3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645938789474560"	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{A1A924A9-DB1D-460A-B510-6348D77F8A05}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3696	MEMZ.exe
3696	MEMZ.exe
1968	MEMZ.exe
1968	MEMZ.exe
1968	MEMZ.exe
1968	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
1948	MEMZ.exe
1968	MEMZ.exe
1968	MEMZ.exe
1948	MEMZ.exe
1948	MEMZ.exe
1968	MEMZ.exe
1968	MEMZ.exe
1948	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
1948	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
1948	MEMZ.exe
1968	MEMZ.exe
3764	MEMZ.exe
1968	MEMZ.exe
3764	MEMZ.exe
1896	MEMZ.exe
1896	MEMZ.exe
3764	MEMZ.exe
3764	MEMZ.exe
1968	MEMZ.exe
1968	MEMZ.exe
1948	MEMZ.exe
1948	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
1948	MEMZ.exe
1948	MEMZ.exe
3764	MEMZ.exe
3764	MEMZ.exe
1968	MEMZ.exe
1968	MEMZ.exe
1896	MEMZ.exe
1896	MEMZ.exe
1948	MEMZ.exe
1948	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
1948	MEMZ.exe
1948	MEMZ.exe
1896	MEMZ.exe
1896	MEMZ.exe
1968	MEMZ.exe
1968	MEMZ.exe
3764	MEMZ.exe
3764	MEMZ.exe
3764	MEMZ.exe
1968	MEMZ.exe
3764	MEMZ.exe
1968	MEMZ.exe
1896	MEMZ.exe
1948	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4796	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
7016	msedge.exe
7016	msedge.exe
7016	msedge.exe
7016	msedge.exe
7016	msedge.exe
7016	msedge.exe
7016	msedge.exe
7016	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	taskmgr.exe
Token: SeSystemProfilePrivilege	4796	taskmgr.exe
Token: SeCreateGlobalPrivilege	4796	taskmgr.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe
Token: SeCreatePagefilePrivilege	5636	chrome.exe
Token: SeShutdownPrivilege	5636	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
4796	taskmgr.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
4796	taskmgr.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
5636	chrome.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe
4796	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3696	2548	MEMZ.exe	99
PID 2548 wrote to memory of 3696	2548	MEMZ.exe	99
PID 2548 wrote to memory of 3696	2548	MEMZ.exe	99
PID 2548 wrote to memory of 1968	2548	MEMZ.exe	100
PID 2548 wrote to memory of 1968	2548	MEMZ.exe	100
PID 2548 wrote to memory of 1968	2548	MEMZ.exe	100
PID 2548 wrote to memory of 1948	2548	MEMZ.exe	101
PID 2548 wrote to memory of 1948	2548	MEMZ.exe	101
PID 2548 wrote to memory of 1948	2548	MEMZ.exe	101
PID 2548 wrote to memory of 1896	2548	MEMZ.exe	102
PID 2548 wrote to memory of 1896	2548	MEMZ.exe	102
PID 2548 wrote to memory of 1896	2548	MEMZ.exe	102
PID 2548 wrote to memory of 3764	2548	MEMZ.exe	104
PID 2548 wrote to memory of 3764	2548	MEMZ.exe	104
PID 2548 wrote to memory of 3764	2548	MEMZ.exe	104
PID 2548 wrote to memory of 4232	2548	MEMZ.exe	105
PID 2548 wrote to memory of 4232	2548	MEMZ.exe	105
PID 2548 wrote to memory of 4232	2548	MEMZ.exe	105
PID 4232 wrote to memory of 1016	4232	MEMZ.exe	107
PID 4232 wrote to memory of 1016	4232	MEMZ.exe	107
PID 4232 wrote to memory of 1016	4232	MEMZ.exe	107
PID 5636 wrote to memory of 5652	5636	chrome.exe	121
PID 5636 wrote to memory of 5652	5636	chrome.exe	121
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5804	5636	chrome.exe	122
PID 5636 wrote to memory of 5824	5636	chrome.exe	123
PID 5636 wrote to memory of 5824	5636	chrome.exe	123
PID 5636 wrote to memory of 5896	5636	chrome.exe	124
PID 5636 wrote to memory of 5896	5636	chrome.exe	124
PID 5636 wrote to memory of 5896	5636	chrome.exe	124
PID 5636 wrote to memory of 5896	5636	chrome.exe	124
PID 5636 wrote to memory of 5896	5636	chrome.exe	124
PID 5636 wrote to memory of 5896	5636	chrome.exe	124
PID 5636 wrote to memory of 5896	5636	chrome.exe	124
PID 5636 wrote to memory of 5896	5636	chrome.exe	124

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3696
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3764
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:1016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=the+memz+are+real
    3⤵
    PID:5356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=bonzi+buddy+download+free
    3⤵
    PID:6744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=my+computer+is+doing+weird+things+wtf+is+happenin+plz+halp
    3⤵
    PID:1108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+send+a+virus+to+my+friend
    3⤵
    PID:5796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=john+cena+midi+legit+not+converted
    3⤵
    PID:6508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4120,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:440

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd385fab58,0x7ffd385fab68,0x7ffd385fab78
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1856,i,4020391240551638078,1309297121384478774,131072 /prefetch:2
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1856,i,4020391240551638078,1309297121384478774,131072 /prefetch:8
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1856,i,4020391240551638078,1309297121384478774,131072 /prefetch:8
  2⤵
  PID:5896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1856,i,4020391240551638078,1309297121384478774,131072 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1856,i,4020391240551638078,1309297121384478774,131072 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1856,i,4020391240551638078,1309297121384478774,131072 /prefetch:1
  2⤵
  PID:5240

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4780,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4644 /prefetch:1
1⤵
PID:5364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4652,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4680 /prefetch:1
1⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5304,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:1
1⤵
PID:5404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5616,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=5676 /prefetch:8
1⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6000,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:1
1⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5864,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=6256 /prefetch:1
1⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6244,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:8
1⤵
PID:6412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6440,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=6412 /prefetch:8
1⤵
PID:6456

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x244 0x498
1⤵
PID:6496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=5924,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=6588 /prefetch:1
1⤵
PID:6756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6772,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=6748 /prefetch:1
1⤵
PID:6828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:7016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x240,0x244,0x248,0x238,0x23c,0x7ffd32d14ef8,0x7ffd32d14f04,0x7ffd32d14f10
  2⤵
  PID:7052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2280,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:2
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1728,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:3
  2⤵
  PID:6348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2324,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=4480,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=4480,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4900,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=4944,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5484,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5492,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5952,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --field-trial-handle=6244,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --field-trial-handle=6248,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6232,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5944,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:6804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6336,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=4404,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=6328,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5376,i,1723404032229526320,5282150528071631022,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:6648

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"
1⤵
PID:6368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b564d5e3214f082398842a2b33243922

SHA1
31909fc6a370cb74853321d1c18c50ef748fbb71

SHA256
edf89fa30adbe4a4044cce17fb8e9574eacbdb28900779626314b010b9111716

SHA512
d0b321d0745a32e627ad7b358908e51c689954624cc7448a4a6e1c4c282b885474727ca39e2d1f5635865a21ac7400c16cda79ed59100cc5669163f7d4b8fac1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a0afc9c0d8f7349a44dd761308441240

SHA1
1ae44956fb9a8430c561732511b67a317c8f1071

SHA256
70552afb57dd119af18a8218a74d55f361e3630e595239a6448b529d12d386c5

SHA512
1f3308481254850a0766d98676d5941189fe8810f6727e964c5a268392fe7aca1dc458d07090d9294acc68d20d9ff5a0b6378114b2216c54757c00a9b97a45b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ce44e6f94c9ff14e6c8c12165ae04866

SHA1
116387e98f5e7e231c9c5de94d5890fba28c4101

SHA256
9bc2b890f5b3029cdebeba13daee6043434e863d1baa16c0ffb80ac9efcedb20

SHA512
4830a25e78f6fd2d00b1ea1c18025a453d88ed283fc89bed612e0c1b23d4030f410d92813087de01ae37ef1a94ea6eef5ca3d01c943cb55fe0d015ab41adf26f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
91470b98a4d98c81959ce1e58a0a232b

SHA1
b70677bc7cf23d0330d76f2f8ac7b135c43c5d80

SHA256
27260e06bc87dd451ce271910ec434bf5024349e55bac0e9a433413aa44d7d40

SHA512
fc24ae500c37c31e4768c8c4ea383faf36427e27f4a09acea48c587c488f8b0233871bab95e85fa065ba158cbd5e6fb8490b61c39733f778bf5248a166bc80f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
98093e47c4e8551a77c214c4803ec0eb

SHA1
0c99d1aded07aaf6a71a769f92afc291ffdef18e

SHA256
104f019e7175e4df5dad0c512cdb5bc652965ab1152c35400416032ccee6c1c4

SHA512
fdfed62e4baa767f61c05dd58a1ed4636285cc8abfec2036d60a2058e42dfda944775428aa6b4940c837bae3b487b2df67814c17f6671d3b8b5097d4862485de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
ed6fcbdf0c249cae3e07eef02fed8389

SHA1
06bcf038051d831fbc7266fd72c29832caa1d3fc

SHA256
1a4e3aa9d1c8b72854e9967874e33f8f1d528c96834d065b2a3c7fd780aad279

SHA512
f6d8ab1ab3843f76c70e6d611a177a015ead5573e56e6186e045f00e5110456d0afdbb1041a931bd3a50ea188a19a70429c6d080cc5033d1d616225e4b5a93e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
1569ef27063ef126ffba5491db67befc

SHA1
c04be9b457bbc9efa44a21ef7ae5ae0302a460f3

SHA256
8c18c84ec469168f04421f20fdfa90d3549ed76371539d5169a14db443e6de49

SHA512
e4d604e0c785be3c7b2fcb7f5b516697324197418bb5477dd2d6b5541f5fbb0443317403a178abd4084c017de61bcc89715cb801b303c3ddbab4d154393c64c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1793506e-0220-401b-8204-e6ca56e5937c.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
abec64075f79d369d38fd311495e84c2

SHA1
2e8e9870facee95ce514954855086d671ca6fbfe

SHA256
2d14f506578eea0a45b26fec5a6fea51ba193400b5f5a4d6a071b75d408cedeb

SHA512
a4258c27e2fad9bf469412c5325f22e0002f8692087e96a94a5e37410235106c82b442709185d5ad1a12795f8b011e475ff3df2e24e5bcea6b7c2c5de2136495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
9091a8eeaaaca45111c17f35e737477a

SHA1
a0267426dc2524925d03787cc8b44c7f2832e81e

SHA256
7387d3f47225f39238014cd6dfc7dd96761bac4358f7fcf658410b6b5fa9e86c

SHA512
aa48fda9a4abb600335550b3f00120efcfb843ad79a5d2ed48695c029393b091f4c72d5de60896e3734c95200343748619f0c48e5c91390d61a488743229c123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
858766e87fd16a13c915f010d35755e1

SHA1
22d1b1efecfe41af55277cd07548f3cac67b51e8

SHA256
b0402035fe35e8dfdde5e9f3523e13e7f703475c831f97c6cf1a2be3c2967d5b

SHA512
b85096f4e8a546084f5e3f06fc3c70c1f6a6194365cf1c21853037709f6b0977909ef91083464fd71008bb82ba7c463c1ca8d77b922bcb2031f822ef66754fe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
74d5fab627f63fddc08e3d1361b74c2b

SHA1
fc9d57a07fdbd6f4a6b48ac67af93139964dc118

SHA256
0fa237bbfea6f1ab4ffee0ca1bd2027693a0a863f232b086569d2e29bfe53922

SHA512
7f96ff0a89ed16db731a8b442a4d58fd5d4d6c1dcf625a98e262c6cb510294c4a2bf4b91f8fe7a9659a38137dbd6dae2c92e7900eb3bb7360fbd515f29d194bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
03e5c7ccee8c247ef7e3f5804e9c1193

SHA1
3cb73d5ae6905413afa862c232909522d09497f1

SHA256
6de76fc6ce09ca70e783af3bc15a6ce19012c93d8b83e024aa425ee466f2c463

SHA512
a5db37ac15b25f16b272ae9d038d377bed7dadb2cf194b65f77edbe832ab5e2ba6e3bfd7469ab7bbfb88a8339c54839976e49a440ac6cadc7ab661ff2f51c0ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
070f83468856c53bede5bed634058979

SHA1
8ce38b2b03ac8cede004a886aa932a00fb0f3e8d

SHA256
6031f78abae1b3637086531b7861ab5bc3c760c1a109e2caca0c8d23a630937a

SHA512
e0c4f4e83ddd1005b326fcb446ea84051b164af5833b4719712671e3112433c108fc8371de0db88f23a56793d3a160086da39a43a61f030c1cefd5178ef565b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
637401411239e92274daf01043ead5a9

SHA1
00054466eb51fb461fb5933fbf1e6be07dbebb0e

SHA256
3f1f5fcf1134c3bc386bfae21306e1ffc33b3938396775b572de475e9201699a

SHA512
e06a3694a5df9dbaaed4262a075a7190bb874ba4ac588423e5a5af03630fb418b2bfc3bef3a13779c02afcc237e6c0c230e3747ae908b7bd3436dfe34d196fe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
be4aa3226b533b32d5b09c328cdb8c03

SHA1
7cbd79c7748d2f3e48b0cca00e98f1e3919a0a86

SHA256
c694851992a7dff6791d8f7a58866bf86c758f122e4a8b6ce55076090acac94f

SHA512
02cceac25464a76ab42a05ed0b07a71f070dd0dc5e1a7230b8a57d225bbbcc2cb394a4f511991a5ff2bdf7ef525c8f098ad3a6f482d1751f967797dca1ded6b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
48438e6d4651b4f235f82e35be136479

SHA1
b36d28e7a149b8ff313bb8c2d4bad76c186af79d

SHA256
22a4958df87453ecb81c07eac97d6265fb69b12139dd6064b00ec2da1e10dcd8

SHA512
54f5836c48342fa5456e6aa60d50ab1b175daa0f14dfc28fa96d2a045d3e76a416902d8e25874152a3c8fda6e481e7dbc96e0ce3cdd019adda1b9b73d5615368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
71KB

MD5
8d240cca0b76720df54c78442f33ddf7

SHA1
42bcbb736545afbef6fda857a154df2443078dc0

SHA256
277e4cade0eb872597dfbd944b7b89cb3f8c49543129bfd35193b2dc5e2f531c

SHA512
3a2f70f54be97bf645d488252f8f7a59f85b963ec88681ac670218ebea1ad42b8e13e7034e843efa172f5797d7e0c6507930e203648fa1fd0221fb8cfdd52f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
71KB

MD5
28993fef2dd84e0e14dd0e08831d0a55

SHA1
f3b04367f6034912e032ff4e02712dce134f7b41

SHA256
832c64b8a24c78a89e37e1387ed4a5815181ada924b9ccb0f43898469435df80

SHA512
9a2ada9bfa9039f955bc10d04ac5b03f1f3f4407837c86223ae3446059c2a5dc94f52cd308ae75a826f264a277723e32757660442bbdc45e857c1c26dd60a737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
71KB

MD5
4327bb2e4da9ddbcb6dbf6e31b7a1a0c

SHA1
041294b25b38d312fd20c2bb8c5afedf70be2778

SHA256
4c4a7f1cc527b2050e2825ae43fc56b01dfdec27d8800ebfe9ac3864499e8cd9

SHA512
a9b65943a7e9f61829edc2ff7149eb6210e84706a78f822680c917aabfb673636be0b774beb7558890f6cfdaef005fd33323d37d6d0bd4f6578243025e2beb81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
1f564a0a41f5da8c2f25256dfb9a953f

SHA1
8bc22d472e90460218718b132f78c692b67bad54

SHA256
6c0a7b7303a78cea0f9f9dc2bd854f281c5a1bc0c5df9bdc48510ada099ea070

SHA512
9d3c29a394a5c3e37c95e59ebb65b73126eba714a286999385c5ffe5567f5687ddc50e1bb55496e01d972b1a5da1d0b97ed5688bd2b9a687f8eb10e19da06a2c

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/4796-14-0x00000228D7D70000-0x00000228D7D71000-memory.dmp

Filesize
4KB

Download
memory/4796-4-0x00000228D7D70000-0x00000228D7D71000-memory.dmp

Filesize
4KB

Download
memory/4796-3-0x00000228D7D70000-0x00000228D7D71000-memory.dmp

Filesize
4KB

Download
memory/4796-2-0x00000228D7D70000-0x00000228D7D71000-memory.dmp

Filesize
4KB

Download
memory/4796-10-0x00000228D7D70000-0x00000228D7D71000-memory.dmp

Filesize
4KB

Download
memory/4796-13-0x00000228D7D70000-0x00000228D7D71000-memory.dmp

Filesize
4KB

Download
memory/4796-12-0x00000228D7D70000-0x00000228D7D71000-memory.dmp

Filesize
4KB

Download
memory/4796-11-0x00000228D7D70000-0x00000228D7D71000-memory.dmp

Filesize
4KB

Download
memory/4796-8-0x00000228D7D70000-0x00000228D7D71000-memory.dmp

Filesize
4KB

Download
memory/4796-9-0x00000228D7D70000-0x00000228D7D71000-memory.dmp

Filesize
4KB

Download