d8dbdd704ed23a981

SHA1
1d3f8806892eedc124a9ba03193e011b28ddfd3d

SHA256
6ab18f15f192950cebc81f042538f999bf04c2a3e460cc7deeade0a26ad63582

SHA512
b767e0dd99a8875889beb2447c3b669575ecc249fbfd5834e0964a305b4f2515f1e8f3719fc96cc9bb8d9b0e31446d8fa8e475179e4670ac85de7cffb295e36a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
692e886d19184f497556a27d5d072c8f

SHA1
64dc1f8aa8f9eee46262e00586476c4704501350

SHA256
a1721d518b810e7f3c88521c6a75de406d3bd6436176a42db6ea6986ff6b2ced

SHA512
8d5bb7dc7f92bc93da0784711a24124e301dc609e7adfd2a9e130cbb39e060601ba9eacb69900ce6e34416a0c74001487a4a17e69d53d69bb1756642c2e67cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
1f8d72d3dec8e1eac947aeb261f047ae

SHA1
f59319170a3d64be995cfafd93314b59af132ab0

SHA256
cc22660774fc9dbd976c75fbafed22eabdd6db2590abd603fc0e8148013359a9

SHA512
1e503a9cda571f5bf0d05aac8f5ed098d017777dff8f3a3bdd9d345435ac5b645eb541a2b5ed4e113a061323cf056cc275c6c8bf2fe9322f77dd1924f593d64e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
a5dad5e123dfb8282674b74ed5a55791

SHA1
5a4e404b4eb49784ddf95aefdf65ab9297c6313f

SHA256
36f4007006489b116cce77e1c26c508cb47d8411d5471610fe6cdab15e511e2a

SHA512
f028a06028d05643a7ffdab25c75dd31d9d3e7d00631475f1980ab03591198c2695a0017d2985657f00c633db9fceba28bfff67c80f6df3d5aa48af9c367977c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF215E.tmp

Filesize
3KB

MD5
a9e92c50084c7d056e4a6b76677aa295

SHA1
5307c3d356a57f1f074abdc0743ba9d33c5062c3

SHA256
fcec1b1431322148abc8157c8cfcaaa7da3d8df971e91a3ed26790813b877638

SHA512
70e78f42d4bc51c4b30d61c88ff5593da42c58d3cceb5c1082619a9ca0af460e600e496c41a0a6163e06eef853bcd51df19278c6e3409b7edbec50574ecb9e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cdydoysp.dkt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\TEMP\SDIAG_d61fea5a-19e0-4928-afaa-1df783c275e2\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_d61fea5a-19e0-4928-afaa-1df783c275e2\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_d61fea5a-19e0-4928-afaa-1df783c275e2\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_d61fea5a-19e0-4928-afaa-1df783c275e2\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_d61fea5a-19e0-4928-afaa-1df783c275e2\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_d61fea5a-19e0-4928-afaa-1df783c275e2\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_d61fea5a-19e0-4928-afaa-1df783c275e2\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
memory/4856-610-0x0000012D53580000-0x0000012D53590000-memory.dmp

Filesize
64KB

Download
memory/4856-614-0x0000012D53C00000-0x0000012D53C01000-memory.dmp

Filesize
4KB

Download
memory/4856-606-0x0000012D53540000-0x0000012D53550000-memory.dmp

Filesize
64KB

Download
memory/4856-863-0x0000012D53D20000-0x0000012D53D21000-memory.dmp

Filesize
4KB

Download
memory/4856-864-0x0000012D53D10000-0x0000012D53D11000-memory.dmp

Filesize
4KB

Download
memory/4856-867-0x0000012D53C00000-0x0000012D53C01000-memory.dmp

Filesize
4KB

Download
memory/4856-866-0x0000012D53C10000-0x0000012D53C11000-memory.dmp

Filesize
4KB

Download
memory/4856-869-0x0000012D53C00000-0x0000012D53C01000-memory.dmp

Filesize
4KB

Download
memory/4856-872-0x0000012D53B50000-0x0000012D53B51000-memory.dmp

Filesize
4KB

Download
memory/5712-580-0x000001CBBC6A0000-0x000001CBBC6C2000-memory.dmp

Filesize
136KB

Download